Hackers launch phishing attack disguised as DocuSign document

(Image credit: wk1003mike / Shutterstock)

Hackers are turning to disguising phishing attacks as legitimate DocuSign documents in order to steal user credentials from all major email providers.

The Cofense Phishing Defense Center has identified a new wave of phishing attacks, disguised as an email from DocuSign.

The attack begins when a user receives an email that appears to be from DocuSign as it includes its actual logo and the content of the message is similar to real emails sent from the company. However, the first line of the message does not contain the recipient's name and simply says “Good day”.

From the email header, Cofense was able to determine that the threat source originates from the domain narndeo-tech.com. This domain belongs to Hetzner Online GmbH which is a well-known web hosting company based in Germany.

DocuSign is an electronic signature technology that is used by businesses and individuals to exchange contracts, tax documents and legal materials. The threat actors behind this new wave of phishing attacks are using this legitimate application to trick users into handing over their credentials.

Phishing for credentials

Looking deeper into the emails, Cofense's researchers found an embedded hyperlink that redirects to a phishing page which gives six separate options for users to enter their credentials to access the DocuSign document.

The threat actors recreated login pages for Office 365, Gmail, Microsoft Outlook, Yahoo!, AOL and Apple iCloud which appear quite similar to the real thing to trick users into handing over their login details. However, cautious users could be made aware of the scheme by looking at the URLs of these pages as they are not legitimate.

To prevent falling victim to the DocuSign phishing attack and others like it, Cofense recommends that all users should be cautious when an email instructs them to provide their credentials.