Incident Report: DocuSign Impersonated Email Leads to Utility’s Spoofed Login Portal

Over the weekend, WaterISAC received a report that a utility’s Single Sign On (SSO) portal had been replicated and was hosted on a dynamic DNS URL with a [.]ru top-level domain. The incident began with the receipt of a DocuSign impersonated email that led to the utility’s spoofed login portal. WaterISAC thanks the utility for taking the time to share this incident. Members are encouraged to login to the WaterISAC portal for more details.