A cropped image of the DocuSign headquarters in San Francisco. (Coolcaesar, CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0, via Wikimedia Commons)

Rather than spoofing DocuSign notifications, phishing scammers are now signing up for free accounts with the cloud-based documenting signature service and compromising the accounts of others as a way to trick email recipients into clicking on malicious links, researchers have reported.

According to a new Avanan blog post, this is a novel tactic, as the company is not aware of any previous phishing campaigns that have abused authentic and legitimate DocuSign accounts. In emailed commentary, researchers at Ironscales disagreed with Avanan's claim that the methodology is new, suggesting they "have seen many of these DocuSign attacks." However, they did assert that it has become "prevalent."

"Using legitimate accounts to deliver phishing is a very common practice and unfortunately, is usually highly effective for cybercriminals," Ironscales said in a statement. "Recently our researchers have seen attacks using Sharepoint, Google Dogs, Google forms, and other file download services, like DocuSign.

Last year, Barracuda Networks reported on attackers "using a similar approach with phishing attacks using legitimate file sharing sites to store documents that will include links to malicious or phishing sites and ultimately steal credentials," said Fleming Shi, Barracuda's CTO. "DocuSign is just another service that hackers are using to their advantage. Using legitimate sites this way, if the victim clicks through, the chances of losing the credential are very high, and it’s almost guaranteed that those compromised credentials will be used in a subsequent attack back on the organization."

As for the DocuSign campaign, Avanan reports that prospective victims of the scam receive an invitation to click a link in order to view a document in their browser and then sign it. DocuSign normally converts these documents into static .pdfs, thus preventing the user from mistakenly enabling a malicious macro.

However, these PDF files still have viable hypertext links that, if clicked, could deliver a malicious document or direct a user to a phishing page. Moreover, cybercriminals can hide the true nature of links and downloaded malicious files through sophisticated obfuscation techniques. This includes using steganography to spoof file extensions and make them look like file types that are accepted and supported by DocuSign as a way to get around security measures designed to prevent malicious attachments from being hosted on the service provider's servers.

"This is a particularly effective attack because the email itself would be clean. The phishing link itself is hosted on DocuSign’s servers," the company blog post states.

Avanan CEO Gil Friedrich told SC Media in an interview that his analysts first came across the campaign roughly 10 days ago. The only surprise is that nobody tried this sooner as an alternative to spoofing Avanan communications. Friedrich suggested that the reason why might be that the cybercriminals have been starting to run up against some tougher defenses that successfully weed out spoofing attempts — so much so, ironically, that users and email security platforms both might have a false sense of security when they do see a genuine DocuSign notification.

A particularly tricky aspect of abusing DocuSign, is that it subverts a key lesson learned during security awareness training — one that Ironscales even suggested: "Do not open any links or attachments that you receive in emails from unknown sources." The problem, said Friedrich is that DocuSign emails often contain NDAs or other contractual documents that might come from parties that you haven't previously corresponded with via email.

It's also not uncommon to include a link in these types of contracts, so the presence of another URL wouldn't likely raise suspicion on its own. But even if you did want to investigate further, "you're limited as a security tool to follow the link, because the link sits within DocuSign, in an account that is associated with the recipient," said Friedrich. "You cannot click the link and see that document from a security layer. So to do the full emulation of the link and figure out it's malicious... is also a problem.

Avanan says it has contacted DocuSign and informed them of the campaign, but Friedrich emphasized that this was not a case where the company was at fault.

"Sometimes platforms get hacked and you feel like there is some level of negligence from the provider side. I don't think this is the case," said Friedrich. "This is really the platform doing exactly what it's designed to do, but someone finding a sophisticated way to exploit it."

SC Media reached out to DocuSign through Avanan for comment.

Experts made several recommendations for how to avoid falling for this scam.

"If a colleague sent you a link or shared a file with you that you believe is suspicious, confirm with them by phone or in person that they really are the sender," said Ironscales in its emailed response. Also, "hover on the links with your mouse cursor to see the address it links to. If the link doesn’t look familiar, report the email to your security team." And "hover your mouse over the email sender’s name. If the address displayed does not match the real email address of the sender report the email to your security team."

Additionally, Avanan referenced scanning the file via API as a technology-based technique to catch this attack in progress.