Phishing Campaign Masquerading as DocuSign Notifications Designed to Steal Email Account Credentials

On Monday, the NJCCIC detected a credential phishing campaign attempting to deliver malicious emails masquerading as DocuSign notifications. The body of the email suggests there are documents that require a signature and attempts to entice the recipient into clicking an embedded link or opening an attachment. If either of these actions is completed, the recipient is taken to a compromised website where he or she is lured into entering email account credentials in order to view and sign the supposed documents. The website gives the recipient the option of logging in using one of the following accounts: Gmail, Outlook, Yahoo!, and AOL. It also provides an option to log in with an account not listed on the phishing website’s landing page.

If account credentials are submitted, they are sent to the hacker or group behind the campaign, who can then use the credentials to log into the recipient’s email accounts as well as any other accounts linked to, or associated with, that email address. Additionally, the hackers can use the compromised account to send the phishing emails on to that person’s contact list, creating the illusion that the emails are legitimate.

As this campaign has initially managed to bypass some email security filters, the NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, be sure to have them proactively change the passwords to their accounts, as well as to any account associated with those email addresses, and enable two-factor authentication, if available. More information about this specific threat, including how to determine if a DocuSign email is legitimate, is available on the DocuSign Trust Center website.
