A Zoho Sign document review request arrived with perfect authentication. SPF passed. DKIM passed. DMARC passed. ARC validated across every hop. The green banner, the logo, the "Review and Sign" button all matched a standard Zoho Sign template. Every link in the message resolved to sign.zoho[.]com. There was nothing for a gateway to flag.
Except the Reply-To pointed to info@admin-director[.]info, a domain with no WHOIS data, no DMARC, and no verifiable connection to any government office.
Zoho Sign as the Authenticated Sender
The email originated from notifications@zohosign[.]com through system-60.transmail[.]net at IP 135.84.80[.]60. Zoho's transactional mail infrastructure handled delivery into the recipient's Microsoft 365 environment. SPF passed because that relay is an authorized sender for zohosign[.]com. DKIM passed because the message was signed with Zoho's keys for the same domain. DMARC passed because the DKIM signing domain aligned with the From domain. ARC seals validated across every forwarding hop.
This is the same authentication profile that every legitimate Zoho Sign notification carries. A secure email gateway evaluating sender reputation, authentication results, and link destinations would find a fully trusted platform delivering a routine document signing request. The infrastructure was legitimate because Zoho Sign actually sent the email.
Every Link Clean, Every Domain Trusted
The message contained a primary "Review" CTA linking to sign.zoho[.]com with a sign_id parameter. Additional links included a guest reminder URL and a report-abuse link, both Zoho-hosted. All resolved to Zoho infrastructure. All scanned clean.
There were no external redirects, no newly registered domains in the link chain, and no attachments. A content scanning gateway inspecting URLs and payloads would find nothing actionable. The attack surface was not in the links.
The Reply-To That Exposed the Impersonation
The From header showed notifications@zohosign[.]com. The Reply-To header showed info@admin-director[.]info. The in-message "Sender" field also displayed an admin-director[.]info address. That domain has no discoverable WHOIS registration data and no published DMARC policy.
The document claimed to come from a Connecticut government office. The organization was listed as Information_Department, underscore included. An underscore in an organization name is the kind of artifact left behind when a platform signup field is filled in quickly; it is not how a government office presents itself on official correspondence. This formatting detail, combined with the unverifiable domain, points to an impersonation built with a self-service platform account rather than through any legitimate government workflow.
The document carried an expiry date of May 20, 2026, creating time pressure to act before verifying. This is standard social engineering: impose a deadline, invoke authority, and deliver through a platform the recipient trusts.
What Behavioral Detection Identified
Themis, the IRONSCALES Adaptive AI engine, evaluates the gap between what the email claims and what the headers reveal. The Reply-To mismatch between a Zoho platform sender and an unverifiable external domain, the government authority claim with no supporting infrastructure, and the formatting inconsistencies in the organization name are behavioral signals that authentication cannot assess. These patterns identify impersonation at the intent layer, not the infrastructure layer.
Authentication confirmed that Zoho Sign sent this email. It did not confirm who created the signing request, whether the document was legitimate, or where a reply would go. On a shared notification platform the From domain, DKIM signature and DMARC alignment belong to the platform; the Reply-To and the displayed sender name belong to whoever holds the account that created the request. Authentication vouches for the former and says nothing about the latter.
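The divergence described above can be checked mechanically. The following script is an added example for this article, not IRONSCALES code and not part of Themis: it parses a message, reads the spf/dkim/dmarc verdicts from the Authentication-Results header, compares the Reply-To domain with the From domain, and flags the case where an authenticated notification from a known shared platform replies to a domain that publishes no DMARC policy. The platform allowlist, the offline DMARC lookup table, and both sample messages are constructed for the example; the sample headers mirror the indicators in this post but are not a capture of the real message.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Notification senders whose mail authenticates cleanly while the Reply-To is
# set by whoever created the request. Assumption for this example: only the
# domain from this post; extend the set with other e-sign platforms per tenant.
PLATFORM_SENDER_DOMAINS = {"zohosign.com"}

# Constructed stand-in for _dmarc.<domain> TXT lookups so the example runs
# offline. A production check would resolve these with a DNS library; the
# policy text below is illustrative, not Zoho's actual record.
DMARC_RECORDS = {
    "zohosign.com": "v=DMARC1; p=quarantine",
}


def domain_of(header_value):
    """Lowercased domain of the first address in a header, or None if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() or None


def has_dmarc(domain, records=DMARC_RECORDS):
    """True if the domain publishes a DMARC record (per the lookup table)."""
    return records.get(domain, "").lower().startswith("v=dmarc1")


def auth_verdicts(msg):
    """Collect spf/dkim/dmarc results from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def assess(raw_message):
    """Flag Reply-To divergence on an otherwise authenticated platform notification."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    auth = auth_verdicts(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
        if not has_dmarc(reply_domain):
            findings.append(f"Reply-To domain {reply_domain} publishes no DMARC policy")
        if from_domain in PLATFORM_SENDER_DOMAINS:
            findings.append(f"{from_domain} is a shared notification platform; "
                            "the Reply-To is chosen by the account that created the request")

    return {
        "authenticated": authenticated,
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "findings": findings,
        "verdict": "suspect" if findings else "clean",
    }


# Constructed sample mirroring the indicators in this post. Header values are
# illustrative; this is not a capture of the real message.
SUSPECT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=zohosign.com; dkim=pass header.d=zohosign.com; dmarc=pass header.from=zohosign.com
From: "Zoho Sign" <notifications@zohosign.com>
Reply-To: info@admin-director.info
To: clerk@example.com
Subject: Information_Department has sent you a document to review and sign

Review and sign the document at the Zoho Sign link in the full message.
"""

# Constructed benign notification: same authenticated sender, no Reply-To diversion.
BENIGN = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=zohosign.com; dkim=pass header.d=zohosign.com; dmarc=pass header.from=zohosign.com
From: "Zoho Sign" <notifications@zohosign.com>
To: clerk@example.com
Subject: Your document has been signed

The signing workflow is complete.
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        result = assess(raw)
        print(name, result["verdict"], result["authenticated"], *result["findings"], sep="\n  ")
```

The point the verdict makes is the one the article makes: the suspect message is fully authenticated and still comes back "suspect", because the authentication result is an input to the check rather than the check itself. In a gateway this logic belongs in the post-authentication stage, where the Reply-To and display-name fields are available alongside the Authentication-Results header.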
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sending Platform | notifications@zohosign[.]com | Legitimate Zoho Sign sender |
| Sending Relay | system-60.transmail[.]net | Zoho transactional mail infrastructure |
| Sending IP | 135.84.80[.]60 | Zoho transmail IP |
| Reply-To | info@admin-director[.]info | Unverifiable domain, no WHOIS, no DMARC |
| In-Message Sender | admin-director[.]info address | Matches Reply-To diversion target |
| Document Links | sign.zoho[.]com with sign_id parameter | All Zoho-hosted, scanned clean |
| Organization Name | Information_Department | Underscore formatting, inconsistent with government communications |
| Claimed Authority | Connecticut government office | Not verifiable |
| Document Expiry | May 20, 2026 | Urgency mechanism |
MITRE ATT&CK Mapping
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Zoho Sign document review link as delivery vector |
| Impersonation | T1656 | Government office impersonation delivered through a trusted e-sign platform |
| Establish Accounts | T1585 | Zoho Sign account created to send fraudulent signing requests |