DocuSign Phishing Advisory (2024-2025)
DocuSign Security Alert: Attackers Using Legitimate Accounts for Sophisticated Phishing (2024-2025)
We're seeing a concerning trend: scammers are now bypassing email security filters by purchasing legitimate DocuSign accounts rather than spoofing DocuSign emails. Here's what you need to know:
The New Attack
Threat actors send phishing emails directly through DocuSign's infrastructure (from @docusign.net domains), which makes them harder to detect and filter. The documents often contain embedded QR codes or links that lead to credential-harvesting sites.
Common Themes
- PayPal security alerts about crypto transactions
- HR documents (benefits, compensation updates)
- Purchase orders and invoices
- Windows/Microsoft 365 security updates
How to Spot These Attacks
The most reliable indicator is expectation - if you weren't anticipating a document, be suspicious. Look for:
- Emails containing only images
- Missing DocuSign security codes
- Generic greetings and content
- Outdated DocuSign branding (pre-April 2024)
- Urgent payment/security notifications
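Because these messages really do come from @docusign.net, a sender-domain check cannot separate them from genuine envelopes, so triage has to look at content. The sketch below is an added example, not DocuSign or Repacket code: it scores four of the indicators above on raw messages. The function name, the regular expressions and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumed patterns, not taken from the advisory; tune them against known-good mail.
SECURITY_CODE = re.compile(r"security code\W{1,3}[0-9A-Z]{16,}", re.I)
GENERIC_GREETING = re.compile(r"\b(dear|hello|hi)\s+(customer|user|client|recipient|sir)\b", re.I)
URGENT_THEME = re.compile(r"urgent|immediately|payment|security (alert|update)|invoice", re.I)

def triage(raw):
    """Return (sent_via_docusign, indicator_names) for one raw message."""
    msg = message_from_string(raw, policy=default)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    via_docusign = domain == "docusign.net" or domain.endswith(".docusign.net")
    text, has_image = msg.get("Subject", "") + "\n", False
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            has_image = True
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            has_image = has_image or "<img" in body.lower()
            text += re.sub(r"<[^>]+>", " ", body)  # crude tag strip, enough for triage
    body_words = re.findall(r"[A-Za-z]{2,}", text.split("\n", 1)[1])
    checks = [
        ("image_only", has_image and len(body_words) < 5),
        ("no_security_code", not SECURITY_CODE.search(text)),
        ("generic_greeting", bool(GENERIC_GREETING.search(text))),
        ("urgent_payment_or_security", bool(URGENT_THEME.search(text))),
    ]
    return via_docusign, [name for name, hit in checks if hit]

# Constructed sample messages (addresses, wording and the code value are made up).
SUSPICIOUS = """From: Accounts <dse@docusign.net>
Subject: Urgent: payment required
Content-Type: text/html

<html><body><img src="cid:page1"></body></html>
"""
EXPECTED = """From: Jane Roe via Docusign <dse@docusign.net>
Subject: Complete with Docusign: Lease renewal
Content-Type: text/plain

Jane Roe sent you a document to review and sign.
Alternate signing method: go to docusign.com and enter security code: 0123456789ABCDEF0123456789ABCDEF1
"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS), triage(EXPECTED))
```

Both samples report `sent_via_docusign` as true, so only the content indicators tell them apart; an empty indicator list is not proof that a message is safe, and an unexpected document still warrants verification.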
If You Click
Time is critical. Immediately:
1. Contact your bank if you shared payment details
2. Run antimalware scans if you downloaded anything
3. Change compromised passwords
4. Report to spam@docusign.com and the FTC
5. Document the incident
Protection Strategy
The safest approach is accessing DocuSign directly:
1. Never click email links for unexpected documents
2. Go to docusign.com and use document codes
3. Verify with senders through other channels
4. Report suspicious emails to IT security
Remember: legitimate DocuSign use is growing, but so are these sophisticated attacks. When in doubt, verify through separate channels - a quick call or message could save you from a costly breach.