DocuSign Phishing Campaign

Proofpoint discovered an active DocuSign phishing campaign targeting specific individuals at various organizations since late July. Stolen DocuSign branding and visual elements are used in the phishing emails and direct victims to fraudulent landing pages hosted at Amazon Web Services (AWS) public cloud storage (S3) and other public cloud infrastructure. A closer review of the source code of the landing pages reveals the encoding and variable names change with each deployment of the landing page to evade detection. This multibyte XOR obfuscation encoding technique was also analyzed by Proofpoint researchers in February 2016. The NJCCIC recommends users refrain from clicking on links or opening attachments delivered with unexpected or unsolicited emails, including those from known senders. If the user is uncertain of the email’s legitimacy, contact the sender via an alternate method. If credential compromise is suspected, users are advised to change credentials across all accounts that used the same login information and enable multi-factor authentication where available. For more technical details, please review the Proofpoint post.