Targeted BEC Scam
17 December 2024
By Mimecast Threat Research team
What you'll learn in this notification
Threat actors deploy voice deepfakes in a sophisticated law firm impersonation campaign
- Sophisticated Business Email Compromise (BEC) campaign exploiting DocuSign and Adobe Sign
- Attackers utilize deepfakes to add credibility to their scams
- Primarily targeting Banking, Financial Services and Insurance
Campaign Flow
Mimecast threat researchers have discovered a highly targeted Business Email Compromise campaign. Our analysis reveals increasingly sophisticated techniques being used to make BEC emails appear legitimate.
Initial email
The campaign begins with an email sent via trusted services, such as DocuSign and Adobe Sign, falsely claiming to be from a law firm. The email requests that the recipient sign a document and call a provided phone number, which is not associated with the law firm.
This campaign appears to be highly targeted, and the law firm details in these initial emails indicate the threat actor may have prior knowledge of a working relationship with the target business. Once the victim calls the number, they will speak with the threat actor impersonating someone from this law firm.
The victim is then instructed to email an address with a domain resembling the legitimate law firm's domain, creating an email relationship with this suspicious address. This address will then be used for further communication as a trusted sender for this user.
The domains used in the initial email, along with similar domains linked to law firms, predominantly rely on Eranet International Limited for hosting and Hostinger for their name servers. Both providers have a history of extensive abuse by threat actors and play a crucial role in the current infrastructure of this threat actor.
Follow up communication
Once the connection is established, the threat actor uses the suspicious address to send a fraudulent invoice requiring payment. To give further legitimacy to this campaign, the victim will receive a deepfake phone call, in some cases using WhatsApp, impersonating a CEO or someone who is authorized to approve the transfer. The amounts requested are likely to be significant and should be treated with extreme caution.
The files shared with the target company appear to also have some pattern
Mimecast Protection
We have identified several attributes in the campaigns which have been added to our detection capabilities. View the Advanced BEC Protection page to learn more about how our advanced AI and Natural Language Processing capabilities aid in the detection of evolving threats.
Targeting:
Primarily US and UK, across Banking, Financial Services and Insurance.
Activity outside of those regions and verticals has been detected as well.
IOCs
Initial Reply-To Domain
Recommendations
- Conduct awareness sessions for employees about BEC tactics and how to identify phishing attempts.
- Educate end users about the continued trend of legitimate tools being used in malicious campaigns.
- Implement verification protocols for any unexpected or suspicious emails purportedly from law firms using Docusign and Adobe Sign, especially those requesting sensitive information or financial transactions.
- Always report any phishing or BEC scam email to Mimecast or your email security provider.
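One way to screen for the initial email described above, as an added example that is not Mimecast's detection logic: it holds messages sent through an e-signature service whose Reply-To points at a blocklisted or brand-imitating domain. The sender domains, brand keywords, blocklist entry and sample messages are assumptions or constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: sending domains of the e-signature services; adjust to your mail flow.
ESIGN_SENDER_DOMAINS = {"docusign.net", "docusign.com", "adobesign.com", "echosign.com"}
# Assumed brand keywords that a lookalike Reply-To domain may embed.
BRAND_TOKENS = ("docusign", "adobesign", "echosign", "acrobat")
# Placeholder entry; load the Reply-To domains from your IOC feed here.
IOC_REPLY_TO = {"blocked-lookalike.example"}

def header_domain(msg, name):
    """Return the lowercased domain of the address in header `name`, or ''."""
    _, addr = parseaddr(msg.get(name, ""))
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_official(domain):
    """True for an e-signature service domain or any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in ESIGN_SENDER_DOMAINS)

def screen(raw):
    """Return reasons to hold the message for out-of-band verification."""
    msg = message_from_string(raw)
    sender, reply_to = header_domain(msg, "From"), header_domain(msg, "Reply-To")
    reasons = []
    # Skip mail not sent via the service, or whose replies stay with the service.
    if not is_official(sender) or not reply_to or is_official(reply_to):
        return reasons
    if reply_to in IOC_REPLY_TO:
        reasons.append("reply-to domain on IOC list")
    if any(tok in reply_to for tok in BRAND_TOKENS):
        reasons.append("reply-to domain imitates e-signature brand")
    return reasons

# Constructed sample messages (not taken from the campaign).
SUSPICIOUS = """From: "Example Law LLP via DocuSign" <dse@docusign.net>
Reply-To: partner@secure-docusign.example
Subject: Please sign and call our office

Call the number in the document."""
BENIGN = """From: "Example Law LLP via DocuSign" <dse@docusign.net>
Reply-To: partner@examplelaw.example
Subject: Engagement letter

Please review."""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, screen(raw))
```

The keyword check misses lookalike domains that carry no brand name, so the blocklist check is what covers those.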
Scam Reporting
Mimecast is actively working with services such as Docusign to help tackle the misuse of these trusted services.