
DocuSign – Signature Requested: Phishing Email Scams

I investigated three separate cases where employees at a financial firm clicked on fake “DocuSign – Signature Requested” emails, resulting in compromised corporate accounts and data breaches. These increasingly common phishing campaigns impersonate DocuSign’s legitimate electronic signature service, creating urgent messages that trick recipients into clicking malicious links. Instead of reaching DocuSign’s platform, victims land on convincing fake login pages designed to steal email credentials. Once attackers capture these credentials, they use them for identity theft, financial fraud, business email compromise, and to launch additional attacks. The campaigns have proven remarkably effective because they exploit our familiarity with DocuSign’s widespread use in business environments. This analysis examines real examples of these scams, provides specific identification techniques to spot them, and outlines concrete protective measures organizations and individuals should implement immediately.

It was an ordinary Tuesday when Sarah, a finance manager at a mid-sized firm, received an email that appeared to be from DocuSign. The subject line read “Action Required: Complete with DocuSign,” and the email included a document reference number that seemed related to an ongoing contract negotiation. She clicked the blue “Review & Sign” button without a second thought—a routine action she’d performed countless times before. But this time, instead of reaching the familiar DocuSign interface, she found herself on what looked like a Microsoft login page. After entering her credentials, nothing happened. She tried again, still nothing. By the time she realized something was wrong, attackers had already captured her corporate email password.

Key Facts

  • Threat Type: Phishing, Credential Theft
  • Target: Email credentials with access to sensitive accounts and data
  • Primary Claim: Recipients must sign an urgent document
  • Impersonated Service: DocuSign electronic signature platform
  • Distribution: Mass email campaigns with targeted refinements
  • Subject Lines: “DocuSign: Document Awaiting Your Signature,” “Action Required: Complete with DocuSign”
  • Impact: Account compromise, data theft, financial fraud, business email compromise

Inside DocuSign Phishing Operations

The DocuSign phishing campaign operates with remarkable efficiency and precision. After analyzing dozens of these attacks over the past year, I’ve observed how these operations have refined their approach to maximize success rates. Unlike crude phishing attempts of the past, these campaigns are meticulously crafted to defeat both technical and human safeguards.

DocuSign provides legitimate electronic signature services used by millions of businesses worldwide, making it the perfect cover for phishing attacks. Most office workers regularly receive genuine DocuSign emails, so they’ve been conditioned to trust and act on these messages without the scrutiny they might apply to communications from unfamiliar sources.

What makes these attacks particularly effective is their timeliness. In many cases, phishing emails arrive when recipients are actually expecting DocuSign documents, creating perfect conditions for credential theft. This is no coincidence. Attackers monitor LinkedIn, company press releases, and other public sources to identify organizations likely to be exchanging contracts or other signed documents.

Threat Type: Phishing, Credential Theft
Primary Claim: A document requires immediate signature
Impersonated Brand: DocuSign
Common Subject Lines: “DocuSign: Document Awaiting Your Signature,” “Action Required: Complete with DocuSign,” “You have a document to sign”
Primary Targets: Business professionals, particularly in finance, legal, HR, and procurement
Distribution Methods: Mass email campaigns, targeted spear-phishing
Potential Damage: Account compromise, data theft, financial fraud, business email compromise, lateral movement through organizations

The Phishing Kill Chain: How DocuSign Attacks Unfold

After conducting forensic analysis on multiple incidents, I’ve mapped out the typical attack sequence. Understanding this process helps identify intervention points where the attack chain can be broken.

DocuSign Phishing Attack Flow (diagram)

  1. Victim receives fake DocuSign email
  2. Email creates false urgency to sign a document
  3. Victim clicks “Review & Sign” button in email
  4. Redirected to fake email login page
  5. Victim enters email login credentials
  6. Credentials captured by attackers
  7. Email account accessed for malicious purposes
  8. Additional attacks on contacts & linked accounts

Prevention: Verify emails, check sender addresses, avoid clicking suspicious links, use security software
If Compromised: Change passwords, enable 2FA, check account activity, report incident, scan for malware

Source: Microsoft Security, showing typical phishing attack flow

Case Study: When HR Gets Phished

In March 2025, an HR coordinator at a manufacturing company received an email purportedly from DocuSign containing an employment contract for signature. The timing was perfect—they were in the middle of their hiring season. After clicking the “Review Document” button, they encountered what appeared to be a Microsoft login page. Upon entering their credentials, they were briefly redirected to an error page before being sent to the actual DocuSign website.

Behind the scenes, attackers immediately used the stolen credentials to set up mail forwarding rules that intercepted all messages containing terms like “payment,” “invoice,” and “wire transfer.” Two weeks later, when the finance department sent payment instructions for a $43,500 vendor invoice, the attackers intercepted this email and sent altered payment instructions with their own bank account details. The company lost the entire amount.

This case highlights how DocuSign phishing can lead directly to financial fraud, often with significant delays between the initial compromise and the eventual theft—making it harder to connect the two events.

Anatomy of the Attack Process

  1. Initial Contact: Victim receives an email mimicking DocuSign’s visual style, complete with accurate logo, colors, and formatting
  2. Psychological Manipulation: The email creates urgency by suggesting the document is time-sensitive; phrases like “requires immediate attention” and “will expire soon” are common
  3. Click Bait: A prominent “Review & Sign” button or link serves as the attack vector
  4. Credential Harvesting: Upon clicking, victims are directed to a convincing but fraudulent Microsoft, Google, or general email login page
  5. Data Theft: Entered credentials are immediately captured and transmitted to attackers
  6. Account Compromise: Attackers use stolen credentials to access the victim’s email account, often within minutes of the theft
  7. Persistence Mechanisms: Mail forwarding rules and filters are created to hide evidence of compromise and intercept valuable communications
  8. Secondary Attacks: The compromised account is used for business email compromise, data theft, and launching attacks against contacts

Real DocuSign Phishing Email Example

From: DocuSign <no-reply@docu-sign-mail.com>
Subject: Action Required: Complete with DocuSign
 
DOCUSIGN
 
Signature Requested
 
Hello Amanda,
 
A document has been sent to you for signature on behalf of Acme Financial Partners.
 
Please review and sign this document by April 25, 2025 to ensure prompt processing.
 
Document: Annual Policy Renewal - Reference #FP-2025-11457
Sender: Michael Chen, Account Manager
 
To view and sign your document, click the button below:
 
Review & Sign
 
Note: This signature request will expire in 3 days.
 
DocuSign, Inc. | 221 Main Street, Suite 1550, San Francisco, CA 94105
 
This message contains a secure link to DocuSign. Please do not share this email, link, or access code with others.

The example above shows many hallmarks of DocuSign phishing emails: a sense of urgency, legitimate-looking sender information, specific document references, and professional formatting. However, the sender domain “docu-sign-mail.com” is fraudulent—real DocuSign emails come from docusign.com or docusign.net domains.

How to Spot DocuSign Phishing: Technical Evidence

When investigating potential DocuSign phishing emails, these technical indicators provide definitive evidence of fraud:

  • Sender Domain
    What to look for: Email addresses using lookalike domains
    Examples from real attacks: docusign-notification@docu-sign.com, noreply@docusign-mail.net, service@secure-docusign.com
  • Email Headers
    What to look for: Mismatched “From” and “Return-Path” fields
    Example from real attacks: From: DocuSign <notification@docusign.com> paired with Return-Path: <admin@mailserv92.ru>
  • Link Destinations
    What to look for: URLs that don’t lead to legitimate DocuSign domains
    Examples from real attacks: hxxps://docusign-secure.signin-redirect[.]com/auth, hxxps://login.microsoftonline.securedoc[.]biz, hxxps://45.199.76[.]113/docusign/login
  • Landing Pages
    What to look for: Focus on email login rather than document signing
    Example from real attacks: Sites requesting Microsoft 365, Gmail, or generic email credentials instead of DocuSign authentication
  • Document Claims
    What to look for: Vague or suspicious document references
    Example from real attacks: Generic terms like “Important Document” or “Contract” without specific details or with unrealistic reference numbers
  • HTML Elements
    What to look for: Deceptive code in email structure
    Example from real attacks: Hyperlinked text displaying “docusign.com” but linking to malicious URLs

Email Forensics: Looking Under the Hood

During a recent incident response, I examined the HTML code of a DocuSign phishing email. The attackers had created a convincing forgery that displayed “https://app.docusign.com” when hovering over the “Review Document” button, but the actual link destination was a phishing site. They accomplished this using HTML code like this:

<a href="https://malicious-site.com/docusign/login.php"
   title="https://app.docusign.com/review?document=67593211">
   Review Document
</a>

This technique exploits the fact that most email clients display the “title” attribute when hovering over links, not the actual “href” destination. By checking both elements, you can unmask this deception.
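As an added example (not part of the original article), the following Python script applies the indicator checks from the table above and the title/href trick just described to a raw message: it compares the From domain against docusign.com/docusign.net, flags a From/Return-Path mismatch, and reports every link whose destination host is not a DocuSign domain, noting when its title or visible text claims to be one. The message it parses is a constructed sample modelled on the email and HTML snippet shown in this article.

```python
# Added example (not the article's code): triage a suspected DocuSign phishing email.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains legitimate DocuSign mail uses, per the article; subdomains pass, lookalikes do not.
LEGIT_DOMAINS = ("docusign.com", "docusign.net")


def is_legit_domain(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, title, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._cur = [a.get("href") or "", a.get("title") or "", ""]

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[2] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None


def triage(raw: str) -> list:
    """Return human-readable indicators found in a raw RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw)
    findings = []
    from_dom, rp_dom = (parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
                        for h in ("From", "Return-Path"))
    if not is_legit_domain(from_dom):
        findings.append(f"sender domain is not DocuSign: {from_dom}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From/Return-Path mismatch: {from_dom} vs {rp_dom}")
    parts = msg.walk() if msg.is_multipart() else [msg]
    html = "".join(p.get_payload() for p in parts if p.get_content_type() == "text/html")
    collector = LinkCollector()
    collector.feed(html)
    for href, title, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if is_legit_domain(host):
            continue
        shown = " ".join(s for s in (title, text) if s)
        claim = "claims DocuSign but " if "docusign" in shown.lower() else ""
        findings.append(f"link '{shown}' {claim}resolves to {host}")
    return findings


# Constructed sample modelled on the email and HTML snippet shown in this article.
SAMPLE = """\
From: DocuSign <no-reply@docu-sign-mail.com>
Return-Path: <admin@mailserv92.ru>
Subject: Action Required: Complete with DocuSign
Content-Type: text/html; charset=utf-8

<p>Hello Amanda,</p><a href="https://malicious-site.com/docusign/login.php"
title="https://app.docusign.com/review?document=67593211">Review Document</a>
"""
```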

Five Steps to Protect Against DocuSign Phishing

After investigating dozens of DocuSign phishing incidents, I’ve identified the most effective defensive measures for both individuals and organizations.

1. Verify Before You Click

  • Go to DocuSign directly: Instead of clicking email links, log in to DocuSign through your bookmarked link or the official app to check for pending documents
  • Inspect sender addresses carefully: Legitimate DocuSign emails come exclusively from domains ending in @docusign.com or @docusign.net
  • Verify with the purported sender: If you’re not expecting a document, contact the sender through a separate channel to confirm they actually sent it
  • Check for personalization: Real DocuSign emails include the sender’s name, company, and specific document information
  • Examine link destinations: Hover over (but don’t click) links to see if they point to official DocuSign domains

2. Deploy Technical Safeguards

Technical controls form your first line of defense against phishing attempts:

  • Email security gateways: Deploy solutions that analyze links, attachments, and sender reputation
  • Multi-factor authentication (MFA): Implement MFA on email accounts to prevent unauthorized access even if credentials are stolen
  • Anti-malware protection: Use security software with phishing detection capabilities to block malicious websites
  • Email authentication: Implement DMARC, SPF, and DKIM to help identify spoofed emails

For complete protection against email-based threats, including sophisticated phishing attempts, security solutions like Trojan Killer can provide an additional layer of defense:

Trojan Killer interface with phishing protection features

3. Train Employees on Email Safety

Security Practice Implementation Guide
Link Verification
  • Always hover over links before clicking
  • Verify the actual domain in the link matches the expected destination
  • Be suspicious of URL shorteners or redirects in important emails
Context Checking
  • Question unexpected document requests
  • Verify document details match ongoing projects or known contracts
  • Be skeptical of urgent requests that bypass normal procedures
Authentication Best Practices
  • Never enter email credentials on sites reached via email links
  • Use password managers to help identify legitimate login pages
  • Enable login notifications for important accounts
Phishing Response Protocols
  • Create a clear reporting process for suspicious emails
  • Document and share examples of recent phishing attempts
  • Reward rather than punish employees who report potential phishing

4. Establish Clear Security Policies

Organizations should implement these policy measures to minimize DocuSign phishing risks:

  • Document signing procedures: Create a documented process for how electronic signatures are handled in your organization
  • Out-of-band verification: Require verification through a different channel (like a phone call) for high-value or sensitive documents
  • DocuSign account controls: Properly configure your organization’s DocuSign account with security settings and user access controls
  • Email filtering rules: Configure strict filtering for DocuSign-related emails that don’t originate from legitimate DocuSign domains

5. Prepare for Incidents

Despite best efforts, breaches can still occur. Preparation is key to minimizing damage:

  • Incident response plan: Develop procedures specifically for credential theft incidents
  • Account recovery procedures: Document steps for secure account recovery and password resets
  • Forensic readiness: Maintain appropriate logging to aid in investigating potential compromises
  • Communication templates: Prepare notifications for affected parties in case of a breach

What to Do If You’ve Been Phished

If you suspect you’ve fallen victim to a DocuSign phishing scam, time is critical. Follow these steps immediately:

  1. Change your password: Immediately change the password for the compromised account and any others that share the same or similar passwords
  2. Enable MFA: Add multi-factor authentication to prevent unauthorized access even if your password is known
  3. Check for account changes: Review mail forwarding rules, filters, and account recovery information for unauthorized modifications
  4. Scan your device: Run a comprehensive security scan to detect any malware that might have been installed
  5. Review account activity: Look for unusual login locations, times, or other suspicious behavior
  6. Report the incident: Notify your IT department or security team, and report the phishing attempt to abuse@docusign.com
  7. Monitor financial accounts: Watch for unauthorized transactions that might result from stolen information

Run a System Security Check

Even if credentials were the primary target, some phishing sites also attempt to deliver malware. A thorough security scan can identify hidden threats:

  1. Download and install a reliable security solution like Trojan Killer
  2. Perform a full system scan, paying special attention to recently downloaded files
  3. Remove any detected threats following the security software’s recommendations
  4. Consider enabling real-time protection to catch future threats before they can execute

DocuSign phishing is part of a broader ecosystem of business-oriented email scams. Our threat intelligence shows that the same attackers often rotate through various impersonation tactics. If you’re seeing DocuSign phishing in your organization, be on high alert for these related scams:

Common Questions About DocuSign Phishing

How can I verify if a DocuSign email is legitimate?

The safest approach is to bypass the email entirely. Instead of clicking links, log in directly to your DocuSign account through the official website or app to check for pending documents. If you don’t have a DocuSign account, contact the purported sender through a verified channel (like a phone number you know is correct, not one provided in the suspicious email). Never enter email credentials on a page you reached by clicking an email link. Legitimate DocuSign emails will always come from domains ending in docusign.com or docusign.net and will include specific information about both the sender and the document.

What information do attackers typically steal in DocuSign phishing scams?

The primary target is email credentials, which provide attackers with access to your inbox and the ability to send emails that appear to come from you. With email access, attackers can: read confidential communications, reset passwords for other services linked to your email, search for financial information or personal data, manipulate ongoing conversations to redirect payments or information, and use your account to phish your contacts. Some more advanced attacks may also install credential-stealing malware or remote access tools that can capture additional passwords and data.

I clicked a link in a suspicious DocuSign email. What should I do now?

If you clicked a link but didn’t enter any credentials, your immediate risk is lower, but your device might still be compromised if the site attempted to deliver malware. Run a thorough security scan immediately. If you entered credentials, assume they’ve been compromised and take immediate action: change your password right away, enable multi-factor authentication, check for suspicious account activity like forwarding rules or filters, scan your system for malware, and monitor for signs of unauthorized access or fraud. Report the incident to your IT department if it involved a work account.

Can security software protect against DocuSign phishing attacks?

Good security software provides an important layer of protection, but it’s not infallible. Modern security solutions can identify many phishing sites and block connections to known malicious domains. They can also detect unusual patterns in web pages that request credentials. However, new phishing sites may not be detected immediately, and sophisticated attacks can sometimes evade technical controls. The most effective approach combines security software with human vigilance—particularly when dealing with sensitive actions like entering credentials or approving financial transactions. Think of security software as your first line of defense, not your only one.

How can I report a DocuSign phishing attempt?

Report suspicious emails claiming to be from DocuSign to abuse@docusign.com. Forward the complete email with headers if possible. Additionally, report the incident to your organization’s IT security team if it targeted your work email. You can also report phishing attempts to broader authorities: submit the phishing URL to Google’s Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/, report to the Anti-Phishing Working Group at reportphishing@apwg.org, or file a report with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov for cases involving financial loss.

Staying One Step Ahead of DocuSign Scammers

DocuSign phishing continues to evolve as attackers refine their techniques and adapt to defenses. The campaign’s success stems from its ability to create familiar, expected contexts that lower our natural suspicion. By targeting a widely-used business service and crafting time-sensitive scenarios, these attacks effectively bypass both technical filters and human intuition.

The most effective defense combines technical controls, clear organizational policies, ongoing education, and healthy skepticism. Remember that legitimate companies like DocuSign will never ask you to provide your email password through their service. When in doubt, access DocuSign directly rather than through email links.

In the cases I’ve investigated, the difference between a successful attack and a thwarted attempt often came down to simple verification steps: checking sender domains, confirming unexpected requests, or logging in directly to DocuSign rather than following email links. These small actions can prevent the significant disruption and financial losses that follow credential theft.

For organizations dealing with sensitive documents, implementing proper technical controls and user education isn’t optional—it’s essential protection against what has become one of the most effective phishing techniques in the modern threat landscape.

Daniel Zimmermann

Daniel Zimmermann writes as a guest for Trojan Killer Net. With over 10 years in the security field, he’s a pro who loves diving into cybersecurity and fighting malware. His knack for writing helps him break down complex topics to keep readers in the know and safe.
