DocuSign Phishing

In this attack, attackers impersonate a notification from DocuSign in order to steal those credentials from employees.

Quick Summary

  • Platform: Microsoft Office 365
  • Mailboxes: 15,000 to 50,000
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation Email

What was the Attack?

  • Setup: DocuSign is a platform that provides secure electronic document signing, and, of course, this means that important business documents will be in the system. As people are working from home in response to the current pandemic, DocuSign has become a vital tool for safe online document signing.
  • Email Attack: The attacker sent an email impersonating an automated email from Docusign, copying the content used by real emails from this company. The email claims that there is a document sent to the user for review from “CU #COVID19 Electronic Documents”, with no further details of what the document is.
  • Payload: The payload link is hosted via three main redirects: the first is a sendgrid redirect, then via two compromised websites.  The attack contains these link redirects in order to confuse their victims, and to bypass simple URL detection in emails that aren’t able to crawl numerous redirects. The final website hosts a fake DocuSign login page to steal user credentials.
  • Result: Should recipients fall victim to this attack, their login credentials to their DocuSign account as well as the business email account associated with that account would be compromised. Sensitive information stored on these accounts are at risk as well.

Why is this attack effective?

  • COVID-19: We’ve seen a large increase in COVID-19 related attack campaigns over the past few months. In some cases, attackers are launching the same previously seen attacks, with one key difference: coronavirus-related vocabulary. The attacker is using the current pandemic in order to incite more engagement from the end-user.
  • Concealed URL: The URL is wrapped in text in the email body, and sent via a SendGrid Link. By hiding the URL, the user must click on the link to figure out where the link goes.
  • Convincing Email and Landing Page: The attack impersonated DocuSign and included official images used by the company. The email had many embedded links in the email, some of which led to authentic DocuSign webpages. If not careful, one could believe the email was safe because many aspects of the email looked authentic. However, as we saw, the email contained a malicious URL that hosted a DocuSign phishing credentials webpage.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.

Related content