The DocuSign That Lived on an S3 Bucket (and Couldn't Decide Who Sent It)

**Executive Summary:** A credential-harvesting phishing campaign impersonated DocuSign using a compromised Georgia K‑12 Google Workspace account that passed SPF/DKIM/DMARC; the malicious "Review Document" CTA pointed to an attacker-controlled AWS S3 bucket hosting a fake signing page, and IRONSCALES' behavioral AI flagged and quarantined the messages — the report includes IoCs, MITRE mappings, and remediation guidance.