The From header said yshfoodsupply[.]com. The Reply-To said vantage[.]bank. The Return-Path said hansabusad[.]com. Three domains, three organizations, zero overlap. The display name read "Vantage via D0cuSign," with a zero substituted for the letter O.
That is not how DocuSign works. That is not how any of this works.
A Template Built From Spare Parts
The email body was a collage. The top section borrowed a DocuSign signing template, complete with the "Review Document" button and the signature-request framing. Below it, Lloyds Banking Group Qualtrics survey blocks appeared, carrying a different visual language entirely. The two halves were stitched together without any attempt at visual coherence, as if the attacker assembled the email from whichever template fragments were available in their phishing kits.
This is the frankenphish pattern: components from multiple brands combined into a single message. Each individual element borrows trust from its source brand. The DocuSign template triggers familiarity with document signing workflows. The Lloyds Banking Group elements add financial authority. Together, they create a message that looks busy and official but makes no logical sense as a communication from any single organization.
SPF returned none for the header.from domain. DKIM returned none. DMARC returned none. The email passed no authentication checks whatsoever, yet still reached the inbox. The message relayed through votiro-relay1[.]prod[.]votiro[.]com, a CDR (Content Disarm and Reconstruction) gateway, which may have contributed to delivery by stripping potentially malicious content while passing the message onward.
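The header-level signals above (three unrelated domains across From, Reply-To and Return-Path, a digit-for-letter brand lookalike in the display name, and no passing SPF/DKIM/DMARC result) can be checked mechanically. This is an added example, not code from the original article; the raw message below is a constructed sample modelled on the described headers, and the Authentication-Results line assumes the receiving MTA records verdicts in the usual `method=result` form.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample mirroring the header pattern described in the article (not the real message).
RAW_MESSAGE = b"""From: "Vantage via D0cuSign" <notify@yshfoodsupply.com>
Reply-To: support@vantage.bank
Return-Path: <bounce@hansabusad.com>
Authentication-Results: mx.example.net; spf=none smtp.mailfrom=hansabusad.com; dkim=none; dmarc=none header.from=yshfoodsupply.com
Subject: Please review the attached document
Content-Type: text/plain

Review Document
"""

BRANDS = {"docusign"}  # brand names worth protecting against lookalike display names

def domain_of(header_value):
    """Lower-cased domain of the first address in an address header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def lookalike_brand(display_name):
    """Return a brand name if it appears with digit substitutions (D0cuSign -> docusign)."""
    lowered = display_name.lower()
    folded = lowered.translate(str.maketrans("013", "ole"))  # 0->o, 1->l, 3->e
    for token in re.findall(r"[a-z]+", folded):
        if token in BRANDS and token not in lowered:  # only flag if the genuine spelling is absent
            return token
    return None

def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts out of Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}

def analyze(raw):
    """Return a list of human-readable findings for the header-level signals."""
    msg = email.message_from_bytes(raw)
    name, _ = parseaddr(msg.get("From", ""))
    domains = {h: domain_of(msg.get(h)) for h in ("From", "Reply-To", "Return-Path")}
    findings = []
    if len(set(domains.values())) > 1:
        findings.append("header domains disagree: " + ", ".join(f"{k}={v}" for k, v in domains.items()))
    brand = lookalike_brand(name)
    if brand:
        findings.append(f"display name spoofs {brand}: {name!r}")
    auth = auth_results(msg)
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m, "none") != "pass"]
    if failed:
        findings.append("no passing authentication: " + ", ".join(failed))
    return findings
```

Run `analyze(RAW_MESSAGE)` to get all three findings for the sample; a legitimate notification with aligned domains and a correctly spelled brand produces an empty list.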
The CTA That Went to Mailchimp
The "Review Document" button, the primary call to action in any DocuSign notification, resolved to us[.]list-manage[.]com, a Mailchimp redirect domain. Not docusign[.]com. Not docusign[.]net. A marketing platform redirect. This is ESP abuse in its simplest form.
This destination mismatch is the clearest technical signal in the entire email. Legitimate DocuSign signing links always resolve to DocuSign infrastructure. When the "Review Document" button points to a marketing platform redirect, the email is not a DocuSign notification regardless of how the template looks.
A 580-byte .ics calendar attachment accompanied the email, referencing "Please review the attached document" in the event description but containing no ATTACH property. The calendar invite was a secondary engagement mechanism: even if the recipient ignored the email body, the calendar event would appear in their scheduling application. An inline image file declared as PNG actually contained JPEG content, a MIME type mismatch that indicates template reuse across campaigns without updating asset metadata. The template also referenced ar@candybreak[.]net in configuration fields, another remnant from a previous campaign.
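The three body-level signals described here (a "Review Document" link that leaves DocuSign infrastructure, an .ics invite that talks about an attachment but carries no ATTACH property, and an image whose declared MIME type disagrees with its magic bytes) can each be tested directly. This is an added example, not the article's own tooling; the HTML fragment, calendar text and image bytes are constructed samples, and the DocuSign host allowlist is an assumption limited to the two domains the article names.

```python
import re
from urllib.parse import urlparse

# Constructed fragments modelled on the email described above (not the actual message).
HTML_BODY = ('<p>Vantage sent you a document.</p>'
             '<a href="https://us.list-manage.com/track/click?u=abc">Review Document</a>')
ICS_ATTACHMENT = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Document review
DESCRIPTION:Please review the attached document
END:VEVENT
END:VCALENDAR"""
INLINE_IMAGE = ("image/png", b"\xff\xd8\xff\xe0" + b"\x00" * 12)  # declared PNG, JPEG bytes

DOCUSIGN_HOSTS = ("docusign.com", "docusign.net")  # assumed allowlist, per the article
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff"}

def cta_mismatch(html):
    """Host of any 'Review Document' link that is not on DocuSign infrastructure, else None."""
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        if "review document" in text.lower():
            host = (urlparse(href).hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in DOCUSIGN_HOSTS):
                return host
    return None

def ics_claims_attachment_without_one(ics):
    """True when DESCRIPTION mentions an attached document but no ATTACH property exists."""
    has_attach = re.search(r"^ATTACH[;:]", ics, re.M) is not None
    mentions = re.search(r"^DESCRIPTION:.*attach", ics, re.M | re.I) is not None
    return mentions and not has_attach

def declared_type_mismatch(declared, data):
    """Actual type by magic bytes if it differs from the declared MIME type, else None."""
    for mime, magic in MAGIC.items():
        if data.startswith(magic):
            return None if mime == declared else mime
    return "unknown"

def body_findings():
    """Collect the body-level findings for the constructed samples."""
    out = []
    host = cta_mismatch(HTML_BODY)
    if host:
        out.append(f"Review Document CTA resolves to {host}, not DocuSign")
    if ics_claims_attachment_without_one(ICS_ATTACHMENT):
        out.append("calendar invite references an attachment but has no ATTACH property")
    actual = declared_type_mismatch(*INLINE_IMAGE)
    if actual:
        out.append(f"inline image declared {INLINE_IMAGE[0]} but content is {actual}")
    return out
```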
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | yshfoodsupply[.]com | From header domain |
| Reply-To Domain | vantage[.]bank | Reply-To mismatch (support@ alias) |
| Return-Path Domain | hansabusad[.]com | Bounce address, third unrelated domain |
| CTA Destination | us[.]list-manage[.]com | Mailchimp redirect (not DocuSign) |
| Calendar | .ics attachment (580 bytes) | No ATTACH property, document review pretext |
| Relay | votiro-relay1[.]prod[.]votiro[.]com | CDR gateway relay |
| Template Remnant | ar@candybreak[.]net | Previous campaign artifact in template fields |
| Display Name | "Vantage via D0cuSign" | Zero-for-O substitution in brand name |
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | DocuSign CTA resolves to Mailchimp redirect |
| Masquerading: Match Legitimate Name or Location | T1036.005 | DocuSign template + Lloyds Banking Group survey elements |
| Acquire Infrastructure: Web Services | T1583.006 | Mailchimp list-manage redirect as CTA destination |