Security Intelligence
Phishing: Attackers Use DocuSign to Send Malicious Links
Attackers are abusing the electronic agreement management company DocuSign to send phishing links and documents.
Inside the Phishing Attempt
First, a malicious actor registers a free account with DocuSign or compromises another user’s account. They then upload a file to the account.
Next, the attacker sends a DocuSign envelope to their target. The recipient, in turn, receives an email invitation from DocuSign. It prompts them to review and sign an electronic document by clicking on a hyperlinked ‘View Document’ button.
The email evades detection because it is technically clean: it is a genuine DocuSign notification, and its ‘View Document’ link points to a document hosted on DocuSign’s own servers, so it lands in the recipient’s inbox.
The signing process is the same as for a legitimate file. The only difference is that clicking the link embedded in the hosted document redirects the recipient to a phishing site designed to steal their login credentials for Dropbox, Microsoft and other services.
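Because the notification email is clean and the malicious destination lives inside the hosted document, one place a defender can look is the document’s own link annotations. The following is an added example, not code from the original article or from DocuSign: it pulls the /URI actions out of an uncompressed PDF and flags any that point off the signing platform. The sample PDF bytes and the allowlist of DocuSign domains are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF with two /Link annotations.
# The first points at DocuSign, the second at an off-platform host (.example TLD).
# This is illustrative data, not a real DocuSign envelope.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://support.docusign.com/help) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://files-review.example/dropbox/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumed allowlist: hosts under these domains are treated as "on platform".
PLATFORM_DOMAINS = ("docusign.com", "docusign.net")

# Matches "/URI" followed by a literal string "(...)" or a hex string "<...>".
# Caveat: link annotations inside FlateDecode-compressed object streams are not
# visible to a byte-level regex; a production tool would use a real PDF parser.
URI_RE = re.compile(r"/URI\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")


def _decode_pdf_string(token: str) -> str:
    """Decode a PDF literal or hex string token into text (simplified escapes)."""
    if token.startswith("("):
        body = token[1:-1]
        # Unescape \( \) \\ ; octal and control escapes are not needed for URLs.
        return re.sub(r"\\(.)", r"\1", body)
    hexdigits = re.sub(r"\s+", "", token[1:-1])
    if len(hexdigits) % 2:
        hexdigits += "0"  # PDF spec: odd trailing digit is padded with 0
    return bytes.fromhex(hexdigits).decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found in the raw PDF bytes, in order."""
    text = pdf_bytes.decode("latin-1")  # 1:1 byte-to-char, no decode errors
    return [_decode_pdf_string(tok) for tok in URI_RE.findall(text)]


def _host_in(host: str, domains: tuple[str, ...]) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def offplatform_links(pdf_bytes: bytes, allowed=PLATFORM_DOMAINS) -> list[str]:
    """Return the links whose host is not under an allowed platform domain.

    Non-HTTP schemes (mailto:, javascript:) have no hostname and are flagged too.
    """
    flagged = []
    for uri in extract_uris(pdf_bytes):
        host = urlparse(uri).hostname or ""
        if not _host_in(host, allowed):
            flagged.append(uri)
    return flagged


if __name__ == "__main__":
    for uri in extract_uris(SAMPLE_PDF):
        print("link:", uri)
    for uri in offplatform_links(SAMPLE_PDF):
        print("OFF-PLATFORM:", uri)
```

Run against a document downloaded from the envelope, this separates links that stay on the signing platform from links that leave it; the second group is where the credential-harvesting redirect described above would sit.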
This technique works because hyperlinks embedded in PDFs, Word documents and other file types uploaded to DocuSign remain clickable all the way through to the finished page. (DocuSign converts other types of uploaded document files into static PDFs