The email looked like a completed document was waiting for a signature. Adobe branding. A professional layout. A clear call to action: review and sign. For anyone who has ever used Adobe Sign for contracts, NDAs, or vendor agreements, the notification was indistinguishable from the real thing.
Except the link did not go to Adobe. It went through two intermediate hops before landing on a credential harvesting page hosted at fameklinik[.]com, a domain registered in 2022 with fully privacy-masked WHOIS records and no connection to Adobe, e-signatures, or document management of any kind.
In April 2026, IRONSCALES detected and quarantined this campaign targeting a mid-size professional services firm. The recipient had never corresponded with the sender before. The e-signature pretext relied on something stronger than a spoofed brand: it relied on the conditioned urgency that e-signature workflows create. When someone tells you a document needs your signature, you do not investigate the sender. You click.
That reflex is exactly what the Verizon 2024 Data Breach Investigations Report describes when it notes that credentials are the most compromised data type in breaches, appearing in 31% of all incidents over the past decade. The FBI IC3 2024 Annual Report documented over 298,000 phishing complaints in 2024 alone, with credential theft driving the majority of downstream account compromises.
The email arrived from an external address the organization had never seen before. The sender name and layout mimicked an Adobe Sign notification, complete with document title references and a completion status indicator. Two distinct CTAs appeared in the body: one branded "Adobe" and another branded "AdobeSign," a subtle inconsistency that most recipients would never notice.
Both CTAs pointed to URLs that did not resolve directly to adobe.com or echosign.com (Adobe's e-signature infrastructure). Instead, they passed through proxied redirect layers, intermediate domains that accepted the initial click, processed a redirect, and forwarded the browser to the next hop. Each redirect added a layer of obfuscation between the email scanner's evaluation and the final destination.
The terminal URL landed on fameklinik[.]com. The domain's WHOIS records were fully privacy-masked, revealing no registrant name, organization, or contact information. The domain had been registered in 2022, giving it enough age to avoid the "newly registered domain" filters that many Secure Email Gateways (SEGs) use as a basic risk signal. Four years of dormancy (or low-volume use) followed by sudden activation for credential harvesting is a pattern that MITRE ATT&CK T1584.001 (Compromise Infrastructure: Domains) documents as a common adversary behavior.
The mixed branding is worth examining. Legitimate Adobe Sign notifications come from a consistent sender domain and use uniform branding. This email used "Adobe" for one CTA button and "AdobeSign" for another. The inconsistency suggests the phishing kit was assembled from multiple template sources, or the attacker deliberately included both variants to increase the chance that at least one looked familiar to the target.
Neither CTA linked to any Adobe domain. The redirect chain used proxied hops, meaning the intermediate URLs acted as pass-through relays rather than landing pages. This defeats link-time URL scanning by SEGs, which typically evaluate only the first URL layer at the moment of delivery. By the time the recipient clicks, the redirect chain resolves to the harvesting page, which may not have been active when the email was first scanned.
The Microsoft Digital Defense Report 2024 highlighted that multi-hop redirect chains have become a standard evasion technique, with attackers routinely inserting two or three intermediate domains between the email link and the final payload. Static URL reputation checks evaluate the first link in the chain. The last link is the one that steals credentials.
What makes e-signature phishing particularly effective is the built-in urgency of the workflow. A signature request implies a deadline. A completed document implies someone is waiting. The recipient is not just curious; they feel obligated to act. According to the IBM Cost of a Data Breach 2024 report, phishing attacks that leverage urgency or authority pretexts have a significantly shorter time-to-click than generic spam, with the median time between delivery and first click measured in minutes, not hours.
This campaign also leveraged the trust that Adobe Sign carries as a platform. Adobe is a household name. Organizations use it for legally binding contracts. When the notification says "your document is ready," the mental model shifts from "is this email legitimate?" to "which document is this?" The attacker never needs to prove authenticity. The brand does it for them.
MITRE ATT&CK T1204.001 (User Execution: Malicious Link) captures this dynamic: the attack depends entirely on the user clicking a link, with the social engineering pretext providing the motivation.
Themis, the IRONSCALES Adaptive AI, classified this message as high risk before the recipient opened it. The detection combined multiple signals: an external first-time sender with no prior communication history, a redirect chain that did not resolve to Adobe infrastructure, and behavioral indicators consistent with credential harvesting campaigns observed across the IRONSCALES global community of over 35,000 security professionals.
The message was quarantined. No credentials were entered. No redirect chain was traversed.

| Type | Indicator | Context |
|---|---|---|
| Harvesting Domain | fameklinik[.]com | Terminal credential harvesting page |
| WHOIS Status | Privacy-masked | No registrant information available |
| Domain Registered | 2022 | Aged domain, not newly registered |
| Branding | Mixed Adobe / AdobeSign CTAs | Inconsistent template branding |
| Sender Type | External, first-time | No prior communication with target |
| MITRE Technique | T1566.001 | Phishing: Spearphishing Link |
| MITRE Technique | T1036.005 | Masquerading: Match Legitimate Name |
| MITRE Technique | T1204.001 | User Execution: Malicious Link |

The attacker did not need a perfect replica of Adobe's infrastructure. They needed a close-enough notification, a redirect chain that survived initial scanning, and a harvesting page that loaded after the clicks. The investment was minimal. The credential value, if captured, would have provided account takeover access to internal systems, partner portals, and potentially the e-signature platform itself.
Organizations that rely on e-signature platforms should establish verification protocols for unexpected signing requests: confirm the sender through a separate channel, check the destination URL before clicking, and ensure that email security evaluates redirect chains at click time rather than only at delivery. The phishing lure will keep getting more polished. The redirect chains will keep getting longer. The only constant is the credential form at the end.
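The click-time check recommended above, as an added example (not IRONSCALES code and not part of the original article): it resolves a redirect chain hop by hop and judges the link by its terminal host against the Adobe domains the article names, rather than by the first URL in the email. The relay hosts, paths and `simulated_fetch` responses are constructed placeholders so the example runs offline; a real deployment would pass in a sandboxed resolver as `fetch`.

```python
from urllib.parse import urljoin, urlsplit

# Adobe e-signature domains named in the article; any other terminal host is off-brand.
BRAND_DOMAINS = ("adobe.com", "echosign.com")
REDIRECT_CODES = (301, 302, 303, 307, 308)

def host_in(url, domains):
    """True if the URL's host equals one of `domains` or is a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def resolve_chain(url, fetch, max_hops=10):
    """Follow redirects with fetch(url) -> (status, location); return all URLs visited."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location headers may be relative
        if nxt in chain:                    # redirect loop: stop with what we have
            break
        chain.append(nxt)
    return chain

def assess(chain, brand_domains=BRAND_DOMAINS):
    """Judge the link by where the chain ends, not by the URL in the email."""
    terminal = urlsplit(chain[-1]).hostname
    relays = []
    for u in chain[:-1]:
        h = urlsplit(u).hostname
        if h != terminal and h not in relays:
            relays.append(h)
    on_brand = host_in(chain[-1], brand_domains)
    return {"terminal_host": terminal, "relay_hosts": relays,
            "terminal_on_brand": on_brand, "suspicious": not on_brand}

# Constructed click-time responses. Relay hosts and paths are placeholders; the
# terminal domain is the article's indicator, refanged only so it can be parsed.
TERMINAL = "fameklinik[.]com".replace("[.]", ".")
SIMULATED = {
    "https://relay-one.example/r?id=1": (302, "https://relay-two.example/go"),
    "https://relay-two.example/go": (302, "/next"),
    "https://relay-two.example/next": (302, f"https://{TERMINAL}/login"),
    f"https://{TERMINAL}/login": (200, None),
}

def simulated_fetch(url):
    return SIMULATED.get(url, (404, None))

if __name__ == "__main__":
    chain = resolve_chain("https://relay-one.example/r?id=1", simulated_fetch)
    print(assess(chain))
```

The suffix match in `host_in` requires a leading dot, so a lookalike host such as `adobe.com.relay-one.example` is not treated as an Adobe domain.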