Ready to sharpen your SOC skills? In this hands-on challenge, you’ll analyze a real phishing attack that impersonated DocuSign to steal user credentials.
This is part of our Real Threats → Real SOC Skills series — your space to build job-ready cyber defense skills through real-world incidents.
Why This Matters
Most cyberattacks start with phishing. Spotting the warning signs is a critical line of defense for a SOC (Security Operations Center) analyst.
Your Mission
Act like a junior SOC analyst. You’ve been handed a suspicious DocuSign email. Your task: inspect the message, catch the red flags, and respond like a pro.
Time to complete: 30–40 minutes
Skill Areas: Email analysis, phishing detection, user response
Your Progress Tracker
▢ 1. Spot the Urgency Trick
▢ 2. Analyze the Sender
▢ 3. Inspect the Link
▢ 4. SOC Knowledge Check
Total: 4 Tasks
Copy-Paste Answer Template
### 📝 My SOC Challenge Submission
**1. Urgency Clue (Email Body)**
- 🚩 Red flag phrase: ___
- 🧠 Why it’s suspicious: ___
**2. Sender Check (Email Header)**
- ❌ Suspicious domain: ___ (e.g., docus1gn.com)
- ✅ Real DocuSign domain: ___
- 🔍 Is Webflow a legitimate sender? Why/why not: ___
**3. Link Analysis**
- 🔗 Suspicious URL: ___
- 🧪 VirusTotal result (if used): ___
- ⚠️ Why this domain is risky: ___
---
### 🧠 Knowledge Check
1. **Email Authentication**: What 3 email “ID cards” did the phishing message fake or pass?
2. **CAPTCHA Trick**: Why is “Click any 4 images” suspicious?
3. **If You Clicked the Link**: What 4 steps should you take right away?
4. **SOC Response to a Colleague**: How would you reply to a teammate who asked, “Is this email legit?”
5. **Bonus**: Explain this phishing scam in 1–2 sentences to a non-technical friend.
Task 1: Spot the Urgency Trick
Skill Area: Recognizing urgency and emotional manipulation
Spot the Urgency Trick
“Your document expires in 24 hours! Click here to sign now.”
Why it’s suspicious:
- Real companies rarely give 24-hour deadlines
- Hackers use panic to trick people into rushing
Task 2: Analyze the Sender
Skill Area: Identifying spoofed senders
Sample header:
Return-Path: <[email protected]>
From: "DocuSign Support" <[email protected]>
Reply-To: [email protected]
Received: from mail.smtp.webflow.io (smtp.webflow.io. [192.168.1.1])
What to notice:
- docus1gn.com uses a 1 instead of an “i” → typosquatting
- Legit domains look like secure.docusign.com
- Webflow is a design tool — not where real DocuSign emails come from
Task 3: Inspect the Link
Skill Area: Detecting malicious links
Phishing link:
https://docusign-review.webflow.io/view
Manual Red Flags:
- Subdomain mismatch: docusign-review.webflow.io ≠ docusign.com
- Webflow is legit, but easily abused for hosting fake pages
Optional: Scan with VirusTotal and share results!
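The sender and link checks from Task 2 and Task 3 can be turned into a small triage script. This is an added example, not part of the original challenge; the sample message is constructed from the task's header and link (the mailbox names are placeholders, since the post redacts them), and the "last two labels" rule for the registrable domain is a simplification that ignores the public-suffix list.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (Task 2 header, Task 3 link); local parts are placeholders.
SAMPLE_EMAIL = """\
Return-Path: <noreply@docus1gn.com>
From: "DocuSign Support" <support@docus1gn.com>
Reply-To: support@docus1gn.com
Received: from mail.smtp.webflow.io (smtp.webflow.io. [192.168.1.1])

Your document expires in 24 hours: https://docusign-review.webflow.io/view
"""

LEGIT_DOMAINS = {"docusign.com"}             # registrable domains DocuSign mails from
DIGIT_SWAPS = str.maketrans("1035", "ioes")  # digit-for-letter swaps typosquatters use


def classify_domain(host):
    """legit | typosquat | brand-lure (brand only in a subdomain) | not-docusign."""
    host = host.lower().rstrip(".")
    # Registrable domain = last two labels; simplification, no public-suffix list.
    reg = ".".join(host.split(".")[-2:])
    if reg in LEGIT_DOMAINS:
        return "legit"
    if reg.translate(DIGIT_SWAPS) in LEGIT_DOMAINS:
        return "typosquat"
    if any(legit.split(".")[0] in host.translate(DIGIT_SWAPS) for legit in LEGIT_DOMAINS):
        return "brand-lure"
    return "not-docusign"


def header_domain(value):
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower() if m else None


def analyze_email(raw):
    """Return red-flag strings for the sender headers, relay host and body links."""
    msg = message_from_string(raw)
    flags = []
    for header in ("From", "Return-Path", "Reply-To"):
        dom = header_domain(msg.get(header))
        if dom and (verdict := classify_domain(dom)) != "legit":
            flags.append(f"{header} {dom}: {verdict}")
    received = (msg.get("Received") or "").split()
    if len(received) > 1 and classify_domain(received[1]) != "legit":
        flags.append(f"relayed via {received[1]}: not DocuSign infrastructure")
    for url in re.findall(r"https?://\S+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if (verdict := classify_domain(host)) != "legit":
            flags.append(f"link {host}: {verdict}")
    return flags
```

Running `analyze_email(SAMPLE_EMAIL)` flags all three sender headers as typosquats, the Webflow relay as non-DocuSign infrastructure, and the link as a brand lure hosted on webflow.io.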
Task 4: SOC Knowledge Check
This section checks how well you understood the threat and article.
- Email Auth Checks
  In the article, the phishing email passed several email security tests.
  Question: What three authentication checks did it pass?
- CAPTCHA Confusion
  Attackers used a fake CAPTCHA that said “Click any 4 images.”
  Question: Why is that suspicious?
- Response Steps
  You accidentally clicked a suspicious link like sjw.ywmzoebuntt.es.
  Question: What are the four steps you should take immediately?
- SOC User Support
  A coworker forwards this email asking, “Is this real?”
  Question: How would you respond as a SOC analyst?
Bonus: In 1–2 sentences, explain this phishing attack to a non-technical friend.
Share Your Results & Ask Questions
Post your answers below in the thread — you’ll get feedback and can compare with others.
Top submissions will be featured in our next update!
Feel free to ask questions if you’re stuck or need clarification!
Keep Going: Master Phishing Detection
Ready to Level Up Your Phishing Skills? Dive deeper into every aspect of phishing analysis with our dedicated Phishing Training Hub.
It’s a constantly growing resource packed with:
- Structured learning paths from beginner to advanced.
- Free and affordable tools used by SOC analysts.
- Hands-on labs and interactive quizzes.
- Real-world case studies and expert tips.
Glossary Support
Need help with a term? See the Cybersecurity Glossary for simple definitions.
Want more challenges like this?
Check out the full Real Threats → Real SOC Skills Tracker for past entries.
Don’t miss out — Join the Newsletter
Want the next labs, skill breakdown, solutions, and summit picks in your inbox?
Join the Crushing Security Newsletter