Remote work has been a boon for a number of companies and DocuSign is no different.
The e-signature company has seen 61% year-over-year growth. As companies to work-from-home, this growth could continue unabated.
So, of course, hackers have noticed, and have begun to leverage the company's name to trick users.
The Attack: Avanan researchers discovered a new phishing email that looks like this:
(Note the ironic statement, "It is safe".)
If you click on "Review Invoice", it takes you to a page that looks like this:
The download button leads to a malicious file. If you notice in the URL bar, you'll see the "docs.google" signature. Take a look:
What the hackers are doing are utilizing a Google link to hide a malware download.
Though Avanan stopped this attack, it passed by Google's scanners.
Why it Matters: Avanan's researchers have seen a dramatic increase in similar attacks that use malicious Google Links. Over the past six weeks, we've seen a 220% increase in these attacks. A little under 2% of those attacks utilize DocuSign.
We've seen these sorts of attacks before. Hackers hide the malicious URL in a Google Doc. Google sees the URL as benign and does no filtering on the web link. It allows them to put malicious links into Google Drive files and host the file publicly. They sent the link via email—in this case hidden in a DocuSign spoof—and since the link starts with docs.google.com, it is trusted by every email filter. And even savvy users will see the google.com link and go ahead.
Hackers will always find creative ways to leverage loopholes in security systems. What you need is security that not only scans links in emails, folders and documents, but also uses hackers' tools against them as an indicator of attack, like Avanan does.