Fake DocuSign Emails: Don’t Get Hooked by Phishing Scams

### #DocuSignDeception #PhishingExploits #CredentialTheft

Summary: Cybersecurity researchers have identified a rise in phishing attacks targeting DocuSign users, leveraging the platform’s trust to steal sensitive credentials. These attacks often utilize compromised email accounts and sophisticated tactics to appear legitimate, posing significant risks to individuals and businesses.

Threat Actor: Unknown
Victim: DocuSign Users

Key Points:

  • Phishing emails often mimic legitimate DocuSign communications, urging users to click malicious links.
  • Compromised Japanese email accounts are frequently used to bypass spam filters and enhance credibility.
  • Malicious scripts in phishing emails execute checks to redirect users to fake login pages, including a Google Workspace interface.
  • Stolen credentials can lead to Business Email Compromise (BEC) scams or be sold on underground marketplaces.
  • Experts advise caution with unsolicited DocuSign emails, especially those requesting urgent actions.

Cybersecurity researchers from Cado Security Labs have uncovered a troubling trend of phishing attacks targeting DocuSign users. These campaigns exploit the trust and convenience associated with electronic signature platforms to deceive individuals into divulging sensitive credentials.

DocuSign phishing attacks often masquerade as legitimate emails, complete with official branding and formats that closely mimic genuine DocuSign communications. Typically, the emails claim a document is awaiting the recipient’s signature, urging them to click a link to access it. However, this link redirects users to malicious websites designed to steal their credentials.

As the report notes, “Frequently, DocuSign phishing campaigns will use legitimate compromised email accounts to send the phishing emails, in an effort to pass Domain Messaging Authentication Record and Conformance (DMARC) checks.” One alarming trend involves the use of compromised Japanese business emails, which are less likely to trigger spam filters compared to domains from regions like Nigeria or Russia.

The report delves into technical details of a recent phishing campaign. One email, with the subject line “BIYH-QPVSW-3617 is ready for your review,” appeared to originate from a Japanese domain, @anabuki-enter.co.jp. It contained a “Review Document” button that linked to a legitimate marketing service, possibly used to track user interactions before redirecting to a phishing site. Another email thread included a legitimate exchange between companies to increase its authenticity, ultimately leading victims to a malicious website hosting obfuscated JavaScript code.

The malicious script utilized base64 encoding to execute various checks and comparisons, ultimately redirecting users to a fake login page designed to steal credentials. One such page even included a Google Workspace login interface with a CAPTCHA check to enhance credibility.
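A triage check for the email traits described above (DocuSign branding from an unrelated sender that still passes DMARC, and a "Review Document" link that leaves DocuSign's domains), as an added example that is not from the Cado Security Labs report. The allow-listed domains, the finding names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains accepted as genuine DocuSign senders and link hosts.
DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_docusign(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOCUSIGN_DOMAINS)

def triage(raw):
    """Return findings for one raw message that presents itself as DocuSign."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    body = "".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    if not re.search("docusign", f"{display} {msg.get('Subject', '')} {body}", re.I):
        return []
    findings = []
    if not in_docusign(addr.rpartition("@")[2]):
        findings.append("brand-sender-mismatch")
        # DMARC pass vouches for the sending domain only, not the brand shown.
        if re.search(r"\bdmarc=pass\b", msg.get("Authentication-Results", ""), re.I):
            findings.append("dmarc-pass-unrelated-domain")
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    if any(h and not in_docusign(h) for h in hosts):
        findings.append("link-outside-docusign")
    return findings

# Constructed samples (example.* names are placeholders, not from the report).
PHISH = """\
From: "DocuSign" <sales@example.co.jp>
Subject: BIYH-QPVSW-3617 is ready for your review
Authentication-Results: mx.example.org; dmarc=pass header.from=example.co.jp
Content-Type: text/html; charset=utf-8

<p>DocuSign: a document is awaiting your signature.</p>
<a href="https://click.example.net/t/abc">Review Document</a>
"""
GENUINE = PHISH.replace("sales@example.co.jp", "dse@docusign.net").replace(
    "example.co.jp", "docusign.net").replace("click.example.net", "na4.docusign.net")

if __name__ == "__main__":
    print(triage(PHISH))
    print(triage(GENUINE))
```

The findings are triage signals for an analyst or a mail-gateway rule, not a verdict; a message that passes all three checks can still be malicious.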

DocuSign phishing campaigns are not isolated incidents but a systemic issue. The credentials stolen in these attacks can be used for Business Email Compromise (BEC) scams or sold on underground marketplaces. As highlighted in the report, “Threat actors on marketplaces sell phishing templates for various services, including DocuSign and Office365, to be used in business-to-business (B2B) scams.”

Tara Gould from Cado Security Labs underscores, “To protect against such phishing attempts, it is crucial to be cautious when receiving unsolicited DocuSign emails, especially when they ask for urgent action.”

Source: https://securityonline.info/fake-docusign-emails-dont-get-hooked-by-phishing-scams