A DocuSign brand impersonation attack has been observed bypassing native cloud and inline email security solutions and targeting over 10,000 end users across multiple organizations.
The findings come from security researchers at Armorblox, who described the new threat in an advisory shared with Infosecurity via email.
“At first glance, the email seems to be a legitimate communication from DocuSign, with the sender name being manipulated by the attacker, reading Docusign,” reads the technical write-up.
“However, the email address and domain show us no association to the company – hard to see on mobile devices where end users frequently open email communications from.”
Armorblox further explained that the attack spoofed a common workflow notification from a legitimate instance of DocuSign: normally, an email is sent to the signee after a document has been completed. The spoofed email was meant to instill a similar sense of trust in victims.
“Attackers used a valid domain to send this malicious email. Upon further analysis from the Armorblox Research Team, the sender domain […], which failed DKIM Alignment checks, received a trustworthy reputation score for this established domain.”
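The two signals the write-up describes, a brand display name on an unrelated sender domain and a failed DKIM alignment check, can be tested directly on message headers. The sketch below is an added example, not Armorblox's detection logic; the brand domain list, the `.example` hostnames and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the brand legitimately sends from (illustrative allow-list).
BRAND_DOMAINS = {"docusign": {"docusign.com", "docusign.net"}}

def org_domain(domain):
    # Naive organizational domain (last two labels); production code should use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(msg, from_domain):
    """True if a passing DKIM signature's d= domain matches the From domain (relaxed alignment)."""
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", header, re.I | re.S):
            if org_domain(m.group(1)) == org_domain(from_domain):
                return True
    return False

def check_impersonation(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        # The display name is what mobile clients show; the address is often hidden.
        if brand in display.lower() and org_domain(from_domain) not in domains:
            findings.append(f"display name claims {brand} but From domain is {from_domain}")
    if not dkim_aligned(msg, from_domain):
        findings.append("no passing DKIM signature aligned with From domain")
    return findings

# Constructed sample: brand display name, unrelated domain, DKIM passes only for a third party.
SPOOFED = (
    "From: Docusign <notify@sender.example>\n"
    "Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=sender.example;"
    " dkim=pass header.d=mailer.example; dmarc=fail header.from=sender.example\n"
    "Subject: constructed sample\n\nbody\n"
)
# Constructed sample: same display name, sent from an allow-listed, DKIM-aligned domain.
LEGIT = (
    "From: DocuSign <dse@docusign.net>\n"
    "Authentication-Results: mx.victim.example; dkim=pass header.d=docusign.net; dmarc=pass\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    print(check_impersonation(SPOOFED))
    print(check_impersonation(LEGIT))
```

Neither check relies on the sender domain's reputation score, which the advisory says was rated trustworthy.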