The email looked like every other HelloSign notification. Professional layout, Dropbox Sign branding, CDN-hosted logos, and a prominent "Get Started" button linking to app.hellosign.com. SPF passed. DKIM passed. DMARC passed. Every link pointed to a real HelloSign page. The only problem was the sender: a domain that did not exist two weeks ago, using a legitimate ESP to deliver a fraudulent payroll document for signature.
The message originated from 242.static.mail.hellosign.com at IP 143[.]55[.]234[.]242, a genuine Dropbox Sign mail server. The Return-Path pointed to a HelloSign bounce address. X-Mailgun-Variables metadata confirmed the on_behalf_of_email was hr@filesignportal[.]com.
The domain filesignportal[.]com was registered on 2026-05-22 through NameCheap with WHOIS privacy protection. Nine days old. No public website. No business registration. No prior email history. The attacker created the domain, provisioned a HelloSign account under it, and used the platform to send what appeared to be a routine HR payroll notice.
Because HelloSign sent the message through its own infrastructure, authentication was flawless. SPF validated against HelloSign's published IP ranges. DKIM was signed by mail.hellosign.com. DMARC aligned on the mail.hellosign.com header-from. The sending platform was not spoofed. It was used as designed, by a customer whose identity was fabricated.
Link scanners found nothing to flag. The primary signing URL (app.hellosign.com/sign/43b002cb...) resolved to a real HelloSign signing page. The "Get Started" button linked to a legitimate HelloSign session (app.hellosign.com/t/d39a08a9...). Login links pointed to app.hellosign.com/account/logIn. Even the abuse-reporting link directed to dropbox.com/report_abuse.
The entire attack surface lived on the vendor's domain. There was no attacker-hosted phishing page, no redirect chain, no obfuscated URL. The signing session itself was the weapon: if the recipient authenticated and signed, they would be interacting with a document controlled by the attacker's account.
Two signals stood out. First, the message contained no recipient personalization, just a generic "HR Internal Team" identity with no company name, department, or employee reference. Legitimate payroll documents name the employer, reference a specific pay period, and address the employee directly.
Second, the on-behalf domain was 9 days old. IRONSCALES behavioral analysis flagged the domain age combined with the first-time-sender signal and the nature of the requested action (payroll signature). Authentication was perfect. Context was not.
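As an added example (not IRONSCALES code, and not the original message), the following Python triages a constructed copy of this message the way the write-up describes: it reads the ESP customer's on-behalf sender from X-Mailgun-Variables, records that SPF/DKIM/DMARC vouch only for the ESP's header-from domain, and scores the contextual signals (on-behalf domain age, first-time sender, generic HR identity, payroll request). The WHOIS creation dates, the sender-history set, the 30-day "new domain" threshold and the score cut-offs are assumptions standing in for live RDAP lookups and tuned policy; a second constructed message from an established customer shows the same logic letting routine e-signature traffic through.

```python
import email
import email.utils
import json
import re
from datetime import date
from email import policy
from typing import Optional

# Constructed sample modelled on the headers described in the write-up (not the original message).
SAMPLE_MESSAGE = """\
Return-Path: <bounce+example@mail.hellosign.com>
Received: from 242.static.mail.hellosign.com (242.static.mail.hellosign.com [143.55.234.242]) by mx.example.net with ESMTPS; Sun, 31 May 2026 09:14:02 +0000
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.hellosign.com; dkim=pass header.d=mail.hellosign.com; dmarc=pass header.from=mail.hellosign.com
From: "HR Internal Team" <noreply@mail.hellosign.com>
To: employee@example.net
Subject: Payroll Update - Signature Required
X-Mailgun-Variables: {"on_behalf_of_email": "hr@filesignportal.com"}
Content-Type: text/plain; charset=utf-8

Please review and sign your payroll form: https://app.hellosign.com/sign/EXAMPLE-ID
"""

# Constructed control: same ESP, but an established customer with a named employer (assumption).
BENIGN_MESSAGE = (SAMPLE_MESSAGE
                  .replace('"HR Internal Team" <noreply', '"Acme Corp HR" <noreply')
                  .replace("hr@filesignportal.com", "hr@acme-example.com")
                  .replace("Payroll Update - Signature Required",
                           "Acme Corp Q2 timesheet - signature required"))

ANALYSIS_DATE = date(2026, 5, 31)            # the day the message was triaged (constructed)

# Stand-in for a live WHOIS/RDAP creation-date lookup (assumed values except filesignportal.com).
WHOIS_CREATED = {
    "filesignportal.com": date(2026, 5, 22),
    "acme-example.com": date(2015, 3, 1),
}
# Constructed sender history: on-behalf domains this org has received mail from before.
KNOWN_SENDER_DOMAINS = {"acme-example.com"}

GENERIC_IDENTITY_RE = re.compile(
    r"^\s*(hr|payroll|finance|accounts?|admin|it)\b[\w\s]*(team|dept|department)?\s*$", re.I)
HIGH_RISK_SUBJECT_TERMS = ("payroll", "direct deposit", "w-2", "wire", "invoice")
NEW_DOMAIN_DAYS = 30                          # assumed threshold for "newly registered"


def parse_auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc verdicts out of the receiving MTA's Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        results[mech] = m.group(1).lower() if m else "none"
    return results


def on_behalf_domain(msg) -> Optional[str]:
    """The ESP customer who actually requested the send, per the X-Mailgun-Variables JSON."""
    raw = msg.get("X-Mailgun-Variables")
    if not raw:
        return None
    try:
        addr = json.loads(str(raw)).get("on_behalf_of_email", "")
    except json.JSONDecodeError:
        return None
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def domain_age_days(domain: str, today: date) -> Optional[int]:
    created = WHOIS_CREATED.get(domain)
    return (today - created).days if created else None


def assess_message(raw: str, today: date) -> dict:
    """Score the contextual signals; authentication results are recorded but never reduce risk."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    display, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    header_from_domain = from_addr.rsplit("@", 1)[-1].lower()
    obo = on_behalf_domain(msg)
    age = domain_age_days(obo, today) if obo else None
    findings, score = [], 0

    if all(v == "pass" for v in auth.values()):
        findings.append(f"auth passes for {header_from_domain} (vouches for the ESP, not its customer)")
    if obo and obo != header_from_domain:
        findings.append(f"on-behalf sender domain {obo} differs from header-from {header_from_domain}")
        if age is None:
            score += 2; findings.append(f"no registration record for {obo}")
        elif age < NEW_DOMAIN_DAYS:
            score += 3; findings.append(f"on-behalf domain is {age} days old")
        if obo not in KNOWN_SENDER_DOMAINS:
            score += 2; findings.append("first-time on-behalf sender for this organisation")
    if GENERIC_IDENTITY_RE.match(display):
        score += 2; findings.append(f"generic sender identity '{display}' names no employer")
    if any(t in str(msg.get("Subject", "")).lower() for t in HIGH_RISK_SUBJECT_TERMS):
        score += 2; findings.append("requested action is a payroll/financial signature")

    verdict = "quarantine" if score >= 6 else "review" if score >= 3 else "deliver"
    return {"auth": auth, "on_behalf_domain": obo, "age_days": age,
            "score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_MESSAGE), ("control", BENIGN_MESSAGE)):
        result = assess_message(raw, ANALYSIS_DATE)
        print(label, result["verdict"], result["score"], *result["findings"], sep="\n  ")
```

The design point is that the authentication block only ever adds a finding, never subtracts from the score: for ESP-relayed mail, a clean SPF/DKIM/DMARC result is evidence about the relay, and the identity worth evaluating is the on-behalf customer.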
| Type | Indicator | Context |
|---|---|---|
| On-Behalf Domain | filesignportal[.]com | Registered 2026-05-22, NameCheap, privacy-protected |
| On-Behalf Email | hr@filesignportal[.]com | Generic HR identity |
| Sending IP | 143[.]55[.]234[.]242 | HelloSign mail infrastructure |
| Signing URL | app.hellosign[.]com/sign/43b002cb280a0848e1fb668995d02fbd80278e1a | Legitimate HelloSign session |
| Platform | HelloSign (Dropbox Sign) | Used as SaaS delivery vehicle |

| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Signing URL delivered via e-signature platform |
| Acquire Infrastructure: Web Services | T1583.006 | Attacker provisioned HelloSign account under new domain |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Generic HR identity on fabricated domain |