Fake DocuSign Emails: Don’t Get Hooked by Phishing Scams


Cybersecurity researchers from Cado Security Labs have uncovered a troubling trend of phishing attacks targeting DocuSign users. These campaigns exploit the trust and convenience associated with electronic signature platforms to deceive individuals into divulging sensitive credentials.

DocuSign phishing attacks often masquerade as legitimate emails, complete with official branding and formats that closely mimic genuine DocuSign communications. Typically, the emails claim a document is awaiting the recipient’s signature, urging them to click a link to access it. However, this link redirects users to malicious websites designed to steal their credentials.

As the report notes, “Frequently, DocuSign phishing campaigns will use legitimate compromised email accounts to send the phishing emails, in an effort to pass Domain Messaging Authentication Record and Conformance (DMARC) checks.” One alarming trend involves the use of compromised Japanese business emails, which are less likely to trigger spam filters compared to domains from regions like Nigeria or Russia.

The report delves into technical details of a recent phishing campaign. One email, with the subject line “BIYH-QPVSW-3617 is ready for your review,” appeared to originate from a Japanese domain, @anabuki-enter.co.jp. It contained a “Review Document” button that linked to a legitimate marketing service, possibly used to track user interactions before redirecting to a phishing site. Another email thread included a legitimate exchange between companies to increase its authenticity, ultimately leading victims to a malicious website hosting obfuscated JavaScript code.
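The traits described above (DocuSign branding, a sender domain that passes DMARC because the mailbox is genuinely compromised, and a "Review Document" link on a third-party host) can be checked mechanically at triage time. The following Python function is an added example, not code from Cado Security Labs; the allow-listed DocuSign domains, the finding labels and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains treated as genuine DocuSign senders and link hosts.
DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")

def _is_docusign(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOCUSIGN_DOMAINS)

def triage(raw):
    """Return findings for a message that uses DocuSign branding."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    if "docusign" not in f"{display} {msg.get('Subject', '')} {body}".lower():
        return []  # not DocuSign-branded; out of scope for this check
    findings = []
    if not _is_docusign(sender_domain):
        findings.append(f"brand-sender-mismatch:{sender_domain}")
    urls = re.findall(r'https?://[^\s"\'<>]+', body)
    hosts = {urlparse(u).hostname for u in urls}
    for host in sorted(h for h in hosts if h and not _is_docusign(h)):
        findings.append(f"non-docusign-link:{host}")
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    # A DMARC pass only proves the sending domain authorised the mail;
    # it says nothing about whether that mailbox is compromised.
    if findings and re.search(r"\bdmarc=pass\b", auth, re.I):
        findings.append("dmarc-pass-not-exculpatory")
    return findings

# Constructed sample: DocuSign-branded mail sent from an unrelated domain.
SAMPLE = """\
From: "DocuSign via Accounts" <keiri@example.co.jp>
To: user@example.org
Subject: Invoice 3617 is ready for your review
Authentication-Results: mx.example.org; dmarc=pass header.from=example.co.jp
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Sent with DocuSign.</p>
<a href="https://click.tracker.example.net/r?id=1">Review Document</a>
"""
```

The function returns an empty list for mail that is not DocuSign-branded or whose sender and links all sit under the allow-listed domains, so a non-empty result is a prompt for manual review rather than a verdict.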

[Figure: DocuSign phishing attack. Source: Cado Security Labs]

The malicious script utilized base64 encoding to execute various checks and comparisons, ultimately redirecting users to a fake login page designed to steal credentials. One such page even included a Google Workspace login interface with a CAPTCHA check to enhance credibility.

DocuSign phishing campaigns are not isolated incidents but a systemic issue. The credentials stolen in these attacks can be used for Business Email Compromise (BEC) scams or sold on underground marketplaces. As highlighted in the report, “Threat actors on marketplaces sell phishing templates for various services, including DocuSign and Office365, to be used in business-to-business (B2B) scams.”

Tara Gould from Cado Security Labs underscores, “To protect against such phishing attempts, it is crucial to be cautious when receiving unsolicited DocuSign emails, especially when they ask for urgent action.”
