TL;DR Attackers sent a convincing DocuSign notification with a "Review & Sign" button that chained through Google Maps redirects to an Amazon S3-hosted credential harvesting page. The redirect chain defeated URL scanners, and real law-firm footers added legitimacy. IRONSCALES Adaptive AI flagged the behavioral mismatch between sender infrastructure and brand identity before the first click.      Severity: High  Credential Harvesting  Brand Impersonation  MITRE: T1566.002  MITRE: T1598.003    The "Review & Sign" button looked exactly like every DocuSign notification you've ever received. Same blue branding, same layout, same urgency. But the button didn't point to DocuSign. It pointed to Google Maps > then to Amazon S3 > then to a credential harvesting page that looked close enough to a Microsoft login to fool anyone moving fast.  A Redirect Chain Built to Dodge Scanners  The email arrived at a mid-size financial services firm on a Monday morning, formatted as a forwarded legal document awaiting signature. The body included realistic law-firm footers, a bank reference, and multiple legitimate links — all designed to make the one malicious link blend in.  That malicious link: a mapsgooglebe redirect that resolved to a public S3 bucket hosting an HTML page at bucket-secure-cdn-cdn-media-statics3us-east-1amazonawscom/abouthtml. The page mimicked a Microsoft 365 login.  The redirect chain is the whole game here. URL scanners check the first domain, Google, and stop. The S3 destination isn't evaluated until someone clicks, and by then, the scanner has already marked it safe.       Attack Flow       DocuSign Lure Email   →   Google Maps Redirect   →   Amazon S3 HTML Page   →   Credential Harvest     See Your Risk: Calculate how many threats like this your gateway is missing  Why the Gateway Gave It a Pass  Email authentication didn't help. SPF passed, the sending server was legitimately authorized by the envelope domain, a small Japanese web services company with no connection to DocuSign. No DKIM signature. DMARC returned a best-guess pass.  So the email arrived with clean authentication, a trusted redirect domain (Google), and a hosting provider (AWS) that no blocklist is going to flag broadly. The attacker's infrastructure looked legitimate at every checkpoint.          Check   Result   Why It Didn't Help            SPF   Pass ✓   Sending server was authorized - by the wrong domain        DKIM   None   No signature to validate        DMARC   Best-guess Pass   No DMARC record  - receiver inferred "pass"        URL Scan   Safe ✓   Only scanned first hop (Google domain)        IRONSCALES Adaptive AI caught what the static checks missed: the behavioral mismatch between the sender's domain infrastructure (a Japanese web hosting provider) and the claimed identity (DocuSign). Combined with community-reported patterns matching the same S3 bucket across three other organizations, the platform quarantined the message within 90 seconds of delivery, before any recipient clicked.  Your Takeaway  If your email security relies on URL reputation at the first hop, redirect-chain attacks will sail through. Ask your security team: does our scanning follow redirects to the final destination? If the answer is "sometimes" or "I'm not sure" - that's the gap attackers are counting on.  Get a Demo: See how IRONSCALES detects redirect-chain phishing in real time

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

A phishing attack targeting a financial services firm used a convincing DocuSign impersonation email to chain redirects through Google Maps to an Amazon S3-hosted Microsoft 365 credential harvesting page. The attack bypassed standard email security checks: SPF passed via an unrelated Japanese domain, DKIM was absent, DMARC inferred a pass, and URL scanners only evaluated the first hop (Google). The multi-redirect chain is specifically designed to exploit this scanner limitation. IRONSCALES Adaptive AI detected the behavioral mismatch between the sender's infrastructure and DocuSign's brand identity, quarantining the message within 90 seconds. The key takeaway for security teams is to verify whether their URL scanning follows redirects all the way to the final destination.

The DocuSign Email That Wasn’t – A Three-Redirect Credential Harvest