The display name read "Vantage via D0cuSign." The zero replacing the letter O in DocuSign was the quietest part of this attack, and in some ways the least important. Behind that single homoglyph sat four unrelated domains, a Mailchimp redirect, an ICS calendar file, and a CDR relay that overrode every authentication failure to deliver the message clean.
## Four Domains, Zero Authentication
The from address belonged to a food supply company: account@yshfoodsupply[.]com. The return-path pointed to an Estonian business domain: postmaster@hansabusad[.]com. The reply-to went to the real bank being impersonated: support@vantage[.]bank. A fourth domain, candybreak[.]net, appeared in the X-Relaying-Domain header.
SPF returned none. DKIM returned none. DMARC returned none. CompAuth returned none with reason=405. By every authentication standard, this message should have been rejected or quarantined. Instead, it was delivered with SCL=-1.
The reason: the message transited a Votiro CDR relay at 44[.]206[.]213[.]130. That relay was on the recipient organization's allow-list. When a message passes through an allow-listed relay, the gateway trusts the relay's judgment and suppresses its own authentication verdict. The allow-list converted total authentication failure into unconditional delivery.
## The Payload Stack
The email carried two attachments. The first was invite.ics, a 580-byte calendar file designed to plant a persistent event on the recipient's calendar. Even if the recipient deletes the email, the calendar entry can survive with attacker-controlled content, links, and reminder notifications.
The second was document.png, a 339KB file served with a JPEG content type despite the PNG extension. This MIME type mismatch is a minor evasion technique: some attachment scanners make filtering decisions based on the declared content type rather than the actual file signature.
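The mismatch described above (a declared content type that disagrees with the filename extension) is easy to check mechanically if the scanner looks at all three signals: the declared `Content-Type`, the extension, and the file's leading bytes. The following is an added example, not code from the original article or from any product it mentions; it parses a constructed MIME message with Python's standard `email` module and reports every disagreement between the three signals, plus the presence of a calendar invite. The sample message, its `.example` addresses, the fake JPEG body and the small magic-byte table are all constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading bytes ("magic numbers") for a few common types. Constructed, minimal table;
# a production scanner would use a full signature database.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
MAGIC_BY_TYPE = {
    "image/png": [PNG_MAGIC],
    "image/jpeg": [JPEG_MAGIC],
    "application/pdf": [b"%PDF-"],
    "application/zip": [b"PK\x03\x04"],
}
EXT_TO_TYPE = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "pdf": "application/pdf", "zip": "application/zip", "ics": "text/calendar",
}


def sniff_type(data):
    """Return the MIME type implied by the file's own bytes, or None if unknown."""
    for mime, magics in MAGIC_BY_TYPE.items():
        if any(data.startswith(m) for m in magics):
            return mime
    if data.lstrip().upper().startswith(b"BEGIN:VCALENDAR"):
        return "text/calendar"
    return None


def inspect_attachments(raw_message):
    """Compare declared Content-Type, filename extension and sniffed type for each attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        declared = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        by_ext = EXT_TO_TYPE.get(ext)
        sniffed = sniff_type(data)
        flags = []
        if by_ext and declared != by_ext:
            flags.append("declared-vs-extension")
        if sniffed and declared != sniffed:
            flags.append("declared-vs-content")
        if by_ext and sniffed and by_ext != sniffed:
            flags.append("extension-vs-content")
        if "text/calendar" in (declared, sniffed, by_ext):
            flags.append("calendar-invite")
        findings.append({
            "filename": name, "declared": declared, "extension_type": by_ext,
            "sniffed": sniffed, "size": len(data), "flags": flags,
        })
    return findings


def build_sample():
    """Constructed message: a JPEG body named .png but declared image/jpeg, plus an .ics invite."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "constructed sample"
    m.set_content("Please review the attached document.")
    fake_jpeg = JPEG_MAGIC + b"\x00" * 64  # constructed placeholder image bytes
    m.add_attachment(fake_jpeg, maintype="image", subtype="jpeg", filename="document.png")
    ics = (b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
           b"SUMMARY:Review Document\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
    m.add_attachment(ics, maintype="text", subtype="calendar", filename="invite.ics")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in inspect_attachments(build_sample()):
        print(finding)
```

The point of emitting three separate flags is that each pair of signals can disagree independently: a scanner that trusts only the declared type sees `image/jpeg` and never notices the `.png` name, while one that trusts only the extension treats the file as a PNG it cannot parse. Any flag other than `calendar-invite` is worth a closer look, and `calendar-invite` matters because of the persistence behaviour the text describes.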
The primary CTA, labeled "Review Document," routed through us[.]list-manage[.]com, a Mailchimp redirect domain. The email also contained blocks referencing multiple financial brands and a survey platform, creating multi-brand confusion that makes it harder for recipients to determine which organization actually sent the message.
## What Behavioral Detection Found
Themis scored the message at 66% confidence and flagged the recipient as a VIP. One mailbox was quarantined. The X-Mailer header claimed iPhone Mail (18E212), suggesting a casual mobile send, but the relay chain and multi-domain infrastructure contradicted that claim entirely.
The detection surface here was not authentication (which returned nothing useful) but structural. Detecting phishing like this requires looking at four mismatched domains, a homoglyph in the display name, a CTA routing through a marketing platform, and a calendar file bundled with an image attachment. Each element in isolation might be explainable. Together, they form a pattern that behavioral analysis can act on even when authentication cannot.
## What to Watch For
Audit CDR relay allow-lists and evaluate whether messages transiting those relays should inherit blanket trust or still undergo authentication checks. The presence of three or more unrelated domains across the From, Return-Path, and Reply-To fields is a high-confidence indicator regardless of the SCL score. Inspect display names character by character: a zero in "D0cuSign" is invisible at reading speed.
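The structural checks described in this section and in "Four Domains, Zero Authentication" (counting unrelated domains across From, Return-Path, Reply-To and the relaying domain; noticing that SPF, DKIM and DMARC all returned `none` while the message still carried a negative SCL; and catching a digit-for-letter substitution in the display name) can be run over raw headers without any reputation feed. The following is an added example, not code from the article or from the vendor's product. It uses Python's standard `email` module on a constructed header block whose `.example` domains stand in for the four real ones; the brand list, the confusable-character map, the header names it reads (`Authentication-Results` and `X-MS-Exchange-Organization-SCL`) and the "last two labels" domain reduction are all assumptions of this example, and the last of those should be replaced by a Public Suffix List lookup in real code.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed header set modelled on the message described in the article.
# Domains are placeholders, not the original infrastructure.
SAMPLE_HEADERS = """\
From: "Vantage via D0cuSign" <account@sender-a.example>
Return-Path: <postmaster@bounce-b.example>
Reply-To: <support@bank-c.example>
X-Relaying-Domain: relay-d.example
Authentication-Results: mx.example; spf=none; dkim=none; dmarc=none; compauth=none reason=405
X-MS-Exchange-Organization-SCL: -1
X-Mailer: iPhone Mail (18E212)
Subject: Review Document

"""

# Brands whose names we want to protect in display names (assumed list for this example).
WATCHED_BRANDS = {"docusign", "vantage"}

# Digits and symbols commonly swapped for letters. Assumed, deliberately small map.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a", "|": "l"})


def registrable_domain(address):
    """Reduce an address or hostname to its last two labels.
    Simplification for the example: real code should consult the Public Suffix List."""
    domain = address.rsplit("@", 1)[-1].lower().strip("<>")
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def homoglyph_hits(display_name):
    """Return tokens that spell a watched brand only after confusable substitution."""
    hits = []
    for token in re.findall(r"[A-Za-z0-9$@|]+", display_name):
        normalized = token.translate(CONFUSABLES).lower()
        if normalized in WATCHED_BRANDS and token.lower() != normalized:
            hits.append({"token": token, "brand": normalized})
    return hits


def parse_auth_results(value):
    """Pull method=result pairs out of an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value or "", re.I)
    return {method.lower(): result.lower() for method, result in pairs}


def analyze_headers(raw_headers):
    msg = email.message_from_string(raw_headers, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    sources = {
        "From": from_addr,
        "Return-Path": parseaddr(str(msg.get("Return-Path", "")))[1],
        "Reply-To": parseaddr(str(msg.get("Reply-To", "")))[1],
        "X-Relaying-Domain": str(msg.get("X-Relaying-Domain", "")),
    }
    domains = {k: registrable_domain(v) for k, v in sources.items() if v}
    distinct = set(domains.values())
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    scl_header = msg.get("X-MS-Exchange-Organization-SCL")
    scl = int(str(scl_header)) if scl_header is not None else None

    indicators = []
    if len(distinct) >= 3:
        indicators.append("multi-domain-mismatch")
    if auth and all(auth.get(m, "none") == "none" for m in ("spf", "dkim", "dmarc")):
        indicators.append("no-authentication")
        # A negative SCL with no authentication means something upstream was trusted
        # enough to override the verdict, e.g. an allow-listed relay.
        if scl is not None and scl < 0:
            indicators.append("allow-list-bypass-suspected")
    hits = homoglyph_hits(display)
    if hits:
        indicators.append("display-name-homoglyph")

    return {"domains": domains, "distinct_domain_count": len(distinct), "auth": auth,
            "scl": scl, "homoglyphs": hits, "indicators": indicators}


if __name__ == "__main__":
    print(analyze_headers(SAMPLE_HEADERS))
```

Note that `homoglyph_hits` deliberately ignores "Vantage", which is spelled correctly: the check fires only when a token becomes a watched brand after substitution, so legitimate brand mentions in a display name do not trigger it. The `allow-list-bypass-suspected` indicator encodes the core finding of the article in one condition: authentication that returned nothing should never coexist with a delivery-guaranteeing SCL.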
## Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| From Address | account@yshfoodsupply[.]com | Food supply company domain (sender) |
| Return-Path | postmaster@hansabusad[.]com | Estonian business domain (bounce handling) |
| Reply-To | support@vantage[.]bank | Real bank being impersonated |
| Relaying Domain | candybreak[.]net | X-Relaying-Domain header |
| CDR Relay IP | 44[.]206[.]213[.]130 | Votiro CDR relay (allow-listed) |
| Gmail Relay IP | 209[.]85[.]218[.]98 | Gmail infrastructure in relay chain |
| CTA Domain | us[.]list-manage[.]com | Mailchimp redirect for "Review Document" |
| Attachment | invite.ics (580 bytes) | Calendar invite file |
| Attachment | document.png (339KB, image/jpeg) | MIME type mismatch (declared image/jpeg, .png extension) |
| Display Name | Vantage via D0cuSign | Zero-for-O homoglyph in DocuSign |
## MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | ICS calendar invite and image attachment as payload components |
| Phishing: Spearphishing Link | T1566.002 | Mailchimp redirect CTA to credential harvesting |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Homoglyph substitution in DocuSign display name |
| User Execution: Malicious Link | T1204.001 | "Review Document" CTA requiring recipient click-through |