DocuSign abused to launch devious phishing scams

Findings shared with DocuSign to help it protect users

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurityresearchers have discovered a new attack, in which malicious users spoofDocuSignmessages to send malicious documents andphishinglinks.

Previously, hackers have exploited the trust users associate with DocuSign to pass around fake phishing emails, to pilfer user credentials from all majoremail providers.

DocuSignis an electronic signature technology used by businesses and individuals to exchange contracts, tax documents and legal materials.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.

Click here to start the survey in a new window«

The threat actors behind this new wave of phishing attacks, discovered by email security vendor Avanan, are using this legitimate application to pass malicious links.

“E-signature providers such as DocuSign andAdobe Signtypically flatten uploaded document files and convert them into static .pdf files. This does help deter threats such as Macros from being embedded in the document. However, hyperlinks within a .pdf, .docx, etc., get carried on in the document and retain clickability to the end recipients after Signing execution,”explainsAvanan’s Jeremy Fuchs in a blog post.

Abusing trust

Abusing trust

Avanan explains that although DocuSign has implemented various security measures to prevent malicious documents from being hosted on its infrastructure, a trailblazing attacker could use mechanisms like steganography to override the checks and deliver “a weaponized piece ofmalwareorransomware.”

Furthermore, Avanan discovered that while embedding booby-trapped files does take some doing, malicious links can be added to any document without any effort or trick.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

In his writeup Fuchs argues that this is a particularly effective strategy since it hosts the phishing link on DocuSign’s servers, while keeping the email clean, which helps it get past any security checks imposed by the client clients.

Fuchs notes that Avanan has shared details about this attack vector with the DocuSign information security and threat intelligence team.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Google TV will require more RAM for future upgrades – which might leave older TVs and streaming boxes behind