DocuSign impersonated in credential phishing attack.
N2K logoJan 31, 2023

Armorblox researchers discuss a new attack leveraging DocuSign’s legitimacy for credential harvesting.

DocuSign impersonated in credential phishing attack.

Cybersecurity startup Armorblox released a blog this morning detailing a new phishing campaign in which the hackers purport to be from DocuSign in an attempt to harvest credentials.

About the DocuSign phish.

The campaign begins with an email appearing to originate from DocuSign, with the subject line reading “Please DocuSign: Approve Document 2023-01-11.” The phishing email sender name reads “Docusign,” though the email address itself has no connection with DocuSign, nor does the domain. The phish requests the review and signature of a document. If clicked, the “VIEW COMPLETED DOCUMENT” button redirects to a malicious webpage. The page appears to be a Proofpoint login screen, though in actuality, if entered, the login credentials would be harvested.

Techniques used, and caution advised.

The language in the subject line of the email instills a sense of urgency in the victim. Both DocuSign and Proofpoint’s legitimacy were leveraged by the attackers to instill trust in those targeted. The accurate emulation of a DocuSign workflow also increased trust and likelihood of successful interactions for hackers.

Guidance and best practices in navigating phishing attacks and email security.

Armorblox recommends a multifaceted approach to email security; on top of existing email security functionalities, they advise adding layers “that take a materially different approach to threat detection” to your toolkit. Another researcher recommendation is to check emails for cues hinting at social engineering. Stepping back and taking glances at the sender’s email, the sender’s name, and the speech within the email before taking any requested action is advised. Good security hygiene is important, too; multifactor authentication and password manager deployment, along with a unique password not seen on other accounts, can help prevent credential harvesting.

(Added 9:45 AM, February 2nd, 2023. Joe Gallop, Cyber Threat Intelligence Manager at Cofense wrote to explain why this sort of campaign is to be expected. In brief, DocuSign emails tend to get through:

"DocuSign spoofing is common for a reason. DocuSign-themed phishing emails regularly make their way past secure email gateways and into users' inboxes. While the campaign identified by Armorblox shows how DocuSign can be spoofed in mass phishing campaigns (with no personalized information or document content), we've also seen it used in very targeted ways. Recently, we identified a spear-phishing campaign that specifically targeted dozens of executives across multiple industries (but primarily in the insurance industry), asking execs to sign a 'Settlement Agreement' or 'Distribution Agreement,' rather than the generic documents used in untargeted campaigns.

"In even more subversive attacks, threat actors will actually create real DocuSign documents rather than just spoofing DocuSign in an email, in hopes that recipients will let down their guard after reaching the DocuSign domain. The threat actors then place malicious links in the document, leading victims to click through to phishing pages or other malicious resources."

We also heard from Sameer Hajarnis, Chief Product Officer of OneSpan, who places the incident in the larger context of brand impersonation: 

“The latest DocuSign brand impersonation attack is a further example of attackers spoofing popular brands as part of their phishing efforts. For this specific phishing attack, the email was sent from a trusted domain, with “DocuSign” as the sender and the malicious URL was hidden within embedded files. Because of this, the email evaded checks by the email security software. 

"This shows how difficult it is to block phishing emails using security software, as false negatives will always exist. Instead, users need to remain vigilant. These types of attacks also highlight the benefits of white labeling. For digital transactions, white labeling removes the threat of a familiar vendor - such as DocuSign - being impersonated because there is no visible branding associated with them. These social engineering attacks often exploit the trust and familiarity we place in familiar brands. Instead of conditioning users to place trust in this way, we need security-infused workflows native to digital experiences that guarantee the integrity of people, data, transactions, and documentation. 

"The answer rests on authenticating and identifying all involved parties, and unfortunately, companies in the industry continue to fall short in their approach to digital transactions. Until these issues are addressed, individuals and organizations will continue to fall victim to these attacks.”)