DocuSign phishing campaign targets lower-ranking employees


Phishing actors are following a new trend of targeting non-executive employees who still have access to valuable areas within an organization.

As Avanan researchers reported, half of all phishing emails they scanned in the past few months impersonated non-executives, and 77% of them targeted employees of the same level.

Previously, phishing actors impersonated CEOs and CFOs in targeted attacks designed to trick company employees.

This made sense: instructions and urgent requests that appear to come from a high-ranking employee are more likely to be complied with by the recipient.

However, as CEOs became more vigilant and larger enterprise security teams added more protections around these “critical” accounts, phishing actors turned to lower-ranking employees, who can still serve as convenient entry points into corporate networks.

“Security administrators can spend a lot of time paying close attention to the C-Suite, and hackers have adapted. At the same time, non-executives still retain sensitive information and have access to financial data. Go up the whole food chain.” - Avanan

An example of this practice is given below, where an employee with access to internal financial systems receives an urgent request to update the direct deposit information on file for the spoofed sender.

[Image: phishing email targeting a non-executive with access to internal financial systems. Source: Avanan]

Phishing for passwords with DocuSign

As Avanan details in its report, a typical trick deployed in these campaigns is the involvement of DocuSign, an otherwise legitimate cloud-based document signing platform.

The actors present DocuSign as an alternative signing method in the emails they send, and require recipients to enter their credentials to view and sign the document.

[Image: fake DocuSign phishing email. Source: Avanan]

Although these emails are designed to look like legitimate DocuSign messages, they are not sent from the platform. Real DocuSign emails never prompt users for a password; instead, an authentication code is emailed to the recipient.

In the rush of daily work, it is likely that some employees will be tricked by this message and treat it as a real DocuSign request, entering their email credentials and handing them over to the phishers.

When an email arrives in your inbox, it is crucial to take the time to evaluate it for any signs of deception. Unsolicited attachments, misspellings, and requests to enter your credentials should be treated as big red flags.
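The red flags described above can be turned into a simple triage check. The following is an added example for mail-security teams, not code from Avanan or the article; it assumes the DocuSign sending and link domains listed in `DOCUSIGN_DOMAINS`, which should be replaced with whatever your organisation has verified, and the sample message is constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (not from the article): domains DocuSign itself sends from and links to.
# Replace with the sender/link domains your organisation has verified.
DOCUSIGN_DOMAINS = {"docusign.com", "docusign.net"}
CREDENTIAL_WORDS = re.compile(r"\b(password|log ?in|sign in|credentials)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def _docusign_host(host):
    return host in DOCUSIGN_DOMAINS or host.endswith(tuple("." + d for d in DOCUSIGN_DOMAINS))


def assess_docusign_email(raw):
    """Return the red flags found in a raw RFC 822 message, using the article's heuristics:
    DocuSign branding from a non-DocuSign sender, a password prompt (real DocuSign mails
    send an emailed code instead), links to other hosts, and unsolicited attachments."""
    msg = message_from_string(raw)
    body = "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html"))
    flags = []
    if "docusign" not in (msg.get("Subject", "") + body).lower():
        return flags  # not DocuSign-themed; this checker does not apply
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not _docusign_host(sender):
        flags.append(f"DocuSign branding but sent from '{sender or 'unknown'}'")
    if CREDENTIAL_WORDS.search(body):
        flags.append("asks the recipient to enter a password or log in")
    for host in {h.lower() for h in URL_HOST.findall(body)}:
        if not _docusign_host(host):
            flags.append(f"link to non-DocuSign host '{host}'")
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        flags.append("unsolicited attachment")
    return flags


# Constructed sample resembling the campaign described above (not a real message).
PHISH_SAMPLE = """\
From: "DocuSign" <notify@example-mail.test>
To: payroll@corp.example
Subject: Document ready for signature via DocuSign
Content-Type: text/plain

Your document is ready. Enter your email password to view and sign:
https://login.example-phish.test/docusign/view
"""
```

Running `assess_docusign_email(PHISH_SAMPLE)` returns three flags (non-DocuSign sender, password prompt, non-DocuSign link); a message that is not DocuSign-themed returns none.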

DocuSign-themed phishing attacks are not new and have been used by many malicious actors to steal login credentials and distribute malware. In August 2019, a campaign using DocuSign landing pages took it a step further by trying to get people to enter their full credentials for a wide selection of email providers.
