Trusted Service Phishing (DocuSign, SharePoint, etc.)
Attackers abuse legitimate platforms like DocuSign, SharePoint, and Dropbox to host phishing content, bypassing email security by leveraging trusted domains and services.
MITRE ATT&CK: T1566.002
Timeline: The Cat and Mouse
2018 → Attack emerges → 2020 → Platforms respond → 2023 → Attackers adapt → Present
The Evolution
| Phase | Period | What Happened |
|---|---|---|
| CONTEXT | 2017 | URL reputation checking becomes standard in email security |
| ATTACK | 2018 | Attackers discover trusted domains bypass reputation checks |
| PEAK | 2019-2020 | DocuSign, SharePoint, Dropbox abuse becomes widespread |
| RESPONSE | 2020 | Platforms deploy abuse detection (DocuSign, Microsoft) |
| | 2021 | SEGs add click-time URL inspection with redirect following |
| | 2022 | ML-based brand impersonation detection |
| ADAPTATION | 2023 | QR codes in documents, nested trust chains, multi-platform hops |
| CURRENT | Present | Active cat-and-mouse; platforms can't fully solve |
Key Events with Sources
| Date | Event | Significance | Source |
|---|---|---|---|
| 2018 | Trusted domain abuse emerges | Attackers exploit DocuSign/SharePoint reputation | Cofense |
| 2019 | DocuSign abuse reporting | DocuSign adds phishing abuse reporting system | DocuSign |
| 2020 | Microsoft SharePoint scanning | Enhanced scanning for phishing content on SharePoint | Microsoft |
| 2021 | Click-time URL inspection | SEGs follow redirect chains at time of click | Proofpoint |
| 2023 | Cross-platform intelligence | Platforms begin sharing abuse intelligence | Anti-Phishing Working Group |
Overview
Trusted service phishing exploits the reputation of legitimate platforms to deliver phishing content. By hosting malicious pages on DocuSign, SharePoint, Dropbox, Google Drive, and similar services, attackers bypass email security filters that trust these domains. The victim receives an email from or containing links to a legitimate service, making detection extremely difficult.
The Attack
How It Works
```text
┌─────────────────────────────────────────────────────────────┐
│ EMAIL (from notifications@docusign.com or similar)          │
│                                                             │
│ Subject: Please review and sign: Contract Agreement         │
│                                                             │
│ John Smith has sent you a document to review and sign.      │
│                                                             │
│ [Review Document] → Links to real DocuSign/SharePoint       │
│                                                             │
│ SPF: Pass | DKIM: Pass | DMARC: Pass                        │
└─────────────────────────────────────────────────────────────┘
                               │
                               ▼
             Victim clicks legitimate service link
                               │
                               ▼
┌─────────────────────────────────────────────────────────────┐
│ LEGITIMATE PLATFORM (docusign.com / sharepoint.com)         │
│                                                             │
│    ┌───────────────────────────────────────────────────┐    │
│    │ "To view this document, please verify your        │    │
│    │  identity by signing in with Microsoft 365"       │    │
│    │                                                   │    │
│    │ [Microsoft Login Button] → Redirect to phish      │    │
│    └───────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────┘
                               │
                               ▼
         Victim enters credentials on fake login page
```
Commonly Abused Services
Document Signing:
- DocuSign
- Adobe Sign
- HelloSign
- PandaDoc
Cloud Storage:
- SharePoint/OneDrive
- Google Drive
- Dropbox
- Box
Collaboration:
- Microsoft Teams
- Slack (link previews)
- Notion
- Confluence
Forms & Surveys:
- Microsoft Forms
- Google Forms
- Typeform
- SurveyMonkey
Other:
- SendGrid/Mailchimp (email delivery)
- Calendly (meeting invites)
- Canva (design sharing)
- WeTransfer (file transfers)
Why It Bypasses Security
Domain Reputation:
- docusign.com is trusted globally
- sharepoint.com is enterprise-standard
- URLs pass reputation checks
- Email filters whitelist these domains
Legitimate Email Infrastructure:
- Real service sends the email
- SPF/DKIM/DMARC all pass
- Headers are legitimate
- No spoofing detected
User Expectation:
- Users expect DocuSign requests
- SharePoint sharing is normal business
- Clicking these links is routine
- No suspicion raised
DocuSign Abuse Techniques
Technique 1: Embedded Credential Harvesting
1. Attacker creates free DocuSign account
2. Uploads document with "Sign in to view" message
3. Embeds link to phishing page within document
4. Sends via DocuSign to victim
5. Victim clicks legitimate DocuSign email
6. Document contains link to credential harvester
Technique 2: Brand Impersonation
1. Create document styled as Microsoft/Google login
2. Include fake "authentication required" message
3. Link leads to look-alike login page
4. Victim sees DocuSign URL, trusts it
Technique 3: QR Code in Document
1. Upload document containing QR code
2. QR code links to mobile phishing page
3. Bypasses desktop URL scanning entirely
4. User scans on phone, enters credentials
SharePoint/OneDrive Abuse
Shared File Notifications:
Subject: John shared "Q4 Financial Report.xlsx" with you
[Open] → Links to real SharePoint
SharePoint page contains:
- "Session expired - sign in again"
- Fake Microsoft login overlay
- Or redirect to external phishing site
Forms Hosted on SharePoint:
1. Create SharePoint site
2. Add Microsoft Form requesting credentials
3. Style to look like IT security verification
4. Share link via email
5. URL is *.sharepoint.com - trusted domain
Multi-Stage Attacks
```text
Stage 1: DocuSign email (legitimate)
        │
        ▼
Stage 2: DocuSign document with SharePoint link
        │
        ▼
Stage 3: SharePoint page with "login required"
        │
        ▼
Stage 4: Credential harvester (may be on another trusted service)
```
Each hop adds legitimacy and confuses URL analysis.
Defenses
Platform-Side Detection
DocuSign, Microsoft, and others now:
- Scan uploaded documents for phishing content
- Detect brand impersonation in documents
- Flag suspicious links within files
- Rate-limit bulk sending from new accounts
- Suspend accounts exhibiting phishing patterns
Email Security Improvements
URL Rewriting + Inspection:
1. SEG rewrites URL to pass through inspection proxy
2. At click-time, follows all redirects
3. Inspects final landing page
4. Blocks if phishing detected
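The four steps above, and the multi-hop chains described under Multi-Stage Attacks, as an added Python example (not the page's own code and not any SEG vendor's implementation). To run offline it replaces live HTTP fetches with a constructed hop table mapping each URL to its redirect target and page HTML; the domains, URLs and HTML in it are made-up sample data, and the eTLD+1 helper is a deliberately naive stand-in for a Public Suffix List lookup.

```python
"""Click-time URL inspection: follow every redirect, then judge the final landing
page. Added example; the hop table below is a constructed stand-in for real
HTTP requests (assumption) so the logic can be exercised without a network."""
from urllib.parse import urlparse

# Constructed hop table: url -> (next_url or None, html of that page).
# The SharePoint link bounces twice and ends on an external look-alike login
# page; the DocuSign link is a plain, benign landing page.
CONSTRUCTED_HOPS = {
    "https://contoso.sharepoint.com/:x:/s/finance/Q4.xlsx?e=abc":
        ("https://contoso-sharepoint.example-phish.test/verify", ""),
    "https://contoso-sharepoint.example-phish.test/verify":
        ("https://login-microsoft.example-phish.test/auth", ""),
    "https://login-microsoft.example-phish.test/auth":
        (None, '<form action="/submit"><input type="password" name="pw"></form>'),
    "https://na1.docusign.net/Signing/EmailStart.aspx?a=1":
        (None, "<h1>Review your document</h1>"),
}

# Services whose domains an email filter would otherwise trust outright.
TRUSTED_SERVICE_DOMAINS = ("docusign.com", "docusign.net", "sharepoint.com", "dropbox.com")
MAX_HOPS = 10  # cap so a redirect loop cannot hang the inspector


def registrable_domain(url):
    """Naive eTLD+1: last two labels of the hostname. Good enough for the
    sample data; a deployment would consult the Public Suffix List."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def is_trusted_service(url):
    return registrable_domain(url) in TRUSTED_SERVICE_DOMAINS


def follow_chain(url, hops=CONSTRUCTED_HOPS, max_hops=MAX_HOPS):
    """Step 2: walk the redirect chain and return every URL visited, in order."""
    chain = [url]
    while True:
        nxt, _ = hops.get(chain[-1], (None, ""))
        if nxt is None:
            return chain
        if len(chain) >= max_hops:
            raise ValueError("redirect chain exceeds %d hops" % max_hops)
        chain.append(nxt)


def has_credential_form(html):
    """Step 3: crude landing-page check for a form that collects a password."""
    h = html.lower()
    return "<form" in h and 'type="password"' in h


def inspect(url, hops=CONSTRUCTED_HOPS):
    """Steps 1-4: inspect a rewritten link at click time and return a verdict."""
    chain = follow_chain(url, hops)
    final = chain[-1]
    _, html = hops.get(final, (None, ""))
    # The signal is the transition: a link that starts on a trusted service
    # and ends somewhere else, on a page asking for a password.
    left_trusted = is_trusted_service(url) and not is_trusted_service(final)
    cred_form = has_credential_form(html)
    return {
        "chain": chain,
        "final_url": final,
        "hops": len(chain) - 1,
        "left_trusted_service": left_trusted,
        "credential_form": cred_form,
        "block": left_trusted and cred_form,
    }


if __name__ == "__main__":
    for u in CONSTRUCTED_HOPS:
        v = inspect(u)
        print("BLOCK" if v["block"] else "allow", v["hops"], "hop(s) ->", v["final_url"])
```

The verdict keys the decision on the transition out of the trusted domain rather than on the starting URL, which is exactly the case a plain reputation check misses: the first hop is a genuine `*.sharepoint.com` link, and only the landing page after two redirects is hostile.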
Behavioral Analysis:
- New sender + urgent request = suspicious
- External sharing to many recipients = flag
- Unusual document sharing patterns
User Training
Critical awareness points:
- Legitimate services don't ask for credentials in documents
- Verify requests through separate channels
- Be suspicious of "sign in to view" prompts
- Check URL bar on login pages
Detection Patterns
Suspicious Indicators:
Email from: notifications@docusign.com
BUT
- Unexpected document from unknown sender
- Urgency language ("expires in 24 hours")
- Request for credentials in document
- Links to external sites within document
Attacker Adaptation
Service Rotation
When one platform increases detection:
DocuSign (detected) → Adobe Sign → HelloSign → PandaDoc
Attackers maintain accounts across multiple services.
Legitimate Account Compromise
Instead of creating accounts:
1. Compromise real user's DocuSign account
2. Send phishing from legitimate, established account
3. Recipient sees real sender name
4. Higher trust, better success rate
Nested Trust Chains
```text
Email from Microsoft 365
└─ Links to SharePoint
   └─ Document links to Google Forms
      └─ Form links to credential harvester
```
Each layer adds legitimacy.
QR Code Pivot
Platform scans URLs but not QR codes:
1. Generate QR code pointing to phishing site
2. Embed in document image
3. Upload to trusted platform
4. User scans with phone, bypasses all desktop security
Current State
Status: Active
Trusted service phishing remains highly effective:
| Challenge | Why It Persists |
|---|---|
| Domain reputation | Blocking *.docusign.com breaks business |
| Legitimate infrastructure | Real emails, real platforms |
| User behavior | Clicking these links is normal workflow |
| Detection difficulty | Content is on trusted platform |
Platform Response Timeline
| Year | Development |
|---|---|
| 2019 | DocuSign adds abuse reporting |
| 2020 | Microsoft enhances SharePoint scanning |
| 2021 | SEGs add click-time URL inspection |
| 2022 | Platforms implement ML-based detection |
| 2023 | Cross-platform abuse intelligence sharing |
Detection Guidance
Email Analysis
Flag for review:
- DocuSign/SharePoint emails to users who don't typically receive them
- Bulk document sharing from external sources
- Urgent language + document sharing
- New external senders sharing sensitive-sounding files
User Behavior
Monitor for:
- Credential entry shortly after clicking shared document
- Login attempts from unusual locations after document access
- Users reporting "re-authentication" requests
SIEM Correlation
```text
email.sender.domain IN (docusign.com, sharepoint.com, dropbox.com)
AND user.normally_receives_from_service = false
AND email.contains_urgency_language = true
```
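The correlation rule above and the Suspicious Indicators listed under Detection Patterns, as an added Python example that runs offline (example code, not the page's own rule or any SIEM product's query language). The field names, the 30-day sender history used to derive `user.normally_receives_from_service`, the urgency phrase list and the sample inbox are all constructed assumptions.

```python
"""Trusted-service phishing correlation over mail metadata. Added example:
history, inbox and thresholds are constructed (assumption), not real telemetry."""
import re
from collections import Counter

TRUSTED_SERVICE_DOMAINS = {"docusign.com", "sharepoint.com", "dropbox.com"}

# Urgency phrases (assumption); extend from your own phishing corpus.
URGENCY = re.compile(
    r"\b(expires? (in|within) \d+ ?(hours?|hrs?|days?)|urgent|immediately|"
    r"action required|final notice)\b", re.I)

# Constructed history: (recipient, sender_domain) pairs seen in the last 30 days.
CONSTRUCTED_HISTORY = [
    ("alice@corp.test", "docusign.com"),
    ("alice@corp.test", "docusign.com"),
    ("alice@corp.test", "docusign.com"),
    ("alice@corp.test", "dropbox.com"),
]

# Constructed inbox sample to evaluate.
CONSTRUCTED_INBOX = [
    {"id": 1, "to": "alice@corp.test", "from": "notifications@docusign.com",
     "subject": "Please review and sign: Vendor agreement"},
    {"id": 2, "to": "bob@corp.test", "from": "notifications@docusign.com",
     "subject": "ACTION REQUIRED: Contract expires in 24 hours"},
    {"id": 3, "to": "alice@corp.test", "from": "notifications@docusign.com",
     "subject": "Urgent: sign before the deadline"},
    {"id": 4, "to": "carol@corp.test", "from": "hr@corp.test",
     "subject": "Lunch menu"},
    {"id": 5, "to": "bob@corp.test", "from": "no-reply@sharepoint.com",
     "subject": 'John shared "Q4 Financial Report.xlsx" with you'},
]


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def is_trusted_service(domain):
    """email.sender.domain IN (...): exact match or a subdomain of a listed service."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_SERVICE_DOMAINS)


def build_baseline(history, min_count=2):
    """user.normally_receives_from_service: pairs seen at least min_count times.
    The threshold is an assumption; a single prior message is not a habit."""
    counts = Counter(history)
    return {pair for pair, n in counts.items() if n >= min_count}


def evaluate(email, baseline):
    """Return an alert dict, or None when the rule does not fire."""
    domain = sender_domain(email["from"])
    if not is_trusted_service(domain):
        return None
    reasons = []
    if (email["to"], domain) not in baseline:
        reasons.append("user does not normally receive from this service")
    text = email["subject"] + " " + email.get("body", "")
    if URGENCY.search(text):
        reasons.append("urgency language")
    if not reasons:
        return None
    # Both conditions together is the page's rule (high); one alone goes to a
    # low-severity review queue rather than being dropped.
    return {"id": email["id"], "to": email["to"], "sender_domain": domain,
            "severity": "high" if len(reasons) == 2 else "low", "reasons": reasons}


def run(inbox, history):
    baseline = build_baseline(history)
    return [a for a in (evaluate(e, baseline) for e in inbox) if a]


if __name__ == "__main__":
    for alert in run(CONSTRUCTED_INBOX, CONSTRUCTED_HISTORY):
        print(alert["severity"].upper(), alert["id"], "; ".join(alert["reasons"]))
```

Note that the rule never blocks on the sender domain itself: a genuine DocuSign envelope to a user who signs contracts every week (id 1) produces nothing, while the same sender to a user with no history, under deadline pressure (id 2), fires at high severity. That keeps the whole-domain block the Response Actions section warns against off the table.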
Platform Monitoring
If you control the tenant:
- Monitor SharePoint external sharing
- Alert on Microsoft Forms requesting credentials
- Track OneDrive link sharing to external parties
Response Actions
When detected:
- Block the specific sharing link (not the whole domain)
- Report abuse to the platform
- Check if other users received similar emails
- Verify no credential compromise occurred
What Killed It (or Weakened It)
| Defense | Introduced | Impact |
|---|---|---|
| Platform Abuse Detection | 2020 | DocuSign, Microsoft, and others deploy ML to detect phishing hosted on their platforms |
| Enhanced URL Inspection | 2021 | SEGs follow redirect chains and inspect final landing pages |
| Brand Impersonation Detection | 2022 | ML models identify fake login pages even on legitimate domains |