Full Report
Cybercriminals impersonate the trusted e-signature brand and send fake Docusign notifications to trick people into giving away their personal or corporate data
Analysis Summary
# Tool/Technique: Docusign Phishing Campaigns
## Overview
These campaigns involve cybercriminals leveraging the brand recognition and user trust associated with Docusign, an e-signature service provider, to distribute phishing emails. The goal is typically to harvest corporate credentials, sensitive personal/financial data, or trick users into initiating unauthorized financial transactions via spoofed invoices.
## Technical Details
- Type: Technique (Social Engineering/Phishing)
- Platform: Email, Web (Phishing pages), Mobile (via QR codes)
- Capabilities: Brand impersonation, deployment of deceptive links/attachments, credential harvesting, financial fraud (BEC precursors).
- First Seen: Ongoing; the source article (May 27, 2025) describes the specific campaigns as having emerged "over the past few months" before publication.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
## Functionality
### Core Capabilities
- **Email Spoofing:** Sending emails that appear to originate from the Docusign platform or entities using Docusign.
- **Deceptive Calls to Action:** Urgent wording (e.g., "review document") placed on a large yellow button that mimics the layout of a genuine Docusign notification.
- **Credential Harvesting:** Directing victims to fake login pages (e.g., spoofed Microsoft login pages) to capture credentials.
### Advanced Features
- **QR Code Delivery:** Embedding a QR code instead of a clickable link, so the destination cannot be checked by hovering and the victim opens it on a phone, which often lacks the URL filtering and endpoint protection of a managed PC.
- **API Abuse:** Attackers register real Docusign accounts and use the legitimate APIs to send authentic-looking envelopes spoofing known brands at scale.
- **Invoice/Payment Fraud:** Impersonating suppliers or municipal agencies in spoofed invoices, aimed specifically at tricking companies into wiring money.
- **Refund Scams:** Posing as refund notifications, coercing victims to call a number where they are tricked into providing financial details.
## Indicators of Compromise
- File Hashes: N/A (Primary mechanism is links/web pages, though some variants use attachments).
- File Names: N/A (Variable based on the document being spoofed).
- Registry Keys: N/A
- Network Indicators: Phishing pages impersonating Microsoft login pages or other financial portals; the source does not list specific URLs or domains.
- Behavioral Indicators: Emails urging the recipient to click a link or scan a QR code to open a supposed Docusign envelope; absence of the security code that genuine Docusign notifications include so the envelope can be opened directly from the official site without clicking the link.
## Associated Threat Actors
- Opportunistic Cybercriminals.
- Threat actors targeting corporate credentials and financial fraud (Business Email Compromise related).
## Detection Methods
- Signature-based detection: Detecting known malicious URLs/domains associated with the phishing infrastructure.
- Behavioral detection: Analyzing email content for common Docusign phishing themes (e.g., "review document," fake invoices) and detecting navigation to credential harvesting sites.
- YARA rules: Rules over raw message files that flag Docusign lure text combined with an inline image part (a QR code) or with sender headers that name Docusign while the sending domain is unrelated to it.
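The behavioral indicators and the behavioral detection bullets above describe the same checks: a sender that names Docusign but sends from an unrelated domain, a "review document" lure whose link leaves Docusign's domains, a QR-code call to action, and no security code in the body. The script below is an added example (not code from the source article or from Docusign) that scores constructed sample messages on exactly those traits. The Docusign sending-domain list, the security-code pattern, the lure phrases and both sample emails are assumptions made for the demo; confirm the real sending domains against Docusign's own documentation before relying on them.

```python
"""Score inbound mail for Docusign-themed phishing traits (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumption: domains Docusign itself sends notifications from.
DOCUSIGN_DOMAINS = {"docusign.com", "docusign.net"}
# Lure themes from the campaign write-up; weak signals on their own.
LURE_PHRASES = ("review document", "review and sign", "invoice", "refund")
QR_PHRASES = ("scan the qr", "qr code")
# Assumption: a genuine notification carries "security code" followed by a long token.
SECURITY_CODE_RE = re.compile(r"security code[^A-Za-z0-9]{0,10}[A-Za-z0-9-]{16,}", re.I)
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for the demo domains."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(msg: EmailMessage) -> str:
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return registrable_domain(m.group(1)) if m else ""


def body_html(msg: EmailMessage) -> str:
    """Concatenate every text part (plain and HTML) of the message."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() in ("text/plain", "text/html"))


def has_image_part(msg: EmailMessage) -> bool:
    return any(p.get_content_maintype() == "image" for p in msg.walk())


def link_domains(html: str) -> set:
    hosts = set()
    for url in HREF_RE.findall(html):
        host = urlparse(url).hostname
        if host:
            hosts.add(registrable_domain(host))
    return hosts


def score_message(raw: bytes) -> dict:
    """Return the matched indicators; three or more is treated as suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = body_html(msg)
    low = TAG_RE.sub(" ", html).lower()
    reasons = []
    sdom = sender_domain(msg)
    if "docusign" in str(msg.get("From", "")).lower() and sdom not in DOCUSIGN_DOMAINS:
        reasons.append(f"Docusign in sender name but sent from {sdom}")
    off_platform = link_domains(html) - DOCUSIGN_DOMAINS
    if "docusign" in low and off_platform:
        reasons.append("links leave Docusign domains: " + ", ".join(sorted(off_platform)))
    if any(p in low for p in LURE_PHRASES):
        reasons.append("lure phrase present")
    if any(p in low for p in QR_PHRASES) and has_image_part(msg):
        reasons.append("QR-code call to action with embedded image")
    if "docusign" in low and not SECURITY_CODE_RE.search(low):
        reasons.append("no security code in body")
    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= 3}


def build_sample(from_addr: str, subject: str, html: str, qr_png: bytes = None) -> bytes:
    """Constructed test message; the QR image is a placeholder byte string."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_addr, "ap@example.com", subject
    m.set_content("Please view this message in an HTML capable client.")
    m.add_alternative(html, subtype="html")
    if qr_png is not None:
        m.add_attachment(qr_png, maintype="image", subtype="png",
                         filename="qr.png", disposition="inline")
    return m.as_bytes()


# Constructed samples: a lookalike lure with an off-platform link and QR code,
# and a benign-looking notification that carries a security code.
PHISH = build_sample(
    '"Docusign via Mail Service" <noreply@mail-notices.example>',
    "Action Required: Review Document",
    '<p>A document has been sent to you through Docusign.</p>'
    '<p><a href="https://login-verify.example/docusign/review">REVIEW DOCUMENT</a></p>'
    '<p>Or scan the QR code below on your phone to open it.</p>',
    qr_png=b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
)
LEGIT = build_sample(
    '"Docusign" <dse@docusign.net>',
    "Please review and sign: Vendor agreement",
    '<p>Please review and sign the attached agreement.</p>'
    '<p><a href="https://app.docusign.net/Signing/EmailStart.aspx?x=1">VIEW DOCUMENT</a></p>'
    '<p>Alternatively, go to docusign.com and enter the security code: 8F2A1C4E9B7D6A3F2C5E</p>',
)

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        r = score_message(raw)
        print(name, r["score"], r["suspicious"], r["reasons"])
```

The lure phrase fires on the benign sample too, which is why the verdict is a threshold over several indicators rather than any single match; in production the same checks belong in the mail gateway's rule language, with the sending-domain list and security-code pattern taken from Docusign's published guidance rather than from this demo.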
## Mitigation Strategies
- **Security Awareness Training:** Update programs to teach employees the signs of a Docusign scam email: check destination URLs by hovering, confirm a security code is present and use it on the official Docusign site instead of clicking the link, look for spelling and grammar errors, and verify the sender's address and domain.
- **Multi-Factor Authentication (MFA):** Implement MFA across all corporate accounts to limit the impact of harvested credentials.
- **Security Software:** Utilize multi-layered security tools that can detect malicious attachments and prevent navigation to known phishing sites.
- **Policy Enforcement:** Implement strict policies against opening attachments or following links in unsolicited emails; mandate accessing services like Docusign only via security codes or direct site navigation.
- **Process Hardening:** Introduce extra scrutiny and verification steps for large fund transfers, even when initiated via seemingly legitimate communications.
- **Reporting:** Encourage users to report suspicious emails to internal IT/Security teams and to **spam[at]docusign[dot]com**.
## Related Tools/Techniques
- General Phishing Campaigns (T1566)
- Business Email Compromise (BEC) techniques (when targeting fund transfers).
- Brand Impersonation.