Cybercriminals Exploit Docusign with Customizable Phishing Templates

Cybercriminals are abusing Docusign by selling customizable phishing templates on cybercrime forums, allowing attackers to steal credentials for phishing and business email compromise (BEC) scams.
May 15, 2024

Over the past month, we've noticed a surge in Docusign phishing emails targeting our customers. To further investigate this issue, we took one of the recent attacks stopped by Abnormal and searched for it on cybercrime forums and networks. Eventually, we discovered an identical template being distributed on a Russian cybercrime forum.

Docusign Attacks On The Rise

Phishing attacks exploiting Docusign have witnessed a concerning uptick. These fraudulent emails, meticulously designed to mimic legitimate document signing requests, lure unsuspecting recipients into clicking malicious links or divulging sensitive information. The recent rise in these attacks can be attributed to several factors, including the widespread adoption of the platform across various industries, its trusted reputation, and, most significantly, the increasing sophistication of cybercriminal tactics.


Example of a Docusign phishing email

How Cybercriminals Are Exploiting Docusign

Sophisticated cybercriminals are leveraging the anonymity of the dark web to trade Docusign templates, a disturbing trend that underscores the evolving nature of digital fraud. These templates closely resemble authentic Docusign documents and are sold to facilitate a range of malicious activities, including phishing attacks, identity theft, and financial fraud.

When we searched cybercrime forums and networks for Docusign templates similar to the ones used in attacks targeting Abnormal customers, we discovered the following thread on a Russian cybercrime forum.


A Docusign phishing template being shared on a cybercrime forum

Further down in the thread, it was revealed that the user was offering custom template modifications for a fee. They also posted a template for DHL and promised not to resell the templates if ordered. Browsing the user's profile revealed little information, except for a strong interest in spamming activities, which did not lead us anywhere. However, searching for similar templates on the cybercrime forum and other networks revealed that a large number of these templates are readily available for purchase.


Multiple phishing templates being shared on a cybercrime forum

Why Do Cybercriminals Want Docusign Templates?

When launching a phishing campaign, cybercriminals prioritize authenticity in order to maximize success. They have two options: buy templates from reputable sellers on cybercrime forums or sign up for the targeted service (such as Docusign) to get genuine templates directly. However, both options pose unique challenges.

Purchasing templates from reputable sellers saves time and effort, but the seller must be able to accurately replicate the template while maintaining exclusivity. Obtaining templates directly from the targeted service, on the other hand, ensures authenticity but takes time, necessitates manual replication, and poses a risk to the cybercriminal's privacy.

Many cybercriminals lack the technical proficiency required to create convincing phishing templates from scratch. Purchasing ready-made templates is a practical solution that allows them to concentrate their efforts on carrying out the phishing campaign rather than devoting valuable resources to template creation.


Phishing products and letters sold in bulk for cybercriminals

Cybercriminals frequently launch multiple phishing campaigns at the same time, focusing on different vendors and services. Creating a unique template for each target would be extremely resource-intensive. Instead, cybercriminals can streamline their operations and increase their profits by purchasing templates in bulk or outsourcing their creation.

What Do Cybercriminals Do With Stolen Docusign Credentials?

Cybercriminals are usually secretive about their operations, but some online chatter reveals how they make money by using stolen Docusign credentials obtained through phishing campaigns. The most popular method appears to be business email compromise (BEC)—this usually involves a few steps.


A cybercriminal looking for US partners for a Docusign BEC fraud scheme

First, cybercriminals buy stolen Docusign logins on cybercrime forums and networks for as little as $10, gaining access to a company's account. Then, they carefully review all of the stored files, looking for contracts, vendor agreements, and upcoming payment information. This helps them figure out who to target and how to make their scams appear legitimate. In addition, they look for any information that could be used to blackmail the company.

Using the information gathered, the scammers impersonate the company they hacked and send fake emails to the company's business partners, requesting that they transfer funds to a different account controlled by the cybercriminals. To make these emails appear even more legitimate, scammers frequently attach fake contracts via the hacked Docusign account, timing these emails around when real payments are due to make the fraud more difficult to detect.

If the scam is successful, large payments intended for legitimate vendors are diverted to cybercriminals instead, potentially earning them hundreds of thousands of dollars from a single successful business-to-business (B2B) payment scam. Hacked Docusign accounts are also a goldmine for corporate espionage, as cybercriminals can profit handsomely by selling information about upcoming mergers, financial records, client lists, and other sensitive data to other entities.

Many documents stored in Docusign contain sensitive and confidential information. If cybercriminals discover this type of data while snooping, they may resort to blackmailing the company by threatening to release the information publicly unless a large ransom is paid. This puts businesses in a difficult situation, forcing them to either pay up or risk reputational harm and legal trouble.

5 Ways To Detect a Docusign Phishing Email

To protect yourself from falling victim to Docusign phishing scams, keep an eye out for these key indicators:

  1. Check the sender's email address: Authentic Docusign emails always originate from the domain. Be wary of generic greetings or incorrect spelling and grammar.

  2. Watch out for impersonal greetings: Phishing emails frequently use generic salutations, whereas legitimate Docusign emails address you by name.

  3. Verify the security code format: Docusign security codes are long and complex, like EA66FBAC95CF4117A479D27AFB9A85F01. Short or simple codes likely indicate a phishing attempt.

  4. Inspect links before clicking: Hover over links to see their destination URLs. Genuine Docusign links go directly to Be wary of emails that include Google Docs/Drive links or attachments.

  5. Use Docusign's secure document access: Instead of clicking links in suspicious emails, go directly to, click "Access Documents," and enter the security code provided at the bottom of Docusign emails.

If you are unsure about the authenticity of a Docusign email, contact the intended sender via a different, trusted communication channel to confirm before proceeding. When it comes to protecting your sensitive information and devices from phishing attempts, it's always a good idea to be on the safe side.

How to Prevent BEC Attacks Resulting from Docusign Phishing

In addition to keeping an eye out for key indicators, organizations must implement an advanced security solution to stay one step ahead of sophisticated attackers. The Abnormal platform leverages AI and machine learning to effectively shield your organization from advanced phishing attacks, like those carried out using compromised Docusign templates, and the subsequent risk of business email compromise (BEC). Through contextual and behavioral analysis, Abnormal scrutinizes email communication patterns, detecting anomalies that are indicative of BEC tactics such as spoofing, impersonation, and social engineering, enabling organizations to intervene before any damage occurs.

By proactively identifying and neutralizing BEC threats, Abnormal strengthens organizations' defenses against these types of targeted attacks exploiting legitimate services like Docusign.

Interested in learning more? Schedule a demo today to find out how we can help you.

Schedule a Demo
Cybercriminals Exploit Docusign with Customizable Phishing Templates

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B travelscams
Cybercriminals exploit stolen financial data to offer consumers heavily discounted travel deals. Learn how these email scams work and tips to avoid falling victim to them this summer travel season.
Read More
B Earn Your CPE Credits with Abnormal
Earn your continuing education credits with ISC2 by viewing cybersecurity content from Abnormal Security.
Read More
B Seg Lessons
Discover key insights gleaned from replacing 100+ SEGs for Abnormal customers.
Read More
B Europe Attack Data Blog
Discover what our research uncovered about the European threat landscape and attack trends for organizations in the region.
Read More
Abnormal aims to provide superior detection of email attacks while also directly and indirectly influencing the security awareness of your employees.
Read More
B 6 3 24 BEC Attacks
Discover how cybercriminals obtain corporate data from brokers like ZoomInfo and Apollo to enable targeted business email compromise (BEC) attacks.
Read More