The Zoho Sign Request That Passed Every Check Except the Reply-To: Government Impersonation via E-Sign Infrastructure

A high-severity phishing campaign abused Zoho Sign's authenticated delivery to send convincing document-signing requests that used a legitimate Zoho sender and links but contained a deceptive Reply-To/in-message sender ([email protected]) tied to an unverifiable domain; the report provides IOCs, behavioral detection rationale, and MITRE mappings highlighting credential harvesting and impersonation.