We’ve all seen the plethora of fake DocuSign email attacks over the past many months. These were all easily defeated by copying the Document ID number from the email then going to docusign.com, clicking on Access Documents, then pasting in the Document ID number. Or, if you have a DocuSign account, log into that to look at your queue.

As ever, the attacks have evolved, and we have just seen an example of a credential phishing attack inside a legitimate DocuSign! In this attack, a genuine DocuSign (presumably from a compromised DocuSign account) is sent in an email. The recipient then uses the Document ID or looks in the DocuSign account to open the document.

Once the document is opened in the DocuSign window the document says it is encrypted by Microsoft and provides a link to “sign-in” to Microsoft, at which point it is a conventional credential/2fa phishing attack.

Surprisingly, DocuSign isn’t checking for viruses and attacks inside DocuSign envelopes, so we all need to be extremely careful even within a DocuSign, and don’t click on anything unless you have confirmed the sender by phone call and are convinced that the document is something you need to access and sign.

As a smart, tech-savvy, busy person you are extremely vulnerable to these kinds of attacks. Please keep your paranoia level set to 11.


Share this blog: