Attackers are abusing the electronic agreement management company DocuSign to send phishing links and documents.

Inside the Phishing Attempt

First, a malicious actor registers a free account with DocuSign or compromises another user’s account. They then upload a file to the account.

Next, the attacker sends a DocuSign envelope to their target. The recipient, in turn, receives an email invitation from DocuSign. It prompts them to review and sign an electronic document by clicking on a hyperlinked ‘View Document’ button.

The email evades detection because it’s technically clean. DocuSign’s servers host the phishing link, thus allowing it to successfully land in a recipient’s inbox.

The process for signing a document is the same as with a legitimate file. The only difference is that clicking on the link redirects the recipient. They land on a phishing site designed to steal their login credentials for Dropbox, Microsoft and other services.

This technique works because PDFs, Word documents and other types of files in DocuSign retain their clickability up through the finished page. (DocuSign converts other types of uploaded document files into static PDFs to stop attacks.) A signer can then access the link and/or embedded files when they’re given the option to download the file — even if those resources are malicious.

In another method, an attacker could use a steganography attack. With this, they can spoof one of those supported file types to deliver a malware payload.

Recent DocuSign-Themed Campaigns

The attack described above stands out for its abuse of DocuSign’s platform. But there are plenty of attacks where phishers have faked the service to prey on unsuspecting users.

Back in August 2019, for instance, researchers uncovered a campaign targeting users across multiple verticals. The attack used stolen DocuSign branding. They sent victims to a phishing landing page designed to steal their Office 365 credentials.

DocuSign itself uncovered a phishing operation in April 2021. The attackers sent out fake envelopes from “” addresses. Unlike the attack described above, the emails did not originate from DocuSign.

In September, the service revealed a campaign where attackers hid malicious URLs in legitimate DocuSign envelopes. Those emails mainly came from the domain’s email[.]com and co[.]za. They used subject lines like ‘Bank Confirmation’ and ‘INVOICE.pdf’.

How to Defend Against Phishing Attacks Involving DocuSign

Users can protect themselves against phishing attacks spoofing DocuSign by not opening suspicious email attachments. In addition, consider hovering over embedded links to view the destination of those URLs. Access documents directly from DocuSign’s website. Organizations can build all of these considerations into their security awareness training programs.

At the same time, organizations might consider investing in an email security solution. This can help to scan incoming messages for malicious links and payloads. Such a tool could help to defend against attacks that seek to abuse services like DocuSign.

More from News

Protecting Against Remote Monitoring and Management Phishing

3 min read - You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall,…

3 min read

$10.3 Billion in Cyber Crime Losses Shatters Previous Totals

4 min read - The introduction of the most recent FBI Internet Crime Report says, “At the FBI, we know ‘cyber risk is business risk’ and ‘cybersecurity is national security.’” And the numbers in the report back up this statement. The FBI report details more than 800,000 cyber crime-related complaints filed in 2022. Meanwhile, total losses were over $10 billion, shattering 2021's total of $6.9 billion, according to the bureau’s Internet Crime Complaint Center (IC3). Top Five Cyber Crime Types In the past five…

4 min read

HHS Releases Hospital Cyber Resiliency Landscape Analysis

4 min read - On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This landmark analysis reports on domestic hospitals’ current state of cybersecurity preparedness. The scope of the HHS study was limited to activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data were considered only if the breach had a direct…

4 min read

Zombie APIs are a Top Security Concern as API Attacks Surge 400%

4 min read - Organizations of all sizes rely on application programming interfaces (APIs). The API explosion has been driven by several factors, including cloud computing, demand for mobile/web applications, microservices architecture and the API economy as a business model. APIs enable developers to access data remotely, integrate with other services, build modular applications and monetize their data/services. For enterprises that participated in a recent research study, the average number of APIs per organization was 15,564. Large enterprises (over 10,000 employees) had an average…

4 min read