The Growing Threat of Docusign Phishing Attacks
Summary:
Cado Security Labs recently uncovered a DocuSign spear-phishing campaign targeting tech executives. These campaigns mimic authentic DocuSign communications, luring recipients to input their credentials on fraudulent websites. The phishing emails typically claim that a document requires the recipient’s signature and provide a link that redirects to a credential-stealing site. Stolen credentials are then used for further attacks, such as business email compromise scams or sold on underground marketplaces.
A notable tactic in these campaigns involves using compromised Japanese business email accounts to send phishing emails. This approach leverages the high reputation of Japanese domains, making them less likely to trigger spam filters compared to domains like .ng or .ru. In one instance, an email with the subject “BIYH-QPVSW-3617 is ready for your review” appeared to originate from a Japanese email domain and included a “Review Document” button redirecting users to a link hosted on a legitimate marketing service. The link, though down during analysis, may have been used for tracking email engagement or redirecting to a phishing site. Another email used a legitimate email thread between companies to make the phishing attempt more convincing, directing victims to a malicious site with obfuscated JavaScript code designed to mimic a Google Workspace login page.
The phishing script in these campaigns uses base64 encoding and a series of conditional statements to deliver its payload. It checks the current page URL against the phishing domain, executing code if they match. The final payload includes an HTML form designed to steal user credentials under the guise of a legitimate login page. Users who interact with the fake page are redirected to another phishing site, which was down during analysis but likely aimed to harvest further credentials.
Analyst Comments:
These campaigns exploit the trusted reputation of DocuSign to deceive users. Threat actors often embed realistic branding, compromised email accounts, and fake email threads to enhance the legitimacy of their attacks. The stolen credentials are repurposed for BEC scams, sold on dark web marketplaces, or used in broader phishing operations.
Suggested Corrections:
To protect against such phishing attempts, it is crucial to be cautious when receiving unsolicited DocuSign emails, especially when they ask for urgent action. Users should always:
- Mark emails that don’t pass SPF, DKIM and/or DMARC as spam / suspicious.
- Educate employees on how to spot phishing emails and actions to take when they identify one.
- Verify the sender’s actual email address and don’t rely on the display name (alias) that mail clients show.
- Avoid clicking links or opening attachments on unsolicited emails.
- Enable 2FA (2-Factor Authentication) on all accounts.
- Verify through your DocuSign account whether the document is legitimate, by logging into DocuSign directly and opening it under Documents or by using the Access Code. DocuSign Verify can be used to validate the e-signature.
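One way to automate the SPF/DKIM/DMARC and sender-verification checks from the list above, as an added example that is not part of the Cado Security write-up: parse a constructed message modelled on the campaign, read the Authentication-Results header stamped by the receiving MTA, and flag a DocuSign display name on a non-DocuSign sending domain as well as links that point outside DocuSign's domains. The sample addresses, the marketing host and the exact header layout are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real capture): DocuSign branding in the
# display name, a From address on an unrelated .jp domain, a DMARC failure
# recorded by the receiving MTA, and a "Review Document" link on a marketing host.
SAMPLE_EML = """\
From: "DocuSign Electronic Signature" <accounts@example-corp.jp>
To: ceo@example.com
Subject: BIYH-QPVSW-3617 is ready for your review
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-corp.jp; dkim=none; dmarc=fail header.from=example-corp.jp
Content-Type: text/html

<html><body><a href="https://tracking.example-marketing.net/r/abc">Review Document</a></body></html>
"""

BRAND_WORDS = ("docusign",)
BRAND_DOMAINS = ("docusign.com", "docusign.net")  # assumed list of legitimate sending/link domains

def is_brand_domain(host):
    """True only for the brand domain itself or a subdomain of it (not 'evil-docusign.com')."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from Authentication-Results; a missing method counts as 'none'."""
    header = msg.get("Authentication-Results", "")
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header)
        verdicts[method] = m.group(1).lower() if m else "none"
    return verdicts

def score_message(raw):
    """Return a list of findings; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = [f"{m} {v}" for m, v in auth_results(msg).items() if v != "pass"]
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower()
    if any(w in display_name.lower() for w in BRAND_WORDS) and not is_brand_domain(from_domain):
        findings.append(f"display name claims DocuSign but From domain is {from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href in re.findall(r'href="([^"]+)"', html):
        host = urlparse(href).hostname or ""
        if not is_brand_domain(host):
            findings.append(f"link to non-DocuSign host {host}")
    return findings
```

A message with no findings still deserves the manual verification step via the DocuSign account; this only automates the negative signals.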
https://www.cadosecurity.com/blog/the-growing-threat-of-docusign-phishing-attacks