The Payroll Notice That HelloSign Delivered on Behalf of a 9-Day-Old Domain

The email looked like every other HelloSign notification. Professional layout, Dropbox Sign branding, CDN-hosted logos, and a prominent "Get Started" button linking to app.hellosign.com. SPF passed. DKIM passed. DMARC passed. Every link pointed to a real HelloSign page. The only problem was the sender: a domain that did not exist two weeks ago, using a legitimate ESP to deliver a fraudulent payroll document for signature.

Legitimate Infrastructure, Fabricated Identity

The message originated from 242.static.mail.hellosign.com at IP 143[.]55[.]234[.]242, a genuine Dropbox Sign mail server. The Return-Path pointed to a HelloSign bounce address. X-Mailgun-Variables metadata confirmed the on_behalf_of_email was hr@filesignportal[.]com.

The domain filesignportal[.]com was registered on 2026-05-22 through NameCheap with WHOIS privacy protection. Nine days old. No public website. No business registration. No prior email history. The attacker created the domain, provisioned a HelloSign account under it, and used the platform to send what appeared to be a routine HR payroll notice.

Because HelloSign sent the message through its own infrastructure, authentication was flawless. SPF validated against HelloSign's published IP ranges. DKIM was signed by mail.hellosign.com. DMARC aligned on the mail.hellosign.com header-from. The sending platform was not spoofed. It was used as designed, by a customer whose identity was fabricated.

Why Every Link Scanned Clean

Link scanners found nothing to flag. The primary signing URL (app.hellosign.com/sign/43b002cb...) resolved to a real HelloSign signing page. The "Get Started" button linked to a legitimate HelloSign session (app.hellosign.com/t/d39a08a9...). Login links pointed to app.hellosign.com/account/logIn. Even the abuse-reporting link directed to dropbox.com/report_abuse.

The entire attack surface lived on the vendor's domain. There was no attacker-hosted phishing page, no redirect chain, no obfuscated URL. The signing session itself was the weapon: if the recipient authenticated and signed, they would be interacting with a document controlled by the attacker's account.

What Made It Detectable

Two signals stood out. The message contained no recipient personalization, just a generic "HR Internal Team" identity with no company name, department, or employee reference. Legitimate payroll documents name the employer, reference a specific pay period, and address the employee directly.

Second, the on-behalf domain was 9 days old. IRONSCALES behavioral analysis flagged the domain age combined with the first-time-sender signal and the nature of the requested action (payroll signature). Authentication was perfect. Context was not.

See Your Risk: Calculate how many threats your SEG is missing

Indicators of Compromise

MITRE ATT&CK Mapping