Contributor

Cybercriminals impersonate Outlook and DocuSign to steal your identity

Opinion
Jan 24, 2018 | 4 mins
Cybercrime, Data and Information Security, Email Clients

Attackers are now impersonating popular web services like Microsoft Outlook, DocuSign, and Google Docs to trick you into freely giving up your credentials.

We recently discussed how cybercriminals target mid- to low-level employees in multi-stage spear phishing campaigns where attackers will impersonate your colleague, partner, or customer via email. The intention is often to steal your credentials in order to successfully commit fraud against you. Now, we are seeing an extremely large volume of web service impersonation email threats, where attackers cunningly impersonate popular web services such as Microsoft Outlook, DocuSign and Google Docs to entice victims into logging into fake websites and ultimately giving up their credentials.

Evolving sly cyber fraud tactics

This rise in web service impersonation attacks involves placing a link to a web page that prompts employees to log in; however, they are actually sacrificing their credentials to criminals instead of logging in.

From there, when the unsuspecting victim clicks on the link and is directed to a fake sign-in page, they will provide attackers with their username and password without knowing they have done anything out of the ordinary. After stealing the credentials, the attackers will typically use them to remotely log into the user’s Office 365 or other email accounts and use this as a launching point for other spear phishing attacks. At this point, it becomes even more difficult to detect attackers at work because they will send additional emails to other employees or external partners, trying to entice those recipients to click on a link or transfer money to a fraudulent account.

Traditional email security fails to detect this attack

Unfortunately, these web services impersonation email attacks are not detected by existing email security solutions for several reasons:

  • The links used are typically zero-day where a unique link is sent to each recipient. They never appear on any security blacklists.
  • In many cases, the links included in messages lead to a legitimate website, where the attacker has maliciously inserted a sign in page, and the domain and IP reputation will appear legitimate.
  • Link protection technologies such as “safe links” will not protect against these links. Since the link just leads to a sign-in page and does not download any malicious viruses, the user will follow the “safe link” and will still enter the user name and password.

Therefore, even with traditional email security technologies enabled, there is nothing preventing the user from providing their credentials to the cunning attacker. The best hope for protecting users from this type of email-borne impersonation attack is to enable artificial intelligence technologies and to provide training that raises awareness of these types of attacks.

Artificial intelligence security can save the day

AI can be taught to automatically detect and quarantine these emails. In this case, an AI security solution can recognize how a normal email from a popular web service looks based on the signals in the email metadata and body. Here is an example:

You would expect emails from Facebook to come from messages@facebook.com and include a link to facebook.com. It is very unlikely that you would receive a legitimate email from john@facebook.mydomain.com with a link to sdfsdf.co.uk. Even if the sdfsdf.co.uk link has a high reputation and does not appear on any blacklists, within the context of an email from Facebook it is extremely unlikely to be legitimate. An AI engine can spot this discrepancy despite the link being reputable and prevent the email from reaching any end users. This is vital as it is guaranteed that someone in your organization will eventually fall for this bait.
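The discrepancy described above can be shown with a simple static rule. This is an added example, not code from the author or from Barracuda, and it is a fixed heuristic rather than a learned model; the `BRAND_DOMAINS` allow-list, the function names and the two sample messages are assumptions constructed for illustration, and bodies are assumed to be unencoded plain text.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: brand keyword -> domains that brand legitimately uses.
BRAND_DOMAINS = {"facebook": {"facebook.com"}, "docusign": {"docusign.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def belongs_to(host, domains):
    """True only if host is one of the domains or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw):
    """Return findings where the claimed brand disagrees with sender or links."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    claimed = f"{display} {addr} {msg.get('Subject', '')}".lower()
    # Collect every leaf part; payloads are assumed not to be base64/QP encoded.
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in claimed:
            continue  # message does not claim to be from this brand
        if not belongs_to(sender_host, domains):
            findings.append(f"sender {sender_host} is not a {brand} domain")
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            # Reputation is irrelevant here: the link only has to match the brand.
            if not belongs_to(host, domains):
                findings.append(f"link {host} is not a {brand} domain")
    return findings

# Constructed sample messages mirroring the article's Facebook example.
PHISH = ("From: Facebook <john@facebook.mydomain.com>\nSubject: New login\n\n"
         "Confirm your account: https://sdfsdf.co.uk/login\n")
LEGIT = ("From: Facebook <messages@facebook.com>\nSubject: New login\n\n"
         "Review activity: https://www.facebook.com/settings\n")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, check_message(raw) or "no findings")
```

The suffix comparison is what separates `www.facebook.com` from `facebook.mydomain.com`: a brand name appearing as a left-hand label of someone else's domain does not make the host part of the brand's domain.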

Security training is required for all

Historically, security and awareness training were reserved for executives and high-risk individuals within an organization, but now cybercriminals know this. We have seen an immense rise in the targeting of low- and mid-level employees who are not trained to sniff out spam and possible email threats. With 90 percent of attacks starting with an email-borne threat, it is imperative that every single employee from the CEO on down is trained and tested regularly on their ability to spot suspicious behavior.

Organizations must plan for email threats such as these and many others, train all of their employees, test them on the latest email threats, and work to ensure everyone is a security advocate. Traditional email security will not catch these threats, and not every employee will delete the email, so incorporating a holistic risk prevention strategy with the latest email security technologies such as artificial intelligence and regular security training will best prepare you for the next threat tactic cybercriminals use to try to steal your information.

Contributor

Asaf Cidon is Vice President, Content Security Services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Barracuda Sentinel utilizes artificial intelligence to learn the unique communications patterns inside customer organizations to identify anomalies and guard against these personalized attacks.

Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team.

Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.

The opinions expressed in this blog are those of Asaf Cidon, Barracuda Networks and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.