Targeted BEC Scam

17 December 2024

Mimecast threat researchers have discovered a highly targeted Business Email Compromise campaign. Our analysis reveals increasingly sophisticated techniques being used to make BEC emails appear legitimate.

Initial email

The campaign begins with an email sent via trusted services, such as DocuSign and Adobe Sign, falsely claiming to be from a law firm. The email requests that the recipient sign a document and call a provided phone number, which is not associated with the law firm.

This campaign appears to be highly targeted, and the law firm details in these initial emails indicate the threat actor may have prior knowledge of a working relationship with the target business. Once the victim calls the number, they will speak with the threat actor impersonating someone from this law firm.

The victim is then instructed to email an address with a domain resembling the legitimate law firm's domain, creating an email relationship with this suspicious address. This address will then be used for further communication as a trusted sender for this user.

Follow up communication

Once the connection is established, the threat actor uses the suspicious address to send a fraudulent invoice requiring payment. To give further legitimacy to this campaign, the victim will receive a deepfake phone call impersonating a CEO or someone who is authorized to approve the transfer.

The amounts requested are likely to be significant and should be treated with extreme caution.

Mimecast Protection

We have identified several attributes in the campaigns which have been added to our detection capabilities. View the Advanced BEC Protection page to learn more about how our advanced AI and Natural Language Processing capabilities to aid in detections of evolving threats.

Targeting:

Primarily US and UK, across Banking, Financial Services and Insurance. Detections outside of those regions and verticals have been detected as well.

IOC’s

ds-n4a[.]com
​sign-en[.]com
​www.sign-en[.]com
​sign-en1[.]com
​sign-en3[.]com
​sign-en2[.]com
​www.sign-en1[.]com
​www.sign-en3[.]com
​www.sign-en2[.]com
​n4a-sign[.]net
​www.ds-sign[.]net
​www.n4a-sign[.]net
​n4a-docusign[.]com
​www.n4a-docusign[.]com
​mail-sign[.]net
​www.mail-sign[.]net
​www.mail-sign[.]com
​n4a-doc[.]net
​www.n4a-doc[.]net
​mail-doc[.]net
​www.mail-doc[.]net
​mail-sign[.]com
​ds-sign[.]net
​doc-sign[.]net
​n4a-doc[.]com
​doctosign[.]tech
​b-docusign.com

Recommendations

• Conduct awareness sessions for employees about BEC tactics and how to identify phishing attempts.
• Educate end users around the continued trend of legitimate tools being used in malicious campaigns.
• Implement verification protocols for any unexpected or suspicious emails purportedly from Law firms using Docusign and Adobe Sign, especially those requesting sensitive information or financial transactions.
• Always report any phishing or BEC scam email to Mimecast or your email security provider.

Mimecast is actively working with services such as Docusign to help tackle the misuse of these trusted services.

Report DocuSign scam information through their official reporting page at https://www.docusign.com/trust/security/incident-reporting, providing as much detail as possible about the suspicious activity, including any emails, links, or documents you have received.