Sophisticated new phishing attack impersonates DocuSign

The use of electronic signatures has become commonplace for many business transactions, cutting out the need for face-to-face meetings and couriering documents.

This, though, makes the signing process an attractive target for cybercriminals. Researchers at Armorblox have uncovered a sophisticated credential phishing attack impersonating e-signature leader DocuSign.

The attack employs a range of techniques to target businesses. It replicates a business workflow familiar to many industries (signing and reviewing contracts) and spoofs the address and subject line of a legitimate email related to e-signatures.

After clicking the link in the email, the user is presented with a pixel-perfect match of a valid DocuSign overview landing page, complete with a ‘View completed document’ button and call to action. Adding to the ruse, the page contains language imitating that of a legitimate DocuSign preview page, cautioning the user about sharing sensitive information and describing alternative signing methods.

On clicking the button, targets are presented with a Microsoft login page, commonly used as a single sign-on tool for accessing hosted applications. A watermarked view of the document is also displayed to trick the user into believing that they are only one step away from viewing it.

The emails also evade phishing protection by appearing to come from a trusted sender. An example seen by Armorblox shows that the attackers understand the business workflow and aim to intercept the end user during a common business practice at the target company.

You can find out more and see tips to prevent your business from falling victim to these attacks on the Armorblox blog.

Author: Martha Meyer