Attackers are abusing the electronic agreement management company DocuSign to send phishing links and documents.

Inside the Phishing Attempt

First, a malicious actor registers a free account with DocuSign or compromises another user’s account. They then upload a file to the account.

Next, the attacker sends a DocuSign envelope to their target. The recipient, in turn, receives an email invitation from DocuSign. It prompts them to review and sign an electronic document by clicking on a hyperlinked ‘View Document’ button.

The email evades detection because it’s technically clean. DocuSign’s servers host the phishing link, thus allowing it to successfully land in a recipient’s inbox.

The process for signing a document is the same as with a legitimate file. The only difference is that clicking on the link redirects the recipient. They land on a phishing site designed to steal their login credentials for Dropbox, Microsoft and other services.

This technique works because PDFs, Word documents and other types of files in DocuSign retain their clickability up through the finished page. (DocuSign converts other types of uploaded document files into static PDFs to stop attacks.) A signer can then access the link and/or embedded files when they’re given the option to download the file — even if those resources are malicious.

In another method, an attacker could use a steganography attack. With this, they can spoof one of those supported file types to deliver a malware payload.

Recent DocuSign-Themed Campaigns

The attack described above stands out for its abuse of DocuSign’s platform. But there are plenty of attacks where phishers have faked the service to prey on unsuspecting users.

Back in August 2019, for instance, researchers uncovered a campaign targeting users across multiple verticals. The attack used stolen DocuSign branding. They sent victims to a phishing landing page designed to steal their Office 365 credentials.

DocuSign itself uncovered a phishing operation in April 2021. The attackers sent out fake envelopes from “” addresses. Unlike the attack described above, the emails did not originate from DocuSign.

In September, the service revealed a campaign where attackers hid malicious URLs in legitimate DocuSign envelopes. Those emails mainly came from the domain’s email[.]com and co[.]za. They used subject lines like ‘Bank Confirmation’ and ‘INVOICE.pdf’.

How to Defend Against Phishing Attacks Involving DocuSign

Users can protect themselves against phishing attacks spoofing DocuSign by not opening suspicious email attachments. In addition, consider hovering over embedded links to view the destination of those URLs. Access documents directly from DocuSign’s website. Organizations can build all of these considerations into their security awareness training programs.

At the same time, organizations might consider investing in an email security solution. This can help to scan incoming messages for malicious links and payloads. Such a tool could help to defend against attacks that seek to abuse services like DocuSign.

More from News

New Survey Shows Burnout May Lead to Attrition

For many organizations and the cybersecurity industry as a whole, improving retention and reducing the skills gap is a top priority. Mimecast’s The State of Ransomware Readiness 2022: Reducing the Personal and Business Cost points to another growing concern — burnout that leads to attrition. Without skilled employees, organizations cannot protect their data and infrastructure from increasing cybersecurity attacks. According to Mimecast’s report, 77% of cybersecurity leaders say the number of cyberattacks against their company has increased or stayed the…

Alleged FBI Database Breach Exposes Agents and InfraGard

Recently the feds suffered a big hack, not once, but twice. First, the FBI-run InfraGard program suffered a breach. InfraGard aims to strengthen partnerships with the private sector to share information about cyber and physical threats. That organization experienced a major breach in early December, according to a KrebsOnSecurity report. Allegedly, the InfraGard database — containing contact information of over 80,000 members — appeared up for sale on a cyber crime forum. Also, the hackers have reportedly been communicating with…

Google Ad Scam Makes Millions Using Fake Adult-Only Sites

An advertising fraud scheme that utilized Google Ads and “pop-unders” on adult websites generated estimated millions of ad impressions on stolen content. The campaign was reported by Malwarebytes on December 20, and the scam raked in an estimated $275,000 per month for the perpetrators. Alerted to the scam, Google shut down the fraudulent activity for violating the company’s policies prohibiting the use of Google Ads on adult sites. A pop-under is a type of advertisement that appears behind an open…

Third-Party Risk Contributes to Healthcare Data Breaches

Since 2009, the number of individuals affected by health data breaches in the U.S. has exceeded the country’s population of 331.9 million. As per federal statistics, this means many people have been victims of more than one incident. Unfortunately, the situation seems to be growing worse. In just the last three years, the volume and frequency of breaches have nearly doubled, from 368 in 2018 to 715 in 2021. And during the first half of 2022, the number of data…