Hackers Create Fake DocuSign Login Page to Steal User Credentials

Phishing attacks continue to dominate the cybercrime landscape as threat actors refine their social engineering tactics to evade detection systems.

The FBI’s Internet Crime Complaint Center (IC3) recorded 193,407 phishing and spoofing complaints in 2024, making it the year’s top cybercrime category and contributing to a staggering $16.6 billion in reported losses.

Meanwhile, Group-IB’s High-Tech Crime Trends Report 2025 reveals that phishing activity grew by 22% year-over-year, underscoring the extent to which attackers rely on deceptive tactics to gain initial access.

Among the latest threats, cybersecurity researchers at Group-IB have identified a sophisticated DocuSign impersonation campaign that has been actively targeting organizations since late August 2025.

The campaign marks an evolution in phishing methodology: abuse of legitimate hosting infrastructure combined with a kit that assembles the credential-harvesting page dynamically for each victim, producing fake login portals tailored to the target organization.

Campaign Overview and Tactics

The DocuSign impersonation attacks leverage trusted business communication patterns to deceive recipients during busy workdays.

Attackers send carefully crafted emails that closely mimic legitimate DocuSign notifications, claiming that a new document requires review.

These messages address recipients by their login names and include spoofed sender addresses that frequently mimic the target’s own organizational domain, creating an illusion of authenticity.

The sophistication lies in the technical implementation. When victims click the “Review document” button, they are redirected to URLs hosted on IPFS (InterPlanetary File System) gateways or Amazon Web Services S3 buckets.

Email characteristics and tactics.

Both are legitimate services, which is precisely why phishing actors favor them: content on IPFS is addressed by hash and can be served through any public gateway, and S3 buckets live under the shared amazonaws.com domain, so defenders cannot block the hosting domain without breaking legitimate traffic and must instead take down or blocklist individual URLs.

The credential-harvesting pages in this campaign are built using LogoKit, a specialized phishing framework designed to dynamically construct convincing login portals in real-time.

As the malicious page loads, it reads the victim’s email address from a URL parameter, extracts the domain, and uses it to customize the appearance of the fake login screen.

LogoKit fetches visual elements automatically, including background screenshots of the target organization’s website via the thum.io service and corporate favicons through Clearbit or Google’s favicon service.

Email login.

This dynamic assembly creates a personalized phishing page that closely resembles the victim’s actual login portal, significantly increasing the likelihood of credential compromise.

Technical Indicators and Detection

Security researchers have identified several technical red flags that distinguish these malicious emails from legitimate DocuSign communications.

The most prominent indicator is an SPF (Sender Policy Framework) authentication failure: because the sender address is spoofed to look like the target’s own domain, the sending server is not among the hosts that domain’s SPF record authorizes.

Additionally, the Reply-To header frequently points to unrelated organizations or generic public email providers such as Gmail, rather than official DocuSign addresses.

The URL structure also reveals suspicious patterns. Legitimate DocuSign links never pass recipient email addresses as URL parameters, nor do they redirect to IPFS gateways or AWS S3 storage buckets.

These infrastructure choices are characteristic of phishing operations designed to evade traditional URL blocklisting and maintain operational flexibility.
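The indicators above (SPF failure, an off-domain or webmail Reply-To, an email address smuggled in the link, and IPFS or S3 hosting) can be checked mechanically. The following triage script is an added example written for this article, not Group-IB’s or DocuSign’s tooling; the sample message, its addresses and the IPFS CID are constructed placeholders, and the gateway and mailbox-provider lists are illustrative rather than exhaustive.

```python
"""Heuristic triage of a suspected DocuSign-themed phishing email.

Added example for this article; it is not Group-IB's or DocuSign's tooling.
It scores a raw message against the indicators described above:
  - SPF failure recorded in Authentication-Results (spoofed sender)
  - Reply-To domain differing from the From domain or pointing at a
    public mailbox provider
  - links that carry an email address in the query string or fragment
  - links hosted on IPFS gateways or AWS S3 buckets
The gateway and provider lists are illustrative, not exhaustive.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample message: every address, domain and CID is a placeholder.
SAMPLE_EMAIL = """\
From: "DocuSign" <noreply@example-corp.com>
Reply-To: docs.review@gmail.com
To: jane.doe@example-corp.com
Subject: Please review this document
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello jane.doe,</p>
<p>A new document requires your review.</p>
<a href="https://ipfs.io/ipfs/bafyexamplecidplaceholder0000/index.html?email=jane.doe@example-corp.com">Review document</a>
</body></html>
"""

PUBLIC_MAILBOX_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
# Well-known public IPFS gateways plus the "<cid>.ipfs.<gateway>" subdomain form.
IPFS_GATEWAY_RE = re.compile(r"(^|\.)(ipfs\.io|dweb\.link|cf-ipfs\.com|w3s\.link|nftstorage\.link)$|\.ipfs\.")
# Virtual-hosted, path-style and website-endpoint S3 hostnames.
S3_HOST_RE = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def domain_of(header_value: Optional[str]) -> str:
    """Lower-cased domain part of an RFC 5322 address header, or "" if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spf_failed(auth_results: Optional[str]) -> bool:
    """True when the receiving MTA recorded an SPF fail, softfail or permerror."""
    return re.search(r"\bspf=(fail|softfail|permerror)\b", auth_results or "", re.I) is not None


def reply_to_mismatch(msg: Message) -> bool:
    """Reply-To present and either off-domain or at a public mailbox provider."""
    reply_dom = domain_of(msg.get("Reply-To"))
    if not reply_dom:
        return False
    return reply_dom != domain_of(msg.get("From")) or reply_dom in PUBLIC_MAILBOX_PROVIDERS


def is_ipfs_gateway(host: str) -> bool:
    return IPFS_GATEWAY_RE.search(host.lower()) is not None


def is_s3_bucket(host: str) -> bool:
    return S3_HOST_RE.search(host.lower()) is not None


def carries_email_param(url: str) -> bool:
    """True if any query value or the fragment looks like an email address,
    which is how the kit learns which domain to impersonate."""
    parts = urlparse(url)
    candidates = [v for values in parse_qs(parts.query).values() for v in values]
    candidates.append(parts.fragment)
    return any(EMAIL_RE.match(c) for c in candidates)


def extract_links(msg: Message) -> list:
    """Collect href targets from a single-part HTML body."""
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    return HREF_RE.findall(body)


def triage(raw_message: str) -> dict:
    """Return the indicators found and a coarse verdict."""
    msg = message_from_string(raw_message)
    findings = []
    if spf_failed(msg.get("Authentication-Results")):
        findings.append("spf_fail")
    if reply_to_mismatch(msg):
        findings.append("reply_to_mismatch")
    for url in extract_links(msg):
        host = (urlparse(url).hostname or "").lower()
        if is_ipfs_gateway(host):
            findings.append(f"ipfs_gateway:{host}")
        if is_s3_bucket(host):
            findings.append(f"s3_bucket:{host}")
        if carries_email_param(url):
            findings.append(f"email_in_url:{host}")
    return {"findings": findings, "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Run it against a raw `.eml` and the sample above yields four findings (SPF failure, Reply-To at gmail.com, an IPFS gateway host, and the recipient’s address in the query string). The checks are deliberately independent so a single hit can be used for alerting while the full set drives scoring; the hostname patterns should be extended with whatever gateways and regional S3 endpoints appear in your own telemetry.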

According to Group-IB’s analysis, attacks increasingly exploit trusted business tools because the familiar branding and professional appearance make fraudulent messages easier to overlook during routine workflows.

The customization capabilities of frameworks like LogoKit enable attackers to scale their operations while maintaining convincing impersonations across multiple target organizations.

Organizations should implement multi-layered email security that includes SPF, DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) checks. A DMARC policy of quarantine or reject on the organization’s own domain matters most here: a spoofed sender impersonating that domain already fails SPF, but the failure only stops the message if the receiving gateway is configured to act on it.

Security awareness training should educate employees about the warning signs of phishing emails, particularly focusing on suspicious sender addresses, mismatched Reply-To headers, and unusual URL structures.

Advanced email protection platforms capable of detecting dynamic phishing infrastructure can provide an additional defensive layer against LogoKit-based attacks.

As phishing tactics continue to evolve with increasingly sophisticated technical implementations, organizations must adopt proactive threat intelligence strategies and deploy advanced detection capabilities to protect against credential harvesting campaigns that exploit trusted business communication channels.
