
Phishing Campaign Utilizes DocuSign to Counter Security Controls

By Cobi Aloia, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) continues to see phish that exploit DocuSign to get past the weaknesses of traditional security technologies. The problem with relying on secure email gateways (SEGs) to mitigate threats hidden behind domains such as DocuSign is that those domains are considered safe and are therefore not flagged as malicious. The concern goes further: many employees also recognize DocuSign as a trustworthy platform (and they would be right), yet threat actors are quietly using the service as a vehicle for delivering phish. The PDC has observed approximately 200 unique phish taking advantage of DocuSign for malicious links, with at least half of those including phishing pages hosted on the domain “glitch[.]me.” In addition, the PDC has seen similar phishing links on numerous other e-signature platforms such as Adobe, PandaDoc, PdfFiller and more. It is a real issue, and a relevant factor, for threat mitigation and deterrence.


Figure 1: Email Body

As seen in Figure 1, the body of this email appears legitimate because the threat actor used the automated email service offered by DocuSign, which employees may see on a day-to-day basis. Because the email genuinely comes from DocuSign, with a DocuSign “from” address, the threat actor does not need to rely on obfuscation or spoofing techniques. This is consistent with other DocuSign-branded phishing emails observed by the PDC. In the message accompanying the document, the threat actor appears to have impersonated a legitimate company and its owner while also using the recipient company’s brand. By doing so, the email seems less suspicious and is therefore more likely to be opened.


Figure 2: DocuSign Page

Upon opening the hyperlink nested in the “REVIEW DOCUMENT” section of the message body, the recipient is taken to DocuSign’s platform where, instead of a typical contract or document to sign, a form with a picture of a locked Adobe document is presented, as seen in Figure 2. The form contains a button labeled “VIEW DOCUMENT” with the embedded short link hXXps://smarturl[.]it/5d92o4. This redirects recipients away from DocuSign’s website to the phish itself. Short links are a common technique threat actors use to further obfuscate the phishing page URL and, in this case, can make it difficult for DocuSign to flag the phishing page URL as malicious.


Figure 3: Phishing Page

The root domain of the URL used in this phish, glitch[.]me, has been used to host a variety of other phish, with the “Adobe Document Cloud” page seen in Figure 3 being a favorite. The PDC has seen it very frequently, with the subdomain differing for each unique email. This phish presents three separate options for credential-stealing logins: Outlook, Office365 and Other Mail, with two of the options (Outlook, Office365) being arguably the same. By doing this, threat actors can take advantage of a more generic brand styling and gain the ability to compromise a much broader array of credentials than they would by using a specific brand and login.
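The three-hop chain described above (trusted DocuSign envelope link, then a short link, then a credential page on free hosting) is exactly what an SEG that only judges the first domain misses. The following Python is an added example, not code from the original post or from Cofense: it walks such a chain offline and scores it against that pattern. The hop table is constructed from the page's indicators, and the shortener and free-hosting lists are assumptions a defender would extend locally.

```python
"""Offline redirect-chain triage for DocuSign-delivered phish (added example, not Cofense code).

Walks the hop chain from a trusted DocuSign envelope link through a URL shortener to
the final hosting domain, and reports how closely it matches the pattern described on
this page: trusted sender domain -> short link -> free-hosting credential page.
"""
from urllib.parse import urlparse

# Constructed hop table standing in for HTTP 30x responses (no network access is made).
# URLs are defanged exactly as on the page and are refanged before parsing.
CONSTRUCTED_HOPS = {
    "hXXps://na4[.]docusign[.]net/Member/EmailStart.aspx?a=ce1a2169-2104-4180-a572-db514bf408d9":
        "hXXps://smarturl[.]it/5d92o4",
    "hXXps://smarturl[.]it/5d92o4":
        "hXXps://charm-magnetic-porcupine[.]glitch[.]me/document.html",
}

TRUSTED_SENDER_DOMAINS = {"docusign.net", "docusign.com"}  # allowlisted by most SEGs
URL_SHORTENERS = {"smarturl.it", "bit.ly", "tinyurl.com"}   # assumed list; extend locally
FREE_HOSTING = {"glitch.me"}                                 # taken from the page's IoCs


def refang(url: str) -> str:
    """Turn the page's defanged notation (hXXps, [.]) back into a parseable URL."""
    return url.replace("hXXp", "http").replace("[.]", ".")


def registered_domain(url: str) -> str:
    """Reduce a hostname to its last two labels, e.g. na4.docusign.net -> docusign.net."""
    host = urlparse(refang(url)).hostname or ""
    return ".".join(host.split(".")[-2:])


def walk_chain(start: str, hops: dict, max_hops: int = 10) -> list:
    """Follow the hop table from `start`; the hop limit guards against redirect loops."""
    chain, url = [start], start
    while url in hops and len(chain) <= max_hops:
        url = hops[url]
        chain.append(url)
    return chain


def score_chain(chain: list) -> dict:
    """Flag each stage of the pattern; all three together is the page's DocuSign phish shape."""
    domains = [registered_domain(u) for u in chain]
    findings = {
        "starts_on_trusted_domain": domains[0] in TRUSTED_SENDER_DOMAINS,
        "passes_through_shortener": any(d in URL_SHORTENERS for d in domains[1:]),
        "lands_on_free_hosting": domains[-1] in FREE_HOSTING,
        "final_domain": domains[-1],
    }
    findings["matches_docusign_phish_pattern"] = all(
        findings[k] for k in ("starts_on_trusted_domain", "passes_through_shortener", "lands_on_free_hosting"))
    return findings
```

The useful signal for a gateway or SOAR playbook is the final domain and the shortener hop, not the docusign.net origin that the SEG already trusts.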

Since Cofense continues to see phishing emails using DocuSign as a means of delivery to recipient inboxes, these threats pose an obvious problem, and they have the potential to become even more complex. The use of a legitimate and popular service such as DocuSign makes it difficult for SEGs to block threats such as this one. Cofense provides end-to-end phishing defense and allows organizations to prepare staff to identify and quickly report a suspicious message for efficient mitigation. Reach out to us to learn more about what Cofense can do for you.

Indicators of Compromise

URL | IP
hXXps://na4[.]docusign[.]net/Member/EmailStart.aspx?a=ce1a2169-2104-4180-a572-db514bf408d9&acct=7b4f0067-0abe-4026-a0ce-d49b7d35fba2&er=9bec9768-52ba-441d-9d2e-a0e9846460a7 | 162.248.184.170
hXXps://smarturl[.]it/5d92o4 | 34.228.85.181
hXXps://charm-magnetic-porcupine[.]glitch[.]me/document.html | 52.200.40.111