DocuSign Phish Weaponizes Google Maps as a Redirect Proxy to Amazon S3
ID: ddcfeb7f-9cac-51cd-9491-35ab7fc199d3
STIX ID: report--ddcfeb7f-9cac-51cd-9491-35ab7fc199d3
Feed Name: IRONSCALES
A high-fidelity DocuSign-themed phishing email targeted an employee at a mid-size technology company by embedding a legitimate forwarded legal thread to dilute detection; the visible CTA used maps.google.be as a redirect to an Amazon S3-hosted credential harvesting page. The message originated via a Kagoya-hosted mailserver with malformed headers, SPF passing for the envelope domain, absent DKIM, and heuristic DMARC handling; IRONSCALES flagged the anomalous sender and CTA-destination mismatch before user interaction. Indicators include the Google Maps redirect URL, the S3 bucket URL, sender domain lcivy.co.jp, and two source IPs.
