DocuSign Impersonation Wave Leveraging Real-Time LogoKit Customization
Group-IB has identified a sustained wave of DocuSign impersonation campaigns that use real-time page customization to deliver highly convincing credential-harvesting attacks. The campaigns abuse the trust users place in widely adopted business platforms by closely mimicking legitimate DocuSign document-notification emails: messages are professionally formatted, address recipients by their login names, and frequently spoof sender addresses to resemble the victim’s own organization, giving the appearance of an internal workflow. Rather than relying on static phishing kits, the threat actors deploy LogoKit, a dynamic phishing framework that assembles fake login pages at request time from victim-specific data. This lets attackers scale operations rapidly while keeping a high degree of authenticity, which significantly increases the likelihood of user interaction during routine business activity. The attack chain exploits permissive email authentication configurations and trusted cloud infrastructure to evade traditional defenses. The emails commonly fail SPF checks and carry a Reply-To header pointing to an unrelated domain or a public email provider, yet can still reach inboxes where the receiving gateway does not act on the failure, typically because the spoofed domain publishes no DMARC policy or only a monitoring (p=none) policy. Embedded links redirect victims through IPFS gateways or AWS S3 buckets, passing the target’s email address as a URL parameter that LogoKit uses to construct a customized login portal on the fly. Visual elements, including background screenshots and favicons, are fetched in real time from legitimate services, so the phishing page closely resembles the victim’s actual authentication environment.
Effective mitigation requires strict enforcement of SPF, DKIM, and DMARC, continuous monitoring of cloud-hosted phishing infrastructure, and time-of-click analysis capable of detecting credential-harvesting behavior at the moment of user interaction.
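The header and link traits described above can be checked mechanically at the gateway or in a SOAR playbook before a user ever clicks. The Python below is an added example written for this digest, not code from Group-IB or from the report: the sample message is constructed, its hostnames use the reserved .invalid TLD, and the IPFS/S3 hosting heuristics and indicator names are assumptions chosen for illustration rather than anything the report specifies.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample (not a real capture). It carries the traits the report
# describes: From spoofs the recipient's own domain, SPF fails, Reply-To points
# at an unrelated provider, and the link is an IPFS gateway URL that passes the
# victim's address as a query parameter for LogoKit to personalise the page.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.com; spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com
From: DocuSign <notifications@example.com>
To: alice@example.com
Reply-To: docs-reply@mail-provider.invalid
Subject: Completed: Q3 Vendor Agreement
Content-Type: text/plain

Alice, please review and sign: https://ipfs-gateway.invalid/ipfs/CIDPLACEHOLDER/index.html?email=alice@example.com
"""

def _domain(addr_header):
    """Lower-cased domain part of an address header, '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def _auth_result(auth_results, method):
    """Result token for one method in an Authentication-Results header,
    e.g. 'fail' from 'spf=fail (...)'; 'none' if the method is not present."""
    m = re.search(rf"\b{method}=(\w+)", auth_results or "")
    return m.group(1).lower() if m else "none"

def suspicious_hosting(url):
    """Heuristic (assumed for this example) for the hosting patterns in the report:
    IPFS links carry /ipfs/ or /ipns/ in the path; S3-hosted pages sit under an
    amazonaws.com host whose name contains 's3'."""
    p = urlparse(url)
    host = p.hostname or ""
    if p.path.startswith(("/ipfs/", "/ipns/")):
        return "ipfs-gateway"
    if host.endswith("amazonaws.com") and "s3" in host:
        return "aws-s3"
    return None

def email_in_query(url):
    """True if any query-string value is an email address."""
    for values in parse_qs(urlparse(url).query).values():
        if any(EMAIL_RE.match(v) for v in values):
            return True
    return False

def triage(raw):
    """Return the indicator names found in a raw RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw)
    hits = []
    from_dom = _domain(msg.get("From"))
    to_dom = _domain(msg.get("To"))
    reply_dom = _domain(msg.get("Reply-To"))
    ar = msg.get("Authentication-Results", "")

    if _auth_result(ar, "spf") == "fail":
        hits.append("spf-fail")
    if _auth_result(ar, "dmarc") == "fail":
        hits.append("dmarc-fail")
    if from_dom and from_dom == to_dom:
        hits.append("sender-spoofs-recipient-domain")
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to-mismatch")

    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace") if body else ""
    for url in URL_RE.findall(text):
        hosting = suspicious_hosting(url)
        if hosting:
            hits.append(f"link-{hosting}")
        if email_in_query(url):
            hits.append("email-in-url-parameter")
    return hits
```

A single indicator (an SPF fail, a Reply-To on a public provider) is common in legitimate mail; the combination of an authentication failure on the recipient's own domain plus a link that carries the recipient's address to third-party storage is what separates this wave from noise, so a rule should score the list rather than alert on any one entry.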
Chinese Tap-to-Pay Malware Ecosystem Enables Remote NFC Payment Fraud at Scale
Researchers have uncovered a mature, rapidly expanding ecosystem of NFC-enabled Android malware, commonly referred to as Ghost Tap, that is being developed, marketed, and sold within Chinese cybercrime communities on Telegram. These tools let threat actors remotely relay NFC communications between a victim’s bank card or mobile wallet and attacker-controlled devices, so fraudulent tap-to-pay transactions are conducted as if the physical card were present. Multiple malware variants, including TX-NFC, X-NFC, NFU Pay, and PhantomCard, have been observed, with over 54 distinct APK samples identified, many masquerading as legitimate financial or utility applications. Victims are primarily targeted through smishing and vishing campaigns that coerce them into sideloading malicious APKs and tapping their payment cards on infected devices, at which point payment data is relayed in real time through attacker-operated command-and-control infrastructure. The operational model extends beyond individual victim targeting and incorporates professionalized cash-out mechanisms and mule networks. Stolen NFC payment data is monetized using illicitly obtained point-of-sale terminals advertised directly within Telegram channels affiliated with malware vendors, with Group-IB documenting at least $355,000 in fraudulent transactions tied to a single POS vendor between November 2024 and August 2025. In parallel, some actors preload compromised cards into mobile wallets and deploy global mule networks to conduct in-person purchases, a tactic corroborated by multiple international arrests and advisories from law enforcement, financial institutions, and payment networks. Technically, these applications build on Android’s NFC and host-based card emulation (HCE) features, relay the ISO 7816 APDU commands and responses exchanged between card and terminal over WebSocket or MQTT channels, and employ obfuscation and custom builds tailored to regional fraud operations.
Organizations and users can reduce exposure to NFC-based tap-to-pay fraud by restricting application installation to official app stores, disabling NFC when not in use, enforcing mobile device management and fraud monitoring controls, and rapidly flagging anomalous contactless transactions indicative of relay attacks.
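Of the controls listed above, flagging anomalous contactless transactions is the one an issuer's fraud team can implement directly on its own data: a relayed tap shows up as a card-present transaction at a terminal the cardholder could not physically have reached, usually followed by a short burst of further taps at the cash-out terminals. The Python below is an added illustration written for this digest, not code from the researchers, Group-IB or any payment network; the transaction log is constructed, and the thresholds (maximum plausible travel speed, burst window and merchant count) are assumed values that a real system would tune against its own baseline.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for this example; a production system tunes these per portfolio.
MAX_SPEED_KMH = 1000.0            # faster than this between two card-present taps is not travel
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 3                   # distinct merchants inside the window that trigger a flag

# Constructed transaction log (not real data). Fields mirror what an issuer's
# authorisation stream exposes: card token, UTC timestamp, merchant id,
# terminal coordinates, amount, and whether the terminal reported a contactless read.
TRANSACTIONS = [
    # card A: ordinary local spending in London, two taps hours apart
    {"card": "A", "ts": "2025-03-01T09:05:00", "merchant": "cafe-01", "lat": 51.5074, "lon": -0.1278, "amount": 4.20, "contactless": True},
    {"card": "A", "ts": "2025-03-01T12:40:00", "merchant": "lunch-02", "lat": 51.5155, "lon": -0.1410, "amount": 11.50, "contactless": True},
    # card B: one legitimate tap in London, then minutes later three taps at
    # terminals in Singapore, the pattern a relayed card produces at cash-out
    {"card": "B", "ts": "2025-03-01T10:00:00", "merchant": "shop-07", "lat": 51.5074, "lon": -0.1278, "amount": 9.99, "contactless": True},
    {"card": "B", "ts": "2025-03-01T10:12:00", "merchant": "pos-mule-1", "lat": 1.3521, "lon": 103.8198, "amount": 480.00, "contactless": True},
    {"card": "B", "ts": "2025-03-01T10:14:00", "merchant": "pos-mule-2", "lat": 1.3521, "lon": 103.8198, "amount": 495.00, "contactless": True},
    {"card": "B", "ts": "2025-03-01T10:17:00", "merchant": "pos-mule-3", "lat": 1.3521, "lon": 103.8198, "amount": 470.00, "contactless": True},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def flag_relay_candidates(transactions):
    """Return {card: [reasons]} for cards whose contactless history shows
    impossible travel between consecutive taps or a burst of taps at
    distinct merchants inside BURST_WINDOW."""
    by_card = defaultdict(list)
    for t in transactions:
        if t["contactless"]:
            by_card[t["card"]].append(dict(t, ts=datetime.fromisoformat(t["ts"])))

    flags = {}
    for card, txs in by_card.items():
        txs.sort(key=lambda t: t["ts"])
        reasons = []
        # 1. impossible travel: distance / elapsed time exceeds any real journey
        for prev, cur in zip(txs, txs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if km > 1.0 and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                reasons.append(f"impossible-travel:{prev['merchant']}->{cur['merchant']}")
        # 2. burst: several distinct merchants within a short window
        for i, start in enumerate(txs):
            window = [t for t in txs[i:] if t["ts"] - start["ts"] <= BURST_WINDOW]
            merchants = {t["merchant"] for t in window}
            if len(merchants) >= BURST_COUNT:
                reasons.append(f"burst:{len(merchants)}-merchants-in-{BURST_WINDOW.seconds // 60}m")
                break
        if reasons:
            flags[card] = reasons
    return flags
```

Both heuristics work on authorisation data the issuer already has; neither needs the terminal to implement relay-resistance timing. The burst rule is what catches the cash-out phase even when the victim has no recent legitimate transaction to anchor an impossible-travel comparison.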
Phishing Actors Exploit Mail Routing and Misconfigured Protections to Impersonate Internal Senders
Microsoft Threat Intelligence has identified a growing wave of phishing campaigns that abuse complex mail routing scenarios and improperly configured spoofing protections to deliver emails that appear to originate from inside victim organizations. These messages evade user suspicion by using the organization’s own domain in both the sender and recipient fields, creating the illusion of legitimate internal communication. The technique has been increasingly adopted by phishing-as-a-service platforms, most notably Tycoon2FA, to distribute credential-harvesting lures at scale. The campaigns are opportunistic rather than targeted, affecting organizations across multiple industries with themes including voicemails, HR notices, shared documents, and password expiration alerts. Unlike traditional spoofing, this activity does not rely on lookalike domains or compromised accounts; instead, it exploits gaps in email routing logic and enforcement. While Microsoft blocks the majority of these attempts, misconfigurations allow a subset of messages to reach inboxes or spam folders where users may still interact with them. The attack vector primarily affects tenants whose MX records do not point directly to Microsoft 365 and who have not enforced strict SPF, DKIM, and DMARC policies. In these environments, authentication failures may be detected but not acted upon because of permissive policy settings or incorrectly configured third-party connectors, allowing spoofed messages to be delivered. Threat actors use this weakness to conduct both credential phishing and financial scams, including fake invoice fraud and business email compromise-style payment requests. The emails often route victims through trusted services, such as Google-hosted URLs or custom CAPTCHA pages, before landing on Tycoon2FA phishing infrastructure designed to bypass MFA via adversary-in-the-middle techniques.
Organizations can reduce exposure by enforcing SPF hard-fail and DMARC reject policies, auditing all mail connectors and routing paths, and adopting phishing-resistant MFA to limit the impact even if credentials are exposed.
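To make the enforcement point above concrete: DMARC only credits an SPF or DKIM pass when the authenticated domain aligns with the visible From domain, and what happens to a failing message depends entirely on the p= tag the domain owner publishes, which is why a detected failure under p=none still lands in the inbox. The Python below is an added example written for this digest, not Microsoft's code or part of the report; it evaluates a message's DMARC disposition against a record and reads the qualifier on an SPF record's all mechanism. The organisational-domain logic is simplified to the last two labels (a real evaluator uses the public suffix list), and every domain, record and authentication result shown is constructed.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    """What the receiving gateway knows about one message after SPF/DKIM checks."""
    header_from: str   # domain in the visible RFC 5322 From header
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC 5321 MAIL FROM domain that SPF was evaluated for
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned

def parse_dmarc(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag -> value,
    filling in the RFC 7489 defaults (relaxed) for the alignment modes."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Organisational domain, simplified to the last two labels for this example.
    Assumption: real evaluators consult the public suffix list instead."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: 's' requires an exact match,
    'r' (relaxed) only requires the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_disposition(record_txt, r):
    """Return (dmarc_result, action). A message passes if it has an aligned SPF
    pass or an aligned DKIM pass; otherwise the action is whatever p= says."""
    tags = parse_dmarc(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.header_from, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", actions.get(tags.get("p", "none").lower(), "deliver")

def spf_all_qualifier(spf_txt):
    """Qualifier on the SPF 'all' mechanism: '-' hard fail, '~' soft fail,
    '?' neutral, '+' pass. A record with no 'all' term is treated as neutral."""
    for term in spf_txt.split():
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return "?"

# Constructed scenario: a lure whose From header carries the tenant's own domain.
# SPF fails (the sending host is not authorised) and the message is unsigned,
# so the outcome depends entirely on the policy the tenant publishes.
SPOOFED_INTERNAL = AuthResult("example.com", "fail", "example.com", "none", "")

MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

def demo():
    """The same spoofed message under both policies: p=none delivers it, p=reject drops it."""
    return {
        "p=none": dmarc_disposition(MONITOR_ONLY, SPOOFED_INTERNAL),
        "p=reject": dmarc_disposition(ENFORCED, SPOOFED_INTERNAL),
    }
```

The alignment logic also explains why auditing connectors matters: a third-party mailer that sends with its own envelope domain will pass SPF for itself but fail alignment for the tenant, so under p=reject its legitimate mail is dropped unless it signs with the tenant's DKIM key. Moving to p=reject therefore has to be paired with fixing every such route, and a hard-fail SPF record (-all) only bites when the receiving side actually acts on it.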