Phishing emails typically try to ensnare their victims by impersonating well-known companies, brands, products, and other items used by a lot of people. If the emails can reference a topic of interest or concern to the recipients, so much the better. DocuSign is a secure electronic signature tool used by many organizations to ease and expedite the process of getting signatures on important business documents. The coronavirus quarantine has forced more people to work remotely, so a service like DocuSign is likely in much higher demand than usual.
A new phishing campaign analyzed by Abnormal Security shows how cybercriminals are exploiting DocuSign, the coronavirus, and the transition to remote working to try to capture account credentials. In a
blog post published on Friday, Abnormal Security explained how this campaign works.
The phishing email itself tries to look legitimate by copying the content and images of real emails from DocuSign. The attacker taps into the current anxiety over the coronavirus by referring to the sender and subject of the message as "CU #COVID19 Electronic Documents." The button in the message simply says: "Review Documents" with indications that these documents are for member agreements, health applications, and health pay authorizations.
The URL for the phishing site is hidden in the body text of the email through a
SendGrid link. With the URL concealed, the recipient of the message must click on the actual button to find out where the link goes. The email actually contains several embedded links, some of which lead to authentic DocuSign web pages to give it greater legitimacy. [....]
