The email claimed a new file had been assigned for review. The subject line read "has assign a new file," a grammar error that a real DocuSign notification would never carry. The sender displayed as "westernbanks | Fax" from 876532@tiendajireh[.]com[.]mx, a Mexican retail domain with no connection to document signing services.
SPF failed at the AppRiver relay hop. DKIM failed. Yet the message landed in the recipient's inbox, carrying a single CTA button labeled "Review & Return Copy" that pointed to a domain registered two days earlier.
The link behind the CTA did not go directly to the attacker's infrastructure. It routed through link.edgepilot[.]com, a URL defense service, then to u106697411.ct.sendgrid[.]net, a SendGrid tracking redirect, before finally resolving to cloud.docusign-electronical-signature-portal[.]com.
That final domain is a textbook case of typosquatting. The misspelling ("electronical" instead of "electronic") is subtle enough to pass a quick visual scan but obvious under inspection. The domain was registered on April 29, 2026, hosted on IP 91.92.41[.]5 in Bulgaria with no PTR record. No legitimate DocuSign infrastructure runs from a Bulgarian IP block with zero reverse DNS.
Each hop in the redirect chain served a purpose. EdgePilot added a layer of URL defense legitimacy. SendGrid added a trusted intermediary domain. By the time a scanner reached the final destination, it had already passed through two reputable services.
The landing page at the typosquat domain did not immediately present a credential form. Instead, it deployed "HumanCheck" anti-bot gating, a JavaScript challenge designed to distinguish human browsers from automated URL rewriting scanners and sandbox detonation tools.
When a security scanner followed the redirect chain, it encountered the HumanCheck page and returned a clean verdict. The actual credential harvesting form sat behind the gate, visible only to human visitors who passed the challenge. This two-layer evasion (redirect chain plus anti-bot gating) ensured that automated analysis never saw the payload.
The email body itself was Base64-encoded, adding a third evasion layer. Content inspection filters scanning for suspicious keywords or brand references in the raw message body would find only encoded text. The footer claimed the message came from "Document Services Team, Inc." described as an Amazon subsidiary, a claim with no verifiable basis.
Themis flagged the convergence of signals that no single check could catch: dual authentication failure (SPF and DKIM), a sender domain with no relationship to document signing, a redirect chain terminating at a two-day-old domain, and a Base64-encoded body obscuring the visual content from pre-delivery inspection.
Authentication told the story plainly. Both SPF and DKIM failed. The message should never have been delivered. But relay infrastructure and ARC headers from earlier hops created enough ambiguity for the gateway to pass it through.
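The convergence check described above, as an added example that is not the page's or the vendor's code: it parses a constructed message modelled on this lure, reads the SPF/DKIM verdicts from Authentication-Results, decodes the Base64 body so the link becomes visible, tests the link host for brand typosquatting, and combines those with the landing domain's age (passed in as a number, since the example runs offline with no WHOIS lookup). The sample headers, the `mx.example.net` verifier and the `LEGIT` brand-domain list are assumptions.

```python
import base64
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message modelled on the lure above; headers and link are illustrative,
# not the original email. Authentication-Results is what the receiving MX would add.
HTML = b'<p>Review &amp; Return Copy: <a href="https://cloud.docusign-electronical-signature-portal.com/r">Open</a></p>'
RAW = (b'From: "westernbanks | Fax" <876532@tiendajireh.com.mx>\r\n'
       b'Subject: has assign a new file\r\n'
       b'Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=tiendajireh.com.mx;'
       b' dkim=fail header.d=tiendajireh.com.mx\r\n'
       b'Content-Type: text/html; charset=utf-8\r\n'
       b'Content-Transfer-Encoding: base64\r\n\r\n' + base64.b64encode(HTML) + b'\r\n')

LEGIT = ("docusign.com", "docusign.net")   # assumed list of genuine brand domains

def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)

def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}

def links(msg) -> list:
    """Decode the (possibly base64) body so the hrefs become visible to inspection."""
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    return re.findall(r'href="(https?://[^"]+)"', body)

def brand_typosquat(url: str, brand: str = "docusign") -> bool:
    host = urlparse(url).hostname or ""
    return brand in host and not any(host == d or host.endswith("." + d) for d in LEGIT)

def signals(msg, landing_domain_age_days: int) -> list:
    """Each item is one independent indicator; the verdict is their convergence."""
    found = []
    ar = auth_results(msg)
    if ar.get("spf") == "fail" and ar.get("dkim") == "fail":
        found.append("spf and dkim both fail")
    if str(msg.get("Content-Transfer-Encoding", "")).lower() == "base64":
        found.append("base64-encoded body")
    sender_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    for url in links(msg):
        if brand_typosquat(url):
            found.append("brand typosquat link: " + urlparse(url).hostname)
            if not any(sender_domain == d or sender_domain.endswith("." + d) for d in LEGIT):
                found.append("sender domain unrelated to brand: " + sender_domain)
    if landing_domain_age_days < 7:
        found.append(f"landing domain registered {landing_domain_age_days} days ago")
    return found
```

Running `signals(parse(RAW), 2)` returns five indicators for the constructed message; a single one of them might be benign, and the point is that all of them fire together.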
| Type | Indicator | Context |
|---|---|---|
| Sender Email | 876532@tiendajireh[.]com[.]mx | Mexican retail domain, no DocuSign affiliation |
| Display Name | "westernbanks \| Fax" | Unrelated to document signing |
| Relay | encryptdel201.appriver[.]com | AppRiver relay hop, SPF fail |
| Redirect Hop 1 | link.edgepilot[.]com | URL defense service |
| Redirect Hop 2 | u106697411.ct.sendgrid[.]net | SendGrid tracking redirect |
| Landing Domain | cloud.docusign-electronical-signature-portal[.]com | Typosquat, registered Apr 29, 2026 |
| Landing IP | 91.92.41[.]5 | Bulgaria, no PTR record |
| Anti-Bot | HumanCheck gating | Blocks automated scanner analysis |
| Body Encoding | Base64 | Content inspection evasion |
| Footer Claim | "Document Services Team, Inc." | Unverifiable Amazon subsidiary claim |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | CTA link through redirect chain to typosquat credential page |
| Masquerading: Match Legitimate Name or Location | T1036.005 | DocuSign brand impersonation via typosquat domain |
| Stage Capabilities: Link Target | T1608.005 | Anti-bot gated landing page staged on newly registered infrastructure |