Cofense - Security Awareness Training & Email Threat Detection

Phishing Campaign Utilizes DocuSign to Counter Security Controls

Share This Article

By Cobi Aloia, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) continues to see phish exploiting DocuSign to leverage vulnerabilities in traditional security technologies. The problem with using secure email gateways to mitigate threats hidden in domains such as DocuSign is that the domains are considered safe and are, therefore, not flagged as being malicious. This brings up further cause for concern as many employees also recognize DocuSign as being a trustworthy platform (and they would be right) but threat actors are stealthily utilizing this service as a means for delivering phish. The PDC has observed approximately 200 unique phish taking advantage of DocuSign for malicious links, with at least half of those including phishing pages hosted on the domain “glitch[.]me.” In addition, the PDC has seen similar phishing links on numerous other e-signature platforms such as Adobe, PandaDoc, PdfFiller and more. It’s an issue, and a relevant factor, vis-a-vis threat mitigation and deterrence.

Graphical user interface, application Description automatically generated

Figure 1: Email Body

Seen in Figure 1, the body of this email appears to be legitimate since the threat actor used the automated email service offered by DocuSign, which employees may see on a day-to-day basis. Because the email is from DocuSign with a DocuSign “from” address, the threat actor does not need to leverage obfuscation or spoofing techniques. This is consistent with other DocuSign-branded phishing emails observed by the PDC. In the message for the document being sent, the threat actor has appeared to spoof a legitimate company and its owner while also leveraging the recipient company’s brand. By doing so, the email seems less suspicious and therefore more likely to be opened.

Graphical user interface, application Description automatically generated

Figure 2: DocuSign Page

Upon opening the hyperlink nested in the “REVIEW DOCUMENT” section of the message body, the recipient is redirected to the DocuSign’s platform where, instead of signing a typical contract or document, a form with a picture of a locked Adobe document is presented, as seen in Figure 2. The form contains a button labeled “VIEW DOCUMENT” which has the embedded short link hXXps://smarturl[.]it/5d92o4. This will redirect recipients from DocuSign’s website and to the phish itself. The use of short links is a common technique used by threat actors to further obfuscate the phishing page URL and, in this case, can possibly make it difficult for DocuSign to flag the phishing page URL as malicious.

Graphical user interface, application Description automatically generated

Figure 3: Phishing Page

The root domain of the URL used in this phish, glitch[.]me, has been used to host a variety of other phish, with the “Adobe Document Cloud” page seen in Figure 3 being a favorite. It has been seen very frequently across the PDC, where the subdomain differs for each unique email. This phish presents three separate options for different credential-stealing logins: Outlook, Office365, Other Mail– with two of the options being arguably the same (Outlook, Office365). By doing this, threat actors can take advantage of a more generic brand styling and gain the ability to compromise a much broader array of credentials than they would by using a specific brand and login.

Since Cofense continues to see phishing emails using DocuSign as means of delivery to recipient inboxes, these threats pose an obvious problem, and they have the potential to become even more complex. The use of a legitimate and popular service such as DocuSign creates difficulties for SEGs to block threats such as this one. Cofense provides end-to-end phishing defense and allows organizations to prepare staff to identify and quickly report a suspicious message for efficient mitigation. Reach out to us to learn more about what Cofense can do for you.

Indicators of Compromise IP
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.