{"id":23409,"date":"2024-10-14T16:13:03","date_gmt":"2024-10-14T12:13:03","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/docusign-phishing-emails\/23409\/"},"modified":"2024-10-14T16:13:21","modified_gmt":"2024-10-14T12:13:21","slug":"docusign-phishing-emails","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/docusign-phishing-emails\/23409\/","title":{"rendered":"Phishing emails and Docusign electronic signature"},"content":{"rendered":"

Phishers are forever devising new tricks and finding new services to exploit and impersonate in their phishing campaigns. Today we talk about phishing emails that appear to come from Docusign, the world\u2019s most popular e-signature service.<\/p>\n

How Docusign-themed phishing works<\/h2>\n

\nThe attack begins with an email, typically designed to resemble a legitimate Docusign communication. In this particular scheme, phishers don\u2019t generally bother meticulously forging or masking the sender address, because genuine Docusign emails can originate from any address due to the service\u2019s customization options.<\/p>\n

In most cases, the victim is notified that they need to electronically sign a document \u2014 usually a financial one \u2014 the exact purpose of which isn\u2019t entirely clear from the text of the email.<\/p>\n

\"Docusign-themed<\/a>

Example of a phishing email supposedly from Docusign: in this case, the link to the phishing page is located right in the body of the email<\/p><\/div>\n

In some cases, phishers employ an additional trick we\u2019ve covered in a separate post<\/a> before: the email contains a PDF attachment with a QR code inside.<\/p>\n

\"Another<\/a>

Example of a phishing email supposedly from Docusign with a PDF attachment instead of a link<\/p><\/div>\n

The victim is prompted to scan this QR code \u2014 supposedly to access the document for signing. In reality, the QR code leads to a phishing website. This method tricks users into opening the malicious link not on their computers, but on their smartphones \u2014 where phishing URLs are harder to detect, and security software might not be installed.<\/p>\n

Sometimes the email doesn\u2019t mention Docusign at all. In one version of the PDF-with-QR-code scam, which we recently discussed in a post about spearphishing techniques in mass emails<\/a>, only inside the PDF is Docusign mentioned.<\/p>\n

\"Yet<\/a>

Another example of a phishing PDF attachment with a link hidden in a QR code<\/p><\/div>\n

Sometimes the cybercriminals take care to replicate the appearance of a legitimate Docusign email \u2014 complete with a security code at the foot of the email:<\/p>\n

\"Docusign-themed<\/a>

High-quality fake Docusign email<\/p><\/div>\n

In some cases, phishers mimic Docusign integration with Microsoft SharePoint:<\/p>\n

\"Mimicking<\/a>

Example of phishers mimicking Docusign integration with Microsoft SharePoint<\/p><\/div>\n

And in other cases, scam emails have nothing in common with the genuine ones. Here, for instance, the phishers were too lazy even to add the Docusign logo:<\/p>\n

\"Phishing<\/a>

This phishing email doesn\u2019t even have the Docusign logo<\/p><\/div>\n

In short, the tactics and quality of execution can vary from email to email. However, the core principle remains the same: phishers rely on the recipient not understanding how e-signing with Docusign actually works.<\/p>\n

The inattentive victim follows the link (or QR code) to the phishing page and enters their work login credentials, which go straight to the attackers.<\/p>\n

Usernames and passwords harvested through successful phishing attacks are often compiled into databases sold on illicit dark web marketplaces, and later used to attack organizations.<\/p>\n

How e-signing with Docusign actually works<\/h2>\n

\nThe actual process of signing a document with Docusign for the regular user is simplicity itself. You receive an email from the party requesting the signature \u2014 which contains an unmissable big yellow Review Document<\/em> button.<\/p>\n

\"Genuine<\/a>

A genuine Docusign email looks something like this. Source<\/a><\/p><\/div>\n

Clicking this button redirects you through a unique link to the Docusign website (on the docusign.net domain). The page that opens displays a short message from the initiating party, flanked by a Continue<\/em> button, similarly large and yellow.<\/p>\n

\"Document-signing<\/a>

Clicking the button in the email immediately opens the document-signing page at Docusign.com. Source<\/a><\/p><\/div>\n

The document for signing is available immediately \u2014 without entering any passwords. You simply review it, maybe add some details (such as name, date, and so on) in the appropriate fields, apply your signature, and click the Finish<\/em> button (which is \u2014 you guessed it \u2014 also big and yellow). All done. No further actions required.<\/p>\n

Now for what Docusign will NEVER do:<\/p>\n