DocuSign Phishing Campaigns

Summary

DocuSign is a platform that provides secure electronic document signing, especially for important business documents. The NJCCIC’s email security solution has identified and blocked multiple phishing campaigns, including those impersonating a notification from DocuSign with the intent to steal user credentials. The phishing email contains content and images of real emails from DocuSign, in an effort to appear legitimate to the recipient. The notification appears to be sent from “DocuSign” with a button to view the document that, if clicked, ultimately redirects the user to a spoofed DocuSign login page used to capture DocuSign credentials and the business email address associated with that account. Similar tactics and techniques are using the same layout with “Please DocuSign:” and keywords such as “contract” or “agreement” in the subject line, and the message appears to be from a specific person requesting the recipient to sign the document. Other sources have reported DocuSign phishing campaigns with COVID-19 themes, including COVID-19 Electronic Documents and US Department of Labor FMLA documents attempting to deliver TrickBot.

Recommendations

The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to avoid clicking links, opening attachments, or providing personal or financial information in response to emails from unknown senders and exercise caution with emails from known senders. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication.