The From header said yshfoodsupply[.]com. The Reply-To said vantage[.]bank. The Return-Path said hansabusad[.]com. Three domains, three organizations, zero overlap. The display name read "Vantage via D0cuSign," with a zero substituted for the letter O.
That is not how DocuSign works. That is not how any of this works.
The email body was a collage. The top section borrowed a DocuSign signing template, complete with the "Review Document" button and the signature-request framing. Below it, Lloyds Banking Group Qualtrics survey blocks appeared, carrying a different visual language entirely. The two halves were stitched together without any attempt at visual coherence, as if the attacker assembled the email from whichever template fragments were available in their phishing kits.
This is the frankenphish pattern: components from multiple brands combined into a single message. Each individual element borrows trust from its source brand. The DocuSign template triggers familiarity with document signing workflows. The Lloyds Banking Group elements add financial authority. Together, they create a message that looks busy and official but makes no logical sense as a communication from any single organization.
SPF returned none for the header.from domain. DKIM returned none. DMARC returned none. The email passed no authentication checks whatsoever, yet still reached the inbox. The message relayed through votiro-relay1[.]prod[.]votiro[.]com, a CDR (Content Disarm and Reconstruction) gateway, which may have contributed to delivery by stripping potentially malicious content while passing the message onward.
The "Review Document" button, the primary call to action in any DocuSign notification, resolved to us[.]list-manage[.]com, a Mailchimp redirect domain. Not docusign[.]com. Not docusign[.]net. A marketing platform redirect. This is ESP abuse in its simplest form.
This destination mismatch is the clearest technical signal in the entire email. Legitimate DocuSign signing links always resolve to DocuSign infrastructure. When the "Review Document" button points to a marketing platform redirect, the email is not a DocuSign notification regardless of how the template looks.
A 580-byte .ics calendar attachment accompanied the email, referencing "Please review the attached document" in the event description but containing no ATTACH property. The calendar invite was a secondary engagement mechanism: even if the recipient ignored the email body, the calendar event would appear in their scheduling application. An inline image file declared as PNG actually contained JPEG content, a MIME type mismatch that indicates template reuse across campaigns without updating asset metadata. The template also referenced ar@candybreak[.]net in configuration fields, another remnant from a previous campaign.
See Your Risk: Calculate how many threats your SEG is missing
| Type | Indicator | Context |
|---|---|---|
| Sender Domain | yshfoodsupply[.]com | From header domain |
| Reply-To Domain | vantage[.]bank | Reply-To mismatch (support@ alias) |
| Return-Path Domain | hansabusad[.]com | Bounce address, third unrelated domain |
| CTA Destination | us[.]list-manage[.]com | Mailchimp redirect (not DocuSign) |
| Calendar | .ics attachment (580 bytes) | No ATTACH property, document review pretext |
| Relay | votiro-relay1[.]prod[.]votiro[.]com | CDR gateway relay |
| Template Remnant | ar@candybreak[.]net | Previous campaign artifact in template fields |
| Display Name | "Vantage via D0cuSign" | Zero-for-O substitution in brand name |
| Technique | ID | Context |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | DocuSign CTA resolves to Mailchimp redirect |
| Masquerading: Match Legitimate Name or Location | T1036.005 | DocuSign template + Lloyds Banking Group survey elements |
| Acquire Infrastructure: Web Services | T1583.006 | Mailchimp list-manage redirect as CTA destination |
| Attack | What happened |
|---|---|
| The Aeroplan Bonus That Came From a Consumer ISP in Melbourne and Landed on a Staging Platform | A spoofed Air Canada Aeroplan email failed SPF, had no DKIM, and was sent from a consumer ISP in Melbourne. |
| The IRONSCALES Agreement Email That Came From Brazil and Left Canva's Fingerprints Everywhere | An email impersonating IRONSCALES referenced a shared agreement file and used IRONSCALES logos, but was sent from a Brazilian domain via Amazon SES. |
| The Tooltip Said Coupa. The Link Said Genesis Cleaning. Only One of Them Was Real. | A phishing email passed SPF, DKIM, and DMARC for a UAE law firm domain while its CTA button displayed a Coupa procurement portal tooltip but linked to an... |
| Every Link Said U.S. Bank. Every Link Went Through Brevo. | A U.S. |
| The DocuSign That Lived on an S3 Bucket (and Couldn't Decide Who Sent It) | A DocuSign phishing email passed SPF, DKIM, and DMARC for a real K-12 school district domain. |