DocuSign abused to launch devious phishing scams

Hook on Keyboard
(Image credit: wk1003mike / Shutterstock )
Audio player loading…

Cybersecurity (opens in new tab) researchers have discovered a new attack, in which malicious users spoof DocuSign (opens in new tab) messages to send malicious documents and phishing (opens in new tab) links.

Previously (opens in new tab), hackers have exploited the trust users associate with DocuSign to pass around fake phishing emails, to pilfer user credentials from all major email providers (opens in new tab).

DocuSign (opens in new tab) is an electronic signature technology used by businesses and individuals to exchange contracts, tax documents and legal materials.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window (opens in new tab) <<

The threat actors behind this new wave of phishing attacks, discovered by email security vendor Avanan, are using this legitimate application to pass malicious links.

“E-signature providers such as DocuSign and Adobe Sign (opens in new tab) typically flatten uploaded document files and convert them into static .pdf files. This does help deter threats such as Macros from being embedded in the document. However, hyperlinks within a .pdf, .docx, etc., get carried on in the document and retain clickability to the end recipients after Signing execution,” explains (opens in new tab) Avanan’s Jeremy Fuchs in a blog post.

Abusing trust

Avanan explains that although DocuSign has implemented various security measures to prevent malicious documents from being hosted on its infrastructure, a trailblazing attacker could use mechanisms like steganography to override the checks and deliver “a weaponized piece of malware (opens in new tab) or ransomware (opens in new tab).”

Furthermore, Avanan discovered that while embedding booby-trapped files does take some doing, malicious links can be added to any document without any effort or trick.

In his writeup Fuchs argues that this is a particularly effective strategy since it hosts the phishing link on DocuSign’s servers, while keeping the email clean, which helps it get past any security checks imposed by the client clients.

Fuchs notes that Avanan has shared details about this attack vector with the DocuSign information security and threat intelligence team.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.