SECURITY
A new report out today from cybersecurity company Forcepoint LLC’s X-Labs research team has uncovered a spike in holiday-themed phishing activity that blends impostor Docusign credential harvesting with deceptive loan offer spam, creating a threat for both corporate and consumer targets.
The Christmas Docusign-themed phishing campaign abuses the Docusign brand to entice users into clicking fake “Review Document” links that promise access to completed transaction notices.
The X-Labs researchers observed attackers sending fake Docusign messages from domains such as jritech.shop that include legitimate-looking Docusign branding while routing recipients through disposable hosting networks like Fastly, Glitch and Surge.sh. Once potential victims click through, they eventually land on a credential-harvesting page designed to steal corporate email logins.
Red flags in the phishing emails include mismatched sender domains, infrastructure unrelated to Docusign’s legitimate networks and opaque URL redirects behind the fake review document call-to-action buttons. On top of the phishing emails, the campaign then layers holiday loan spam that preys on seasonal financial stress. The messages range from fake “Xmas loan” pitches to more sophisticated bulk email campaigns that mirror legitimate marketing traffic.
One variant was found to funnel unsuspecting recipients to sites like christmasscheercash.com, where victims are guided through a seemingly benign loan application that steadily escalates into a structured identity data request. Before long, applicants are asked for deeply personal information, such as financial and bank details, that feeds directly into identity theft ecosystems.
The attackers do not stop there, however. Even after stealing a victim's information, they redirect the victim to another, similar loan-themed site that requests similar information and includes links to additional spam loan offers.
The dual pattern is particularly insidious given how both elements exploit emotional triggers unique to the holiday season, including urgency, financial pressure and routine business tasks. Where one attack vector aims to breach corporate environments, the other seeks high-value personal data at scale.
“These campaigns are effective because they mimic normal end-of-year workflows: reviewing documents, responding to marketing offers and resolving budget gaps,” the X-Labs researchers wrote.
The report concludes by making recommendations on how to protect against such phishing attacks.
Organizations are advised to treat all Docusign-themed emails as untrusted until they are explicitly validated by checking sender domains and inspecting the actual destination behind embedded buttons before clicking, while also flagging messages that route users through unrelated infrastructure or disposable hosting platforms such as Fastly, Glitch or Surge.sh instead of expected service domains.
Loan offers originating from unknown senders, free email accounts or messages with mismatched reply-to domains should be considered high-risk. Security teams should monitor for marketing-style tracking links that unexpectedly pivot users toward nonmarketing outcomes such as identity questionnaires or personal and financial data collection.
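The checks recommended above can be sketched as a mail-triage routine. This is an added example, not code from the Forcepoint report; the allowlist of expected Docusign domains and the hostname suffixes used for Surge.sh, Glitch and Fastly are assumptions, and the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: expected Docusign domains and the hosting suffixes to flag.
EXPECTED = ("docusign.com", "docusign.net")
DISPOSABLE = ("surge.sh", "glitch.me", "fastly.net")

def under(host, suffixes):  # exact or subdomain match, never a substring match
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

class LinkHosts(HTMLParser):  # collects the real host behind each <a href>
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append(urlsplit(href).hostname or "")

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_email):
    msg = message_from_string(raw_email)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    parser = LinkHosts()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    themed = "docusign" in ((msg["From"] or "") + (msg["Subject"] or "")).lower()
    checks = {
        "sender_domain_mismatch": themed and not under(sender, EXPECTED),
        "link_off_expected_domain": themed and any(not under(h, EXPECTED) for h in parser.hosts),
        "disposable_hosting_link": any(under(h, DISPOSABLE) for h in parser.hosts),
        "reply_to_mismatch": bool(reply_to) and reply_to != sender,
    }
    return {name for name, hit in checks.items() if hit}

# Constructed sample; the link host is a placeholder, not an indicator from the report.
SAMPLE = """From: "Docusign" <notify@jritech.shop>
Reply-To: billing@mailbox.example
Subject: Completed: please review document
Content-Type: text/html

<a href="https://placeholder-project.surge.sh/r?id=1">Review Document</a>
"""
```

Calling `triage(SAMPLE)` returns all four flags; a message sent from and linking only to the expected domains returns an empty set.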