The TorchLight Security Operations Center has seen a massive increase in fake Docusign phishing emails since Monday of this week. While these threat vectors have been in use since early 2024, the sharp rise in attacks this week is real. At this point, treat every Docusign email as hostile until it has been carefully reviewed and confirmed legitimate.
There are some telltale signs for determining whether a contract-platform email and the documents it carries are legitimate:
Signs that your Docusign Email is fake
- The document / email is unexpected.
- Misspellings in the reply-to domain, for example docu-sign.net or docsign.com. The correct domains for Docusign are docusign.com and docusign.net.
- A generic greeting is another red flag. Legitimate Docusign documents typically address you by first name or business name.
- A high sense of urgency: “Your account will be terminated if you don’t act by…”
- Bad grammar, punctuation and misspellings.

- A legitimate Docusign email will come from docusign.com or docusign.net, will have a reply-to address ONLY on docusign.com or docusign.net, and will contain links that lead only to docusign.com or docusign.net domains. Check the full hostname of each link, not just whether the word docusign appears in it.
- A legitimate Docusign email will not contain attachments.
- A legitimate Docusign email will not contain a QR code (threat actors use QR codes because they hope you will move to a mobile device, where security controls are generally looser than on a laptop or desktop computer).
- If clicking a link in a Docusign email lands you on a login page, exercise an extremely high degree of caution before entering credentials. These attacks work because they look authentic at first glance, but a closer look at the full URL and a healthy dose of skepticism will keep your digital life safe and secure.
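The checks in the two lists above can be applied mechanically before a human ever opens the message. The following Python script is an added example, not code from the original post or from Docusign: it parses a raw email with the standard library, compares the From and Reply-To domains and the host of every link against the Docusign domains (a host must be docusign.com/docusign.net or a subdomain of one, so docu-sign.net and docusign.com.evil.net both fail), and flags any attachment, QR-code wording, urgency language and a generic greeting. The two sample messages, the function names (`triage`, `is_trusted_host`) and the keyword lists are constructed for this example; the allowed-domain set is a parameter so the same check can be pointed at other senders such as survey tools.

```python
# Added example (not code from the post or from Docusign): apply the checks
# above to a raw message. Sample messages below are constructed for this demo.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlsplit

# The only domains a legitimate Docusign mail uses for From, Reply-To and links.
DOCUSIGN_DOMAINS = frozenset({"docusign.com", "docusign.net"})
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)
TAG_RE = re.compile(r"<[^>]+>")
URGENCY_RE = re.compile(r"terminat|suspend|immediately|within \d+ hours|act now", re.I)
QR_RE = re.compile(r"\bqr\b|scan (?:this|the) code", re.I)
GENERIC_GREETING_RE = re.compile(
    r"^\s*(?:dear|hello|hi)\s+(?:customer|user|client|member|valued customer)\s*[,:!.]?\s*$",
    re.I | re.M)

# Constructed phish: From is the real Docusign platform (these mails do originate
# there, as the post notes) but reply-to, link, attachment and body hit the flags.
SAMPLE_PHISH = b"""\
From: "Docusign" <dse@docusign.net>
Reply-To: support@docu-sign.net
Subject: Action Required: Complete your document
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Your account will be terminated if you do not act within 24 hours.</p>
<p><a href="https://docusign.com.login-verify.net/review">Review Document</a></p>
<p>Or scan the QR code in the attached image.</p>
</body></html>
--b1
Content-Type: image/png; name="qr.png"
Content-Disposition: attachment; filename="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed legitimate-looking notification: named greeting, docusign.net
# reply-to, app.docusign.com link, no attachment.
SAMPLE_LEGIT = b"""\
From: "Alice Example via Docusign" <dse@docusign.net>
Reply-To: alice.example@docusign.net
Subject: Alice Example sent you a document to review and sign
Content-Type: text/plain; charset="utf-8"

Hello Bob Example,

Alice Example has sent you a document to review and sign:
https://app.docusign.com/signing/start?ti=demo
"""


def is_trusted_host(host, allowed=DOCUSIGN_DOMAINS):
    """True only if host is an allowed domain or a subdomain of one, so
    docu-sign.net and docusign.com.evil.net both fail."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def address_domain(header_value):
    """Domain of an address header; '' when the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw, allowed=DOCUSIGN_DOMAINS):
    """Return the red flags found in a raw RFC 5322 message (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    for header in ("From", "Reply-To"):
        dom = address_domain(msg.get(header))
        if dom and not is_trusted_host(dom, allowed):
            flags.append(f"{header.lower()}-domain:{dom}")
    # Raw text of every non-attachment text part (HTML kept for href extraction).
    body = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text" and not p.is_attachment())
    urls = {u.rstrip(".,;)") for u in HREF_RE.findall(body) + URL_RE.findall(body)
            if u.lower().startswith("http")}
    for url in sorted(urls):
        host = urlsplit(url).hostname or ""
        if not is_trusted_host(host, allowed):
            flags.append(f"link-domain:{host}")
    for part in msg.iter_attachments():  # any attachment at all is a flag
        flags.append(f"attachment:{part.get_filename() or part.get_content_type()}")
    text = TAG_RE.sub(" ", body)
    for name, pattern in (("qr-code", QR_RE), ("urgency", URGENCY_RE),
                          ("generic-greeting", GENERIC_GREETING_RE)):
        if pattern.search(text):
            flags.append(name)
    return flags
```

Running `triage(SAMPLE_PHISH)` reports the docu-sign.net reply-to, the docusign.com.login-verify.net link, the qr.png attachment, the QR wording, the urgency language and the generic greeting, while the From domain passes, which is exactly why the sender address alone cannot be trusted. `triage(SAMPLE_LEGIT)` returns an empty list. To apply the same checks to mail from another platform, pass its real domains as `allowed`; the keyword patterns are deliberately simple and are meant to prompt review, not to replace it.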
What’s Happening?
Docusign’s API (and those of similar services) is being used extensively by threat actors because registration is easy and there is little enforcement of what is sent through it, especially around sender addresses that are clearly intended to closely resemble the Docusign domain. Because Docusign is a trusted, industry-leading contracting provider, and because these emails genuinely originate from its infrastructure, they will continue to land in your inbox. We have also seen the same technique used through survey and opinion-gathering tools, abusing those platforms in the same way the Docusign platform is abused.
Below is an email we received on Wednesday from one of our customers. Note that the reply-to address at the top of the image is close to, but is not, the legitimate surveymonkey.com domain.
