DocuSign Plus Invoice: A 12-Day-Old Domain and an esvalabs Redirect Chain That Scanners Missed
ID: cb383750-2c1d-5638-919e-1ef71131990e
STIX ID: report--cb383750-2c1d-5638-919e-1ef71131990e
Feed Name: IRONSCALES
A high-severity phishing campaign combined a dual pretext (a DocuSign notification plus an invoice thread) with a clean PDF attachment to lend legitimacy, and used a multi-hop redirect chain via urlsand.esvalabs.com to deliver credential-harvesting pages. The sender domain, twitterbugg.com, was a 12-day-old, privacy-protected registration sending authenticated email through Amazon SES. Themis quarantined the messages after identifying the converging suspicious signals.
