🚨 Challenge #1: Phishing Analysis – DocuSign Impersonation

Ready to sharpen your SOC skills? In this hands-on challenge, you’ll analyze a real phishing attack that impersonated DocuSign to steal user credentials.

This is part of our Real Threats → Real SOC Skills series — your space to build job-ready cyber defense skills through real-world incidents.

:police_car_light: Why This Matters

Most cyberattacks start with phishing. Spotting the signs of a phishing email is a critical line of defense for a SOC (Security Operations Center) analyst.


:test_tube: Your Mission

Act like a junior SOC analyst. You’ve been handed a suspicious DocuSign email. Your task: inspect the message, catch the red flags, and respond like a pro.

:stopwatch: Time to complete: 30–40 minutes
:brain: Skill Areas: Email analysis, phishing detection, user response


:white_check_mark: Your Progress Tracker

▢ 1. Spot the Urgency Trick
▢ 2. Analyze the Sender
▢ 3. Inspect the Link
▢ 4. SOC Knowledge Check
:brain: Total: 4 Tasks

:memo: Copy-Paste Answer Template

### 📝 My SOC Challenge Submission  

**1. Urgency Clue (Email Body)**  
- 🚩 Red flag phrase: ___  
- 🧠 Why it’s suspicious: ___  

**2. Sender Check (Email Header)**  
- ❌ Suspicious domain: ___ (e.g., docus1gn.com)  
- ✅ Real DocuSign domain: ___  
- 🔍 Is Webflow a legitimate sender? Why/why not: ___  

**3. Link Analysis**  
- 🔗 Suspicious URL: ___  
- 🧪 VirusTotal result (if used): ___  
- ⚠️ Why this domain is risky: ___  

---

### 🧠 Knowledge Check  

1. **Email Authentication**: What 3 email “ID cards” did the phishing message fake or pass?  
2. **CAPTCHA Trick**: Why is “Click any 4 images” suspicious?  
3. **If You Clicked the Link**: What 4 steps should you take right away?  
4. **SOC Response to a Colleague**: How would you reply to a teammate who asked, “Is this email legit?”  
5. **Bonus**: Explain this phishing scam in 1–2 sentences to a non-technical friend.



:magnifying_glass_tilted_left: Task 1: Spot the Urgency Trick

Skill Area: Recognizing urgency and emotional manipulation

:one: Spot the Urgency Trick

“Your document expires in 24 hours! Click here to sign now.”

:small_blue_diamond: Why it’s suspicious:

  • Real companies rarely give 24-hour deadlines
  • Hackers use panic to trick people into rushing

:detective: Task 2: Analyze the Sender

Skill Area: Identifying spoofed senders

Sample header:

Return-Path: <[email protected]> 
From: "DocuSign Support" <[email protected]> 
Reply-To: [email protected] 
Received: from mail.smtp.webflow.io (smtp.webflow.io. [192.168.1.1])

What to notice:

  • docus1gn.com uses a 1 instead of an “i” → typosquatting
  • Legit domains look like secure.docusign.com
  • Webflow is a design tool — not where real DocuSign emails come from
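The header checks above can be automated. The script below is an added example, not code from the original post: it parses a raw header block, pulls the domains out of From, Reply-To and Return-Path, picks the relay host from the Received line, and flags a typosquatted From domain by normalising digits back to the letters they imitate (1 → i, 0 → o, and so on). The sample header is constructed for the example; the mailbox names are an assumption because the post shows them obfuscated, and the allowlist of genuine DocuSign domains is deliberately short.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header modelled on the one in Task 2. The mailbox names
# (support@...) are an assumption, since the original post shows them
# obfuscated; docus1gn.com and smtp.webflow.io are the domains the task discusses.
SAMPLE_HEADER = """\
Return-Path: <support@docus1gn.com>
From: "DocuSign Support" <support@docus1gn.com>
Reply-To: support@docus1gn.com
Received: from mail.smtp.webflow.io (smtp.webflow.io. [192.168.1.1])
Subject: Your document expires in 24 hours

"""

BRAND = "docusign"
# Registrable domains treated as genuine for this example (assumed allowlist;
# a production check would use the organisation's verified sender list).
LEGIT_DOMAINS = {"docusign.com"}

# Digits commonly swapped for look-alike letters in typosquatted domains.
HOMOGLYPHS = str.maketrans({"1": "i", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. secure.docusign.com -> docusign.com.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(header_value) -> str:
    """Domain part of an address header (From:, Reply-To:, Return-Path:)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like_brand(domain: str) -> bool:
    """True when a non-genuine domain reads as the brand once digits are
    normalised to letters (docus1gn.com -> docusign.com) or embeds the brand."""
    if not domain or registrable_domain(domain) in LEGIT_DOMAINS:
        return False
    return BRAND in domain.lower().translate(HOMOGLYPHS)


def analyse_header(raw_header: str) -> dict:
    """Extract sender-related fields and return the red flags found."""
    msg = message_from_string(raw_header)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return_domain = domain_of(msg["Return-Path"])
    # Host named in the first Received: line, e.g. mail.smtp.webflow.io
    match = re.search(r"from\s+([\w.-]+)", msg["Received"] or "")
    relay_host = match.group(1).lower() if match else ""

    findings = []
    if from_domain and registrable_domain(from_domain) not in LEGIT_DOMAINS:
        findings.append(f"From domain {from_domain} is not a genuine {BRAND} domain")
    if looks_like_brand(from_domain):
        findings.append(f"From domain {from_domain} is a look-alike of {BRAND}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain")
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain} differs from From domain")
    if relay_host and from_domain and registrable_domain(relay_host) != registrable_domain(from_domain):
        findings.append(f"Relay {relay_host} is not operated by the From domain")

    return {
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        "return_domain": return_domain,
        "relay_host": relay_host,
        "findings": findings,
        "verdict": "suspicious" if findings else "no sender red flags",
    }


if __name__ == "__main__":
    result = analyse_header(SAMPLE_HEADER)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

The relay check is a heuristic: plenty of genuine senders hand mail to a third-party relay, so treat a relay mismatch as a reason to read the Authentication-Results header rather than as proof on its own. The look-alike check only covers digit substitutions; Unicode homoglyphs and added or dropped letters need a fuller comparison such as an edit-distance test against the brand name.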

:link: Task 3: Inspect the Link

Skill Area: Detecting malicious links

Phishing link:
https://docusign-review.webflow.io/view

Manual Red Flags:

  • Subdomain mismatch: docusign-review.webflow.io ≠ docusign.com
  • Webflow is legit, but easily abused for hosting fake pages
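The point of the "subdomain mismatch" flag is that the brand name sits in a subdomain while the registrable domain (the part that decides who owns the site) belongs to someone else. The script below is an added example, not code from the original post: it splits a URL, works out the registrable domain, and reports the red flags an analyst would check by hand, including a bare-IP host and an `@` in the authority part. The genuine brand domain and the list of abused hosting platforms are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

BRAND = "docusign"
BRAND_DOMAIN = "docusign.com"  # genuine registrable domain (assumed for the example)

# Legitimate site builders / free hosting platforms that anyone can publish on
# and that are therefore popular for hosting fake login pages (assumed list).
ABUSED_HOSTING = {"webflow.io"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (ignores multi-label suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True when the host is a raw IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_url(url: str) -> dict:
    """Return the hostname, its registrable domain and the red flags found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host) if host and not is_ip_literal(host) else host
    findings = []

    # Brand name in the hostname, but the registrable domain is somebody else's.
    if BRAND in host and reg != BRAND_DOMAIN:
        findings.append(f"'{BRAND}' in hostname but registrable domain is {reg}, not {BRAND_DOMAIN}")
    if reg in ABUSED_HOSTING:
        findings.append(f"{reg} is a free hosting platform where anyone can publish a page")
    if is_ip_literal(host):
        findings.append(f"host is a bare IP address ({host}) rather than a domain name")
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if "@" in parts.netloc:
        findings.append("'@' in the authority: the browser ignores everything before it")
    if BRAND in parts.path.lower() and reg != BRAND_DOMAIN:
        findings.append(f"'{BRAND}' appears in the path of a non-{BRAND} site")

    return {
        "host": host,
        "registrable_domain": reg,
        "findings": findings,
        "verdict": "suspicious" if findings else "no URL red flags",
    }


if __name__ == "__main__":
    # The link from Task 3
    report = inspect_url("https://docusign-review.webflow.io/view")
    print(report["registrable_domain"], report["verdict"])
    for finding in report["findings"]:
        print(" -", finding)
```

The two-label shortcut for the registrable domain is fine for `.com` and `.io` but breaks on suffixes such as `co.uk`; for real triage, resolve the registrable domain with a Public Suffix List library. A clean result here only means the URL itself shows no structural red flags; what the page does after loading still needs a sandbox or a reputation lookup such as VirusTotal.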

:wrench: Optional: Scan with VirusTotal and share results!


:brain: Task 4: SOC Knowledge Check

This section checks how well you understood the threat and article.

  1. Email Auth Checks
    In the article, the phishing email passed several email security tests.
    Question: What three authentication checks did it pass?

  2. CAPTCHA Confusion
    Attackers used a fake CAPTCHA that said “Click any 4 images.”
    Question: Why is that suspicious?

  3. Response Steps
    You accidentally clicked a suspicious link like sjw.ywmzoebuntt.es.
    Question: What are the four steps you should take immediately?

  4. SOC User Support
    A coworker forwards this email asking, “Is this real?”
    Question: How would you respond as a SOC analyst?

:light_bulb: Bonus: In 1–2 sentences, explain this phishing attack to a non-technical friend.


:speech_balloon: Share Your Results & Ask Questions

:speaking_head: Post your answers below in the thread — you’ll get feedback and can compare with others.
:trophy: Top submissions will be featured in our next update!

Feel free to ask questions if you’re stuck or need clarification!


:rocket: Keep Going: Master Phishing Detection

Ready to Level Up Your Phishing Skills? Dive deeper into every aspect of phishing analysis with our dedicated Phishing Training Hub.

It’s a constantly growing resource packed with:

  • :books: Structured learning paths from beginner to advanced.
  • :hammer_and_wrench: Free and affordable tools used by SOC analysts.
  • :test_tube: Hands-on labs and interactive quizzes.
  • :light_bulb: Real-world case studies and expert tips.

:blue_book: Glossary Support

Need help with a term? See the Cybersecurity Glossary for simple definitions.


:pushpin: Want more challenges like this?

Check out the full Real Threats → Real SOC Skills Tracker for past entries.

:bell: Don’t miss out — Join the Newsletter

Want the next labs, skill breakdown, solutions, and summit picks in your inbox?

:right_arrow: Join the Crushing Security Newsletter

