Check Point Email Security | Blog

New Attack Sends Phishing Via DocuSign

Written by Jeremy Fuchs | August 12, 2021

Avanan researchers have discovered a new attack, whereby hackers can use DocuSign to send malicious documents and phishing links

Previously, hackers have created spoofed DocuSign notifications, something we’ve written about here and here.

Now, the attack can start from DocuSign itself.

To accomplish this, a hacker can create their own, free Docusign account, or use a compromised DocuSign account.

After the hacker uploads a file, it’s easy to share with the victim’s email:

 

The recipient of a DocuSign envelope receives an email invitation to review and sign a document. By following the unique link provided by DocuSign, the recipient can then view and download the DocuSign file in their browser. 

DocuSign does have security measures to help mitigate malicious or weaponized attachments from being hosted on their servers. However, a sophisticated attacker could potentially use steganography within the hosted file or deliver a weaponized piece of malware or ransomware.

E-signature providers such as DocuSign and Adobe Sign typically flatten uploaded document files and convert them into static .pdf files. This does help deter threats such as Macros from being embedded in the document. However, hyperlinks within a .pdf, .docx, etc., get carried on in the document and retain clickability to the end recipients after Signing execution. On the finished page, the Signer (end-user) has the option to download the file. Any links and/or embedded files would then be accessible and potentially put that user at risk.

For DocuSign in particular, these are the supported file types that could be used to carry a link, and/or if a sophisticated steganography attack spoofed one of these file extensions then a malware payload could definitely become disguised and delivered.

We tested this out ourselves, sending a “clean” phishing link via DocuSign.

The email came, as expected:

The process to sign the doc is as usual.

 

Click on the potential link, and you are taken here:

We tested this out with a number of different tests, with these mock phishing sites.

 

 

This is a particularly effective attack because the email itself would be clean. The phishing link itself is hosted on DocuSign’s servers. The only way to catch this attack is with full suite protection. When a user downloads the file to OneDrive, Google Drive, or Dropbox, Avanan scans the file via API and picks up on weaponized payloads and malicious links that are potentially contained with DocuSign envelopes.

Avanan notified DocuSign information security and threat intelligence of this attack method.