While it isn’t necessarily a novel tactic to utilize legitimate resources to aid in phishing campaigns, it is an effective one. Often when an end-user receives a phishing email from a legitimate source such as Adobe Sign, it makes them much more likely to fall for it as many users don’t know how to properly identify a phishing email. Many times, training around phishing states to look for things such as a suspicious title, suspicious sender, or mistakes in the email itself, which a tactic such as the one seen used here avoids. The best defense against a phishing campaign such as this would be to ensure that end-users are educated not only on common ways to identify phishing emails, but on more sophisticated techniques as well. This could be done through either quarterly education, or through internal phishing tests over the course of the year utilizing these new tactics.
https://www.bleepingcomputer.com/news/security/adobe-acrobat-sign-abused-to-push-redline-info-stealing-malware/
