"Malicious Email Campaign Uses Fake DocuSign Messages to Exfiltrate Login Credentials"
A new study from Armorblox researchers warns of a malicious email campaign aimed at stealing login credentials by tricking users into believing attacker-sent emails are from DocuSign. The initial detection of the attack, which targeted more than 10,000 end users across numerous companies, occurred earlier this month. Armorblox discovered and thwarted the attack on its clients, although the attack may have been far broader. "Please DocuSign: Approve Document 2023-01-11" was the subject of the emails sent during the attack in an attempt to build a feeling of urgency. In order to pressure the recipient to open the email, the attacker made it appear as though the document was new and required approval. The emails appeared to originate from DocuSign, as the sender name was altered to say "Docusign." However, neither the email address nor the domain was associated with the DocuSign company. In the email, the "view completed document" call-to-action button had a URL that led victims to a fake landing page spoofing a Proofpoint Storage application. The victims were then prompted to log in with their Proofpoint ID, which sends their credentials directly to the attacker. This article continues to discuss the malicious email campaign involving fake DocuSign messages and what organizations can do to better protect against email attacks.