
How We Were(n’t) Phished
Even for a security product company, phishing emails are a regular occurrence. Most are easily caught by filters. But every so often, one slips through—and when it does, we learn from it.
Recently, one such phishing email made it past our email security defenses and landed in our co-founder’s inbox. Upon receiving it, they promptly forwarded it to our threat research team. What followed was a deep dive into an attempted attack that leveraged trusted platforms and advanced evasion tactics. Below is a breakdown of what we uncovered, including how the phishing attempt operated, why it matters, and what others can learn from it.
The Phishing Email, BEC
This phishing email came from a legitimate-looking domain, one that was registered over 35 years ago and has a good reputation—details likely intended to increase trust and reduce suspicion. We suspect the sender's email address was obtained through a prior business email compromise (BEC) attack.
The sender’s name showed as “HR|DEPARTMENT”, and the subject line referenced financial incentives: “1st Quarter Profit Sharing Plan & Salary Increase 2025 (401k) Ref: XXXXXXXXX”.
Including a reference number is a tactic we’ve observed before—it can make an email feel more official, and, if the number is unique, it can be used to track recipients if the content is shared or uploaded to security analysis platforms.

At the bottom of the email were two notable features:
- An embedded image of a man in a suit labeled <a_user’s_name>.jpg, which a reverse image search shows is of someone in the real estate industry—possibly linked to the sending domain, though the connection is unclear. The name of the JPG also differs from the user name in the email address.
- A dense legal-style footer including “Confidentiality” and “IMPORTANT” notices warning about email-based fraud and prohibiting sharing or distributing the message—another layer intended to appear professional and dissuade scrutiny.

We are unsure if the above two features are part of the user’s regular email footer or were added by the attacker to appear more professional and trustworthy.
The body of the email included a prominent button labeled “Review Bonus.pdf,” but rather than linking to an actual PDF, the button redirected users to a DocSend page.

DocSend: Another Abused Platform
The email’s “Review” button linked to a document hosted on DocSend—a legitimate service, owned by Dropbox, often used for securely sharing documents. The intermediary phishing page mimicked the look and structure of a DocuSign e-sign notification. It also displayed messages like “Secure Document Notification” and “Signed Agreement—Secure File”, with a button labeled “Access Document.”
We’ve seen platforms like DocSend increasingly abused in this intermediary role, serving as a trustworthy-looking bridge between phishing emails and credential theft attempts.

Legitimate CAPTCHA: A Common Evasion Technique
Clicking “Access Document” led to a .ru domain that displayed a legitimate hCaptcha challenge on an otherwise empty page. While fake CAPTCHAs are commonly used in phishing, legitimate ones like this are also employed to:
- Slow down automated analysis
- Give users a false sense of security
- Hide the next step of the phishing chain from automated scanning tools

Phishing for Google Credentials…and More?
After passing the CAPTCHA, users were taken to a convincing-looking Google login page—a complete fake.

Behind the scenes, we found heavily obfuscated JavaScript. One layer used a Caesar shift cipher, followed by a base64-encoded string over 149,000 characters long. We're still dissecting the full purpose of the code, but what’s clear is that this phishing page has web proxying behaviors and contains several anti-analysis techniques designed to detect and react to security tooling and analyst behavior.
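To illustrate how an analyst peels a layer like the one described above, here is an added example (not Keep Aware's code, and not the script from the phishing page): it brute-forces the Caesar shift applied to a base64 string, decodes each candidate, and keeps the one that yields mostly printable text. The sample payload and its shift value (7) are constructed for this example; the real page's shift and payload are not reproduced here. It assumes Node.js for `Buffer`.

```javascript
// Added example (not Keep Aware's code): recover a Caesar-shifted, base64-encoded
// layer. The sample payload and the shift value 7 are constructed for this example.

const B64_RE = /^[A-Za-z0-9+/]*={0,2}$/;

// Rotate only the letters of a base64 string by `shift`, keeping case,
// digits, '+', '/' and '=' untouched. Shifting by -k undoes shifting by k.
function caesarShift(text, shift) {
  const k = ((shift % 26) + 26) % 26;
  return text.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + k) % 26) + base);
  });
}

// Fraction of bytes that are printable ASCII or common whitespace.
function printableRatio(buf) {
  if (buf.length === 0) return 0;
  let ok = 0;
  for (const b of buf) {
    if ((b >= 0x20 && b <= 0x7e) || b === 0x0a || b === 0x0d || b === 0x09) ok++;
  }
  return ok / buf.length;
}

// Try every shift, base64-decode each candidate and keep the one whose output
// looks most like text (a decoded script should be almost entirely printable).
function unwrapCaesarBase64(obfuscated) {
  let best = { shift: null, score: -1, text: null };
  for (let shift = 0; shift < 26; shift++) {
    const candidate = caesarShift(obfuscated, -shift);
    if (!B64_RE.test(candidate) || candidate.length % 4 !== 0) continue;
    const decoded = Buffer.from(candidate, 'base64');
    const score = printableRatio(decoded);
    if (score > best.score) best = { shift, score, text: decoded.toString('latin1') };
  }
  return best;
}

// Used only to build the constructed sample: base64-encode, then Caesar-shift.
function wrapCaesarBase64(plain, shift) {
  return caesarShift(Buffer.from(plain, 'latin1').toString('base64'), shift);
}

// Constructed sample: a stand-in for the next-stage text, wrapped with shift 7.
const SAMPLE_PLAIN = "var next = 'https://example.invalid/stage2'; // constructed second-stage placeholder";
const SAMPLE_OBFUSCATED = wrapCaesarBase64(SAMPLE_PLAIN, 7);

const result = unwrapCaesarBase64(SAMPLE_OBFUSCATED);
console.log(`shift=${result.shift} printable=${result.score.toFixed(2)}`);
console.log(result.text);
```

The printable-ratio heuristic is enough to single out the right shift because every wrong shift decodes to effectively random bytes, of which only about 38% fall in the printable range; on a payload the size of the one in this campaign the gap is overwhelming. The same loop can be re-run on the output if the next layer turns out to be wrapped the same way.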

Anti-Analysis Measures
This phishing campaign didn’t stop at obfuscation. The fake Google page included numerous anti-analysis defenses, including:
- Conditional redirection to a blank page: The page checked for signs of automation or security analysis—such as navigator.webdriver (indicates whether the user agent is controlled by automation), window.callPhantom, or window._phantom (which would indicate the presence of PhantomJS, a headless browser automation tool)—and redirected to a blank page if found. It did the same for browser user agents tied to the Burp Suite tool.
- Disabling inspection tools: The context menu (opened via a right-click) and keyboard shortcuts for opening developer tools were disabled.
- Debugger detection and subsequent redirection: If someone attempted to open the browser’s debugger, the page would redirect to the real Google login page—a double-edged sword for attackers, as it can potentially delay inspection, but it definitely raises a bright red “I’m malicious” flag.
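The defenses listed above are all visible in the page's script once it is deobfuscated, which makes them useful triage signals. The following is an added example (not Keep Aware's code) of a static scan that flags those markers in a captured script and reports where each first appears. The rule set and the sample script are constructed for this example and only model the behaviours described in this post; the regular expressions are deliberately loose and are meant to prioritise a page for manual review, not to prove it malicious.

```javascript
// Added example (not Keep Aware's code): static triage of a page's JavaScript for
// the anti-analysis markers described above. Rules and sample are constructed.

const ANTI_ANALYSIS_RULES = [
  { id: 'automation-check', why: 'tests for WebDriver/PhantomJS automation',
    re: /navigator\.webdriver|window\.callPhantom|window\._phantom|\b_phantom\b/ },
  { id: 'tool-ua-check', why: 'inspects the user agent for security tooling',
    re: /(\bburp\b[^\n]*userAgent|userAgent[^\n]*\bburp\b)/i },
  { id: 'blank-redirect', why: 'sends suspected analysts to an empty page',
    re: /location\.(href|replace)\s*[=(]\s*['"]about:blank['"]/ },
  { id: 'contextmenu-block', why: 'disables the right-click menu',
    re: /['"]contextmenu['"][\s\S]{0,120}preventDefault/ },
  { id: 'devtools-keys', why: 'suppresses developer-tools shortcuts',
    re: /['"]keydown['"][\s\S]{0,200}(F12|keyCode\s*===?\s*123|ctrlKey[\s\S]{0,40}shiftKey)/ },
  { id: 'debugger-trap', why: 'times a `debugger` statement to detect an attached debugger',
    re: /\bdebugger\b[\s\S]{0,200}(Date\.now|performance\.now)|(Date\.now|performance\.now)[\s\S]{0,200}\bdebugger\b/ },
];

// One finding per matching rule, with the 1-based line where the match starts.
function scanForAntiAnalysis(source) {
  const findings = [];
  for (const rule of ANTI_ANALYSIS_RULES) {
    const m = rule.re.exec(source);
    if (!m) continue;
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ id: rule.id, line, why: rule.why });
  }
  return findings;
}

// Constructed sample modelled on the behaviours described in the post
// (not the campaign's actual script).
const SAMPLE_SCRIPT = `
if (navigator.webdriver || window.callPhantom || window._phantom) {
  location.replace('about:blank');
}
if (/burp/i.test(navigator.userAgent)) { location.replace('about:blank'); }
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
document.addEventListener('keydown', function (e) {
  if (e.key === 'F12' || (e.ctrlKey && e.shiftKey && e.key === 'I')) e.preventDefault();
});
setInterval(function () {
  var t = Date.now(); debugger;
  if (Date.now() - t > 100) { location.href = 'https://accounts.google.com/'; }
}, 1000);
`;

const findings = scanForAntiAnalysis(SAMPLE_SCRIPT);
for (const f of findings) console.log(`line ${f.line}: ${f.id} (${f.why})`);
console.log(`${findings.length}/${ANTI_ANALYSIS_RULES.length} anti-analysis indicators matched`);
```

Run it over the deobfuscated script rather than the raw page source: the Caesar and base64 layers described earlier exist precisely so that simple string matching on the delivered page finds nothing. A page that matches several of these rules while presenting a login form is a strong candidate for blocking at the browser layer.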

Evidence of a Phishing Campaign
Our analysis suggests this was not an isolated incident. Through VirusTotal, we discovered an .eml file of a similar phishing email—one that also referenced 1st quarter financial bonuses and included a DocSend URL.
This indicates a broader campaign affecting multiple organizations—not just us.


The DocSend URL from that second sample (shown above) resolves to a DocSend document that is different from, but strikingly similar to, the one in our attempted phishing. That DocSend page also leads to the same malicious .ru domain, but on a different subdomain.

Conclusion
This attempted attack is a reminder that phishing may start in your inbox, but it’s carried out on the wild wild web—where attackers have far more free rein to deceive, evade, and exploit. Legitimate emails are being exploited. Trusted web platforms are being repurposed. CAPTCHAs—fake and legitimate—are part of the ruse. And attackers are using anti-analysis and obfuscation techniques—all to bypass detections, exploit trust, and gain business-critical credentials.
In this case, our teammate escalated the phishing email to our research team and caused no damage. But when we receive such attempted threats, we take the opportunity to test our detections against them, close any visibility and detection gaps, and ensure our customers’ browser interfaces are protected. By sharing what we saw, we hope to help others recognize similar phishing tactics against their organization.
Stay up to date with the latest threat posts and browser security news from Keep Aware