When Traditional Defenses Fail: How Keepnet’s AI Agent Detected a Real Phishing Attack in My Inbox
A highly targeted phishing attack disguised as a DocuSign agreement bypassed 98 security engines, Gmail Business, Safari, and Microsoft Defender—yet Keepnet’s AI-powered Incident Responder immediately flagged and neutralized it. Discover how AI-driven detection exposes sophisticated threats when traditional defenses fail.
Phishing attacks are evolving faster than many of today’s traditional security tools can keep up. This isn’t a theoretical concern—it happened in my own inbox. As the CEO of Keepnet, I received a highly targeted phishing email disguised as a DocuSign agreement addendum, designed to trick me into clicking and signing a fraudulent contract.
Please check the video below, where I exposed the DocuSign phishing email.
Here’s what makes this case so important:
The Failure of Conventional Defenses
Despite multiple layers of enterprise-grade protection, this phishing email slipped through:
- VirusTotal (98 engines): None of the engines flagged the email or its embedded links as malicious.
- Gmail Business (Google Workspace): The message landed directly in my primary inbox—no warnings, no banners.
- Apple Safari: When testing the embedded links, Safari failed to detect or block the malicious redirect chain.
- Microsoft Defender: Did not identify the payload or classify the email as a threat.
This is exactly how many organizations get breached. The assumption that “someone else’s technology will stop it” creates a blind spot—until it’s too late.


What Happened Next: Keepnet’s Incident Responder
Fortunately, our own platform was monitoring. Keepnet’s Incident Responder, powered by its AI Agent, immediately flagged the email as malicious.
The AI Agent didn’t just scan for known signatures or hash values. Instead, it analyzed the intent and behavior:
- The impersonation of DocuSign branding.
- The use of my own name and company to increase trust.
- The suspicious redirect chain hidden behind the “Review & Sign” button.
- The business-context lure (“Addendum to Service Agreement”) designed for urgency.
While other tools looked for yesterday’s malware fingerprints, our AI Agent understood today’s deception tactics.
Why This Matters in the Real World
This isn’t just my story—it reflects a global reality.
- Attackers know how to bypass security tools. They carefully craft phishing emails to appear legitimate, often using compromised or low-reputation domains that pass SPF/DKIM/DMARC.
- Most defenses are reactive. By the time traditional tools update their detection databases, attackers have already moved on.
- Executives are prime targets. As this case shows, attackers use contract and legal lures to target leadership teams where the stakes—and the potential financial impact—are highest.
Keepnet’s Visionary Solution
At Keepnet, we built Incident Responder with AI Agents precisely for this challenge:
- AI-powered threat detection: Goes beyond signatures and heuristics, analyzing the context and psychology of phishing.
- Enterprise-wide protection: Once a malicious email is confirmed, Incident Responder can scan, remove, or quarantine the same threat across all inboxes instantly.
- Business-focused defense: We don’t just protect mailboxes—we protect decision-makers, supply chains, and the bottom line.
Header Analysis
- From Address: ozan@nifty.com
  - Appears to impersonate your own name, but from the domain nifty.com (a Japanese ISP/mail service), not your corporate domain (keepnetlabs.com).
  - Strong indicator of spoofing / impersonation attempt.
- To Address: ozan@keepnetlabs.com
  - Targeted directly at you, a spear-phishing characteristic.
- Authentication Results:
  - SPF: Pass
  - DKIM: Pass
  - DMARC: Pass
  - This means the email was legitimately sent through nifty.com servers, but not from your organization. Attackers often register or compromise such accounts to bypass basic security checks.
- Subject Line: “Complete: Addendum to Keepnetlabs_Service Agreement for Review”
  - Urgent, business-related, mimicking contractual or DocuSign workflows. Classic phishing lure.
Body & Content Analysis
- Brand Abuse:
  - The email header prominently shows “DocuSign” styling, but the sender is not DocuSign.
  - A fake DocuSign impersonation attempt.
- Call to Action:
  - “Review & Sign” button is designed to look legitimate.
  - Uses a redirected URL:
    - Primary link: https://click.convertkit-mail2.com/... (a mailing service)
    - Redirects to: https://rennoco.eversign.com/...
    - This mix of multiple redirectors (ConvertKit → suspicious subdomain → Eversign lookalike) is a high-risk red flag.
- Deceptive Wording:
  - “Requested by your contact on behalf of Keepnetlabs” — attacker tries to create trust by referencing your company.
  - “Do not share this email” — discourages scrutiny, another social engineering tactic.
Phishing Indicators
This highly targeted attack was a stark reminder that conventional defenses are often no match for today's sophisticated threats. Here are phishing indicators you need to watch:
- Lookalike Sender: Using nifty.com to mimic your identity.
- Brand Impersonation: Fake DocuSign formatting.
- Suspicious Redirects: Link obfuscation via ConvertKit → rennoco.eversign.com.
- Urgency & Business Context: Legal contract “Addendum” lure.
- Direct Targeting: Sent specifically to your corporate inbox.
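The header and body indicators above can be expressed as a triage check over a single message. This is an added example, not Keepnet's Incident Responder and not code from the original article; the sample message is constructed from the values quoted in the analysis, and `BRAND_DOMAINS`, `triage` and the finding names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: addresses, subject, link host and quoted phrases come from
# the analysis above; the Authentication-Results layout and the HTML are assumed.
SAMPLE = """\
From: ozan@nifty.com
To: ozan@keepnetlabs.com
Subject: Complete: Addendum to Keepnetlabs_Service Agreement for Review
Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass

<h1>DocuSign</h1>
<p>Requested by your contact on behalf of Keepnetlabs. Do not share this email.</p>
<a href="https://click.convertkit-mail2.com/...">Review &amp; Sign</a>
"""

# Assumed allow-list of domains each brand really sends from and links to.
BRAND_DOMAINS = {"docusign": ("docusign.com", "docusign.net")}

def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    msg = message_from_string(raw)
    body = msg.get_payload().lower()
    from_local, _, from_dom = parseaddr(msg["From"])[1].lower().partition("@")
    to_local, _, to_dom = parseaddr(msg["To"])[1].lower().partition("@")
    auth = dict(re.findall(r"(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "").lower()))
    hosts = [urlparse(u).hostname for u in re.findall(r'href="([^"]+)"', body)]
    findings = []
    # Same mailbox name as the recipient, but sent from outside the recipient's domain.
    if from_local == to_local and from_dom != to_dom:
        findings.append("recipient-name-on-external-domain")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in body and not in_domains(from_dom, domains):
            findings.append(f"{brand}-branding-from-unrelated-sender")
        if brand in body and any(h and not in_domains(h, domains) for h in hosts):
            findings.append(f"{brand}-branding-links-elsewhere")
    if "do not share this email" in body:
        findings.append("secrecy-request")
    # A full pass only proves the mail came from from_dom; it must not clear the findings.
    if findings and all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        findings.append("authenticated-but-suspicious")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The check inspects only the first-hop link host and makes no network requests, so the redirect target has to be resolved separately in a sandbox.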
Risk Assessment
Now, I'll explore the essential process of assessing potential risks.
- Likelihood: High — This is not generic spam, but a tailored spear-phishing email.
- Impact if Clicked: Could lead to credential harvesting, malware delivery, or unauthorized signing of fraudulent documents.
- Trust Level: Do NOT trust — treat as a phishing attempt.
Final Thought
This was a real phishing attempt against me, not a lab simulation. It bypassed 98 threat intelligence engines, slipped into Gmail Business, evaded Safari and Microsoft Defender—yet was immediately caught by Keepnet’s Incident Responder.
That’s why we believe human risk management and AI-driven incident response are the future of cybersecurity. Because when everything else fails, you need a defense that understands both the attacker’s playbook and the human side of the equation.