Phishing emails and Docusign electronic signature

Phishers are forever devising new tricks and finding new services to exploit and impersonate in their phishing campaigns. Today we talk about phishing emails that appear to come from Docusign, the world’s most popular e-signature service.

How Docusign-themed phishing works

The attack begins with an email, typically designed to resemble a legitimate Docusign communication. In this particular scheme, phishers don’t generally bother meticulously forging or masking the sender address, because genuine Docusign emails can originate from any address due to the service’s customization options.

In most cases, the victim is notified that they need to electronically sign a document — usually a financial one — the exact purpose of which isn’t entirely clear from the text of the email.

Example of a phishing email supposedly from Docusign: in this case, the link to the phishing page is located right in the body of the email

In some cases, phishers employ an additional trick we’ve covered in a separate post before: the email contains a PDF attachment with a QR code inside.

Example of a phishing email supposedly from Docusign with a PDF attachment instead of a link

The victim is prompted to scan this QR code — supposedly to access the document for signing. In reality, the QR code leads to a phishing website. This method tricks users into opening the malicious link not on their computers, but on their smartphones — where phishing URLs are harder to detect, and security software might not be installed.

Sometimes the email doesn’t mention Docusign at all. In one version of the PDF-with-QR-code scam, which we recently discussed in a post about spearphishing techniques in mass emails, only inside the PDF is Docusign mentioned.

Another example of a phishing PDF attachment with a link hidden in a QR code

Sometimes the cybercriminals take care to replicate the appearance of a legitimate Docusign email — complete with a security code at the foot of the email:

High-quality fake Docusign email

In some cases, phishers mimic Docusign integration with Microsoft SharePoint:

Example of phishers mimicking Docusign integration with Microsoft SharePoint

And in other cases, scam emails have nothing in common with the genuine ones. Here, for instance, the phishers were too lazy even to add the Docusign logo:

This phishing email doesn’t even have the Docusign logo

In short, the tactics and quality of execution can vary from email to email. However, the core principle remains the same: phishers rely on the recipient not understanding how e-signing with Docusign actually works.

The inattentive victim follows the link (or QR code) to the phishing page and enters their work login credentials, which go straight to the attackers.

Usernames and passwords harvested through successful phishing attacks are often compiled into databases sold on illicit dark web marketplaces, and later used to attack organizations.

How e-signing with Docusign actually works

The actual process of signing a document with Docusign for the regular user is simplicity itself. You receive an email from the party requesting the signature — which contains an unmissable big yellow <em>Review Document</em> button.

A genuine Docusign email looks something like this. Source

Clicking this button redirects you through a unique link to the Docusign website (on the docusign.net domain). The page that opens displays a short message from the initiating party, flanked by a <em>Continue</em> button, similarly large and yellow.

Clicking the button in the email immediately opens the document-signing page at Docusign.com. Source

The document for signing is available immediately — without entering any passwords. You simply review it, maybe add some details (such as name, date, and so on) in the appropriate fields, apply your signature, and click the <em>Finish</em> button (which is — you guessed it — also big and yellow). All done. No further actions required.

Now for what Docusign will NEVER do:

• Send a PDF attachment with a link to a document to be signed. Bona fide Docusign notifications have no attachments, and display the <em>Review Document</em> button directly in the body of the email.
• Give you no choice but to scan a QR code. Docusign works on both mobile devices and computers, so a link is always provided to access the document — not a QR code.
• Require you to enter work login credentials. All the information Docusign needs is contained within the unique link sent in the email, so regular users aren’t required to undergo authentication to sign a document.
• Force you to register with or log in to Docusign. After you sign the document, Docusign might suggest creating an account, but it’s entirely optional.

Remember that the whole purpose of Docusign is to make it as easy as possible for companies and individuals to exchange electronically-signed documents.

Any additional steps or restrictions — such as creating an account, entering credentials, opening attachments, or using only a smartphone to sign — go against this principle. Therefore, Docusign asks for none of this and strives to make the signing process as quick and simple as possible.

How to guard against phishing

To protect your organization from phishing attacks that impersonate Docusign or other popular services, consider the following measures:

• Filtering out suspicious and unwanted email at the gateway level — our comprehensive solution Kaspersky Security for Mail Servers will do this for you.
• Protecting endpoints from phishing redirects with Kaspersky Small Office Security or Kaspersky Next — depending on the size of your organization.
• Raising employee awareness of cyberthreats with specialized training. Such training is easy to deliver using our educational Kaspersky Automated Security Awareness Platform.