DocuSign abused to launch devious phishing scams

Hook on Keyboard
(Image credit: wk1003mike / Shutterstock)

Cybersecurity researchers have discovered a new attack, in which malicious users spoof DocuSign messages to send malicious documents and phishing links.

Previously, hackers have exploited the trust users associate with DocuSign to pass around fake phishing emails, to pilfer user credentials from all major email providers.

DocuSign is an electronic signature technology used by businesses and individuals to exchange contracts, tax documents and legal materials.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

The threat actors behind this new wave of phishing attacks, discovered by email security vendor Avanan, are using this legitimate application to pass malicious links.

“E-signature providers such as DocuSign and Adobe Sign typically flatten uploaded document files and convert them into static .pdf files. This does help deter threats such as Macros from being embedded in the document. However, hyperlinks within a .pdf, .docx, etc., get carried on in the document and retain clickability to the end recipients after Signing execution,” explains Avanan’s Jeremy Fuchs in a blog post.

Abusing trust

Avanan explains that although DocuSign has implemented various security measures to prevent malicious documents from being hosted on its infrastructure, a trailblazing attacker could use mechanisms like steganography to override the checks and deliver “a weaponized piece of malware or ransomware.”

Furthermore, Avanan discovered that while embedding booby-trapped files does take some doing, malicious links can be added to any document without any effort or trick.

In his writeup Fuchs argues that this is a particularly effective strategy since it hosts the phishing link on DocuSign’s servers, while keeping the email clean, which helps it get past any security checks imposed by the client clients.

Fuchs notes that Avanan has shared details about this attack vector with the DocuSign information security and threat intelligence team.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.