
    The Growing Threat of Docusign Phishing Attacks

    Cado Security Labs have identified a recent DocuSign spearphishing email campaign targeting tech executives. DocuSign phishing is a type of email phishing in which malicious actors send fraudulent emails mimicking legitimate DocuSign communications to trick recipients, typically into entering their credentials on an illegitimate site. These emails often appear authentic, using DocuSign branding and layouts to pass as a legitimate DocuSign email. Typically, the email claims that a document is awaiting the recipient’s signature and includes a link to access it; the link instead redirects the user to a website designed to steal login credentials. Once stolen, those credentials are likely to be used in further attacks.

    Frequently, DocuSign phishing campaigns send their emails from legitimate, compromised email accounts in an effort to pass Domain-based Message Authentication, Reporting and Conformance (DMARC) checks. Throughout this campaign, and in previous DocuSign campaigns, previously compromised legitimate Japanese business email accounts were used to send the phishing emails. The use of Japanese accounts may be due to Japanese domains having a higher reputation, making them less likely to be flagged by spam filters than, for example, .ng or .ru domains.

    Technical Analysis

    The first email had the subject “BIYH-QPVSW-3617 is ready for your review” and was sent from an “@anabuki-enter.co.jp” address, with the body of the email including a “Review Document” button. The button directs to a link hosted on “app.getresponse.com”, a legitimate marketing service. This link was down at the time of analysis; however, it may have been used to track whether the user opened the email, or to redirect to another phishing site. Additionally, the user is prompted to visit Docusign.com and enter a security code to access the document.


    A separate email was sent with the subject “Please DocuSign this document: Share transfer & Subscription Agreement_062024.docx Copy.docx_PM5235627.pdf” from a “@jaog.or.jp” address. Interestingly, the body of the email includes a legitimate email thread between multiple companies, likely in an attempt to make the phishing email appear more legitimate. Also included in the body of the email is a link to a malicious website hosting a JavaScript file, “NdoGg8EElI”.

    “NdoGg8EElI” is an obfuscated JavaScript script consisting of a series of conditional statements whose payloads are base64 encoded.

    The script begins with an if statement checking whether “https://xx[.]yperbole9[.]com/BrfMyTrgSAvPiJtOFWxtG0clXO/” equals “nomatch”, which it obviously never does; this, along with the document.write() that follows it, is likely just junk code.

    Following the document.write blob is the same if statement, but using !== this time, so the condition is true and the subsequent code executes.

    The const “AraaqOIGqY” stores the current URL’s hostname.

    The const “aEKzPLUWtg” creates a new URL object from a base64-decoded string, which is the “https://xx[.]yperbole9[.]com/BrfMyTrgSAvPiJtOFWxtG0clXO/” domain.

    The const “zbwXTqjqwH” checks the URL hostname against “aEKzPLUWtg”; if it doesn’t match, it takes the TLD and SLD from the decoded URL.

    The next checks compare the hostname and pathname to determine whether the current page is the same as the base64-encoded URL (https://xx[.]yperbole9[.]com/BrfMyTrgSAvPiJtOFWxtG0clXO/); if they match, the next base64 block executes.

    That block contains HTML with a captcha check and a Gmail background image, in an effort to look like a legitimate Google Workspace login page. The user is then redirected to another phishing page hosted on “blegabouc[.]com”, which was down at the time of analysis but likely prompted the user to enter their credentials.

    The next block checks whether the hostname and pathname do not match the current page; if so, a base64-encoded 404 HTML page is rendered.

    Finally, “zbwXTqjqwH” is checked against “AraaqOIGqY” for inequality, i.e. whether the hostname and the decoded base64 URL differ. If so, the same base64-encoded 404 HTML page is rendered again.
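    When triaging a script built this way, an analyst’s first step is to pull out and decode every base64 literal and flag the hostname gate that decides whether a visitor gets the fake login page or the 404 decoy. The Python below is an added example, not code from this post or from Cado’s tooling; the sample script, the placeholder domain phish.example.invalid and the variable names it borrows from the write-up are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample mimicking the structure described above: base64 literals
# fed to atob(), a decoded URL compared against the visitor's hostname, and HTML
# written only when that gate passes. phish.example.invalid is a placeholder.
_TEMPLATE = """
const AraaqOIGqY = window.location.hostname;
const aEKzPLUWtg = new URL(atob("@URL@"));
if (AraaqOIGqY === aEKzPLUWtg.hostname) {
  document.write(atob("@LOGIN@"));
} else {
  document.write(atob("@DECOY@"));
}
"""

def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

SAMPLE_JS = (_TEMPLATE.replace("@URL@", _b64("https://phish.example.invalid/Abc/"))
             .replace("@LOGIN@", _b64("<html><body>fake captcha gate</body></html>"))
             .replace("@DECOY@", _b64("<h1>404 Not Found</h1>")))

# Base64 literals handed to atob(); short literals are skipped as noise.
_ATOB_LITERAL = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/=]{16,})["\']\s*\)')

def decode_blobs(js: str) -> list:
    blobs = []
    for match in _ATOB_LITERAL.finditer(js):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error: not valid base64, leave for manual review
            continue
        blobs.append(raw.decode("utf-8", errors="replace"))
    return blobs

def classify(js: str) -> dict:
    """Summarise decoded payloads and flag the hostname-gating (cloaking) pattern."""
    blobs = decode_blobs(js)
    urls = [b for b in blobs if b.startswith(("http://", "https://"))]
    html = [b for b in blobs if "<" in b and ">" in b]
    return {
        "decoded_urls": urls,
        "gate_hosts": [urlparse(u).hostname for u in urls],
        "html_blobs": html,
        # gated: the script consults location.hostname and has a decoded URL to compare it to
        "hostname_gated": "location.hostname" in js and bool(urls),
        "has_404_decoy": any("404" in h for h in html),
    }
```

    The gate_hosts value is the domain the kit expects to be served from, which is the indicator worth blocking and hunting for in proxy logs, while the decoded HTML shows what the victim would have seen.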

    The goal of these DocuSign campaigns is to steal credentials from businesses that can be used for further attacks, including BEC scams, or to sell on marketplaces. As reported by Abnormal Security, threat actors on marketplaces sell phishing templates for various services, including DocuSign and Office 365, for use in business-to-business (B2B) scams.

    Key Takeaways 

    DocuSign phishing attacks are an ongoing issue facing organizations, as they exploit the trusted nature of electronic signature platforms to deceive recipients into sending their credentials. These attacks often leverage familiar branding, compromised email accounts, and tactics like embedding fake email threads to appear legitimate.

    To protect against such phishing attempts, it is crucial to be cautious when receiving unsolicited DocuSign emails, especially when they ask for urgent action. Users should always:

    • Mark emails that don’t pass SPF, DKIM and/or DMARC as spam / suspicious.
    • Educate employees on how to spot phishing emails and actions to take when they identify one.
    • Verify the sender’s email address and don’t rely on the alias that’s used by mail clients.
    • Avoid clicking links or opening attachments on unsolicited emails.
    • Enable 2FA (2-Factor Authentication) on all accounts.
    • Verify whether the document is legitimate through your DocuSign account, by logging into DocuSign and accessing Documents or using the Access Code. DocuSign Verify can be used to validate the e-signature.
