A new report from researchers at Armorblox Inc. today warns of a recent malicious email campaign that attempted to trick users into believing the emails were from DocuSign Inc. to steal sensitive login credentials.

The attack was first detected earlier this month, targeting more than 10,000 end users across multiple organizations. While Armoblox detected and blocked the attack among its customers, the attack may have been far more widespread.

The subject of the emails sent in the attack attempt to instill a sense of urgency, reading “Please DocuSign: Approve Document 2023-01-11.” The inclusion of the word approve within the subject line makes the email appear that action is required in a timely manner. To ensure the recipient opened the email, the attacker made it seem like the document being sent through was new and needed review.

The emails appear to be legitimate communication from DocuSign, with the sender name manipulated to say Docusign. However, the email address and domain had no association with the company.

The body of the email used language that made it appear to be legitimately from DocuSign but like many campaigns, the trap was in the link. Within the email, a call-to-action button “view completed document” contained a URL that takes victims to a fake landing page designed to impersonate a Proofpoint Storage application. The victims are then asked to sign in with their Proofpoint ID and, when doing so, ends up sending those credentials straight to the attacker.

“The email attack used language to instill trust and persuade victims to click on the malicious link included within the body of the email and bypassed Microsoft Office 365 (receiving an SCL score of -1) and leading inline secure email gateway security tool, Proofpoint,” the researchers explain. “These native email security layers are able to block mass spam and phishing campaigns and known bad URLs; however, when it comes to unknown links or zero-day attacks, these security layers fall short.”

The researchers recommend that companies should augment native email security with additional controls for better protection against email attacks, whether they’re spear phishing, business email compromise, or credential phishing attacks like this one. Training staff to watch out social engineering cues is also mentioned and companies should always deploy multifactor authentication where possible and use password management software to protect account passwords.

Photo: DocuSign