DocuSign Lure, Diverted Replies: How Reply-Path Manipulation Turns a Legitimate Envelope Into a BEC Trap

TL;DR A DocuSign-themed signing request reached recipients with full SPF/DKIM/DMARC authentication, a legitimate DocuSign signing link, and no malicious attachment. The only anomaly was a Reply-To header pointing to epayments[@]lead-savingsonline[.]com (an external, privacy-shielded domain with no connection to DocuSign or the sender). The receiving tenant's filter assigned it SCL 9 (the maximum), and a Terms of Use link carried a partial/malicious verdict. This is reply-path BEC: the email looks clean because it was sent through genuine infrastructure, but any reply goes directly to the attacker.
Severity: High | Tags: Business Email Compromise, Phishing, Impersonation | MITRE ATT&CK: T1566, T1656

The email arrived from DocuSign's infrastructure. SPF passed. DKIM passed. DMARC passed. The signing link pointed to na4.docusign.net. Nothing in the visible message was fabricated.

The trap was in a single header field that most mail clients never display until the moment a recipient clicks Reply.

The Reply-To header in this email was set to "Lead Banking" at epayments[@]lead-savingsonline[.]com, an address on a domain with no connection to DocuSign, no connection to the apparent sender, and no legitimate reason to receive replies to a document-signing notification. That mismatch is the entire attack. If a recipient hit Reply to ask a question, confirm a signing detail, or request a callback, their message went directly to the attacker.

This is business email compromise using DocuSign as an unwitting relay.

The Authentication Stack That Hid the Attack

Every authentication layer pointed to DocuSign. The connecting IP resolved to mailch.docusign.net, a legitimate DocuSign sending host. WHOIS for docusign.net shows registration to DocuSign, Inc., with a creation date of 1999. The From header and the Return-Path (envelope sender) both carried dse_NA4@docusign.net. No spoofing occurred at the envelope level or in the visible From address.

None of those checks inspect the Reply-To header, and none compares it to anything. SPF validates that the connecting IP is authorized to send for the envelope sender domain (the Return-Path, here docusign.net). DKIM validates that the body and the headers the signer chose to sign were not altered after DocuSign signed them; it cannot say whether a Reply-To value that the platform itself placed in the message is trustworthy. DMARC validates that the From header domain aligns with the domain that passed SPF or DKIM. The Reply-To field sits entirely outside this authentication perimeter: a message can pass all three checks with a Reply-To pointing anywhere.

MITRE ATT&CK T1566 covers phishing, including the legitimate-service-abuse variant where attackers send through platforms that pass all authentication checks. T1656 covers impersonation, which applies both to the DocuSign brand identity used throughout the email and to the "Lead Banking" alias assigned to the attacker's reply address.

What the Tenant's Filters Caught That Authentication Didn't

Despite the clean authentication verdict, the receiving tenant's mail gateway scored this email SCL=9, the maximum value on Microsoft's Spam Confidence Level scale. The X-Forefront-Antispam-Report header carried SFV:SPM (spam filter verdict: spam) and CAT:BULK (category: bulk), signals that reputation data and content-pattern analysis flagged this message as high-risk regardless of its authentication result.


The link analysis from the incident added a second signal. The primary signing link at na4.docusign.net and the report-abuse link at protect.docusign.net both scanned clean, consistent with genuine DocuSign infrastructure. The Terms of Use link, however, carried a partial/malicious verdict. Attackers who create a DocuSign envelope control its content, including where legal-footer links resolve. A replaced or manipulated Terms of Use link inside an otherwise authentic-looking envelope is a documented technique for introducing a malicious URL that never appears in the visible call-to-action.

The combination of three signals (attacker-controlled reply-path, maximum spam score from community reputation, and a malicious-flagged footer link) defines this as a deliberate social engineering campaign rather than a misfired bulk mailing.

How Reply-Path BEC Enables the Follow-On Fraud

Reply-path manipulation is particularly effective when paired with a trusted brand because the goal is not to harvest credentials immediately. The attacker sends through a legitimate platform, generates a signing request that appears to require action, and waits. When a target replies to ask about the document (who sent it, what it covers, whether payment or data is required), the response goes to the attacker's mailbox.

From that point, the attacker has an active email thread with a real recipient who has voluntarily initiated contact and confirmed their mailbox is live. Subsequent messages can request wire transfers, W-9 forms, or account credentials with the legitimacy of an ongoing conversation rather than a cold approach. The DocuSign brand framing adds urgency and authority: document-signing requests carry an implicit deadline and an implicit consequence for non-response.

The Reply-To domain used here, lead-savingsonline[.]com, is registered via a privacy service and carries no publicly verifiable organizational identity. The display name "Lead Banking" adds apparent financial context without requiring the attacker to impersonate any specific institution. This is impersonation constructed to look credible to the widest possible target pool rather than tailored to a specific sector.

The Defensive Gap Legitimate Infrastructure Creates

Gateways that rely on authentication reputation have no straightforward path to flag this message. docusign.net is a globally trusted sending domain. Adding it to a blocklist would prevent delivery of legitimate DocuSign notifications across every customer using the same gateway. Gateways that rely on link scanning would see a clean signing link and a clean report-abuse link before encountering the partial verdict on the Terms of Use footer link, which may fall below the threshold for quarantine on its own.

IRONSCALES identified the anomaly through behavioral analysis: the Reply-To domain diverged from the From domain, the reply-path identity ("Lead Banking") had no established relationship with the recipient or the sending DocuSign account, and community signals confirmed this pattern had been flagged across multiple tenants. The mismatch between a fully authenticated envelope and a reply-path pointing to an unverifiable external domain is precisely the signal that header-aware detection surfaces when authentication alone cannot.
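The checks described in this section and in the authentication section above (what SPF, DKIM and DMARC actually cover, the SCL signal, and the Reply-To divergence that none of them evaluate), as an added example that is not IRONSCALES code and is not part of the original post. It parses a constructed raw message whose headers mirror the ones described (DocuSign From and Return-Path, passing Authentication-Results, a Forefront report with SCL:9/SFV:SPM/CAT:BULK, the "Lead Banking" Reply-To) together with an invented HTML body; the footer-link domain docs-footer.example is a placeholder, not an indicator from the incident. The registrable-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup, and BRAND_DOMAINS is an assumed allowlist.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message. Header values mirror those described in the
# post; the HTML body and the footer-link domain docs-footer.example are
# placeholders, not indicators observed in the incident.
RAW = """\
Return-Path: <dse_NA4@docusign.net>
Authentication-Results: spf=pass (sender IP is 64.207.219.71) smtp.mailfrom=docusign.net;
 dkim=pass header.d=docusign.net; dmarc=pass action=none header.from=docusign.net
X-Forefront-Antispam-Report: CIP:64.207.219.71;SCL:9;SFV:SPM;CAT:BULK;
From: "DocuSign via DocuSign" <dse_NA4@docusign.net>
Reply-To: "Lead Banking" <epayments@lead-savingsonline.com>
To: finance@victim.example
Subject: Please DocuSign: Invoice Approval
Content-Type: text/html; charset=utf-8

<html><body>
<a href="https://na4.docusign.net/Signing/EmailStart.aspx">REVIEW DOCUMENT</a>
<a href="https://protect.docusign.net/report-abuse">Report abuse</a>
<a href="https://docs-footer.example/terms">Terms of Use</a>
</body></html>
"""

# Assumption: the domains this brand is expected to send from and link to.
BRAND_DOMAINS = {"docusign.net", "docusign.com"}


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for .net/.com; a production
    check should consult the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def addr_domain(header_value) -> str:
    """Domain of the first address in a From/Reply-To/Return-Path value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from Authentication-Results (folded or not)."""
    text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text))


def forefront(msg) -> dict:
    """Key:value pairs from X-Forefront-Antispam-Report (SCL, SFV, CAT, ...)."""
    text = str(msg.get("X-Forefront-Antispam-Report", ""))
    return dict(p.strip().split(":", 1) for p in text.split(";") if ":" in p)


def link_hosts(msg) -> list:
    """Hostnames of every href in the HTML body."""
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part is not None else ""
    return [urlparse(h).hostname or "" for h in re.findall(r'href="([^"]+)"', html)]


def triage(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])
    auth_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    # SPF/DMARC alignment is about Return-Path and From. Reply-To is never compared.
    aligned = registrable(addr_domain(msg["Return-Path"])) == registrable(from_dom)
    # The check the authentication stack does not perform: does the reply path
    # leave the domain the message was authenticated for?
    mismatch = bool(reply_dom) and registrable(reply_dom) != registrable(from_dom)
    scl = int(forefront(msg).get("SCL", "0"))
    offbrand = [h for h in link_hosts(msg) if registrable(h) not in BRAND_DOMAINS]
    if auth_pass and mismatch:
        verdict = "reply-path BEC suspect"
    elif offbrand or scl >= 5:
        verdict = "suspicious"
    else:
        verdict = "no finding"
    return {
        "auth_pass": auth_pass,
        "return_path_aligned": aligned,
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "reply_path_mismatch": mismatch,
        "scl": scl,
        "offbrand_links": offbrand,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

The divergence check alone is not a block rule: ticketing systems, marketing platforms and shared mailboxes legitimately set a Reply-To on another domain. It is a signal to weight against whether the reply-path identity has any prior relationship with the recipient, which is the behavioral context described above.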

Indicators of Compromise

| Type | Indicator | Context |
|---|---|---|
| Reply-To address | epayments[@]lead-savingsonline[.]com | Attacker-controlled reply-path; privacy-shielded domain; no connection to DocuSign or legitimate sender |
| Reply-To display name | Lead Banking | Attacker-assigned alias; no verifiable institutional identity |
| Sending domain | docusign[.]net | Legitimate DocuSign infrastructure; SPF/DKIM/DMARC pass; abused as relay |
| Sending host | mailch[.]docusign[.]net | Confirmed legitimate DocuSign sending IP (64[.]207[.]219[.]71) |
| Spam score | SCL=9, SFV:SPM, CAT:BULK | Tenant filter maximum risk score despite authentication pass |
| Link (partial/malicious) | Terms of Use footer link (DocuSign envelope) | Partial/malicious verdict; attacker-controlled envelope content |
---
Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack: what it looked like, why it worked, and what to do about it.

Related attacks

| Attack | What happened |
|---|---|
| The GitLab Alert That Passed Every Filter (Except One Detail Nobody Checked) | A GitLab sign-in alert cleared Proofpoint URL Defense and passed SPF/DMARC — then listed a private RFC1918 IP as the sign-in source. |
| Closing Table Takeover: How an Unverified Mortgage Contact Inserted Wire Fraud Into a Real Transaction | An unverifiable first-time external sender posed as a mortgage loan officer and inserted transaction-specific wiring and earnest money instructions into a... |
| Microsoft Bookings as a Weapon: When DMARC Says Trust Me and ARC Quietly Disagrees | A phishing email sent from bookings.microsoft.com passed every authentication check. |
| The Timestamp That Gave It Away: Oracle Identity Cloud Phishing Targets K-12 with a Stale Timezone | A phishing email impersonating Oracle Identity Cloud targeted a Florida school district employee. |
| The Phishing Simulation Platform That Powered a Real Attack | A salary adjustment lure routed through SendGrid and a Carrd landing page used phishing kit images hosted on a commercial phishing simulation vendor's own... |
