Cybersecurity briefing: beware the “Poisoned DocuSign” scam

What is a Poisoned DocuSign Attack?

A “Poisoned DocuSign” attack is a phishing technique in which attackers abuse the DocuSign e-signature service to trick individuals into handing over their login credentials.

Unlike typical phishing attempts, this scam is sophisticated and highly convincing. Attackers send emails from legitimate DocuSign addresses, making it even harder to spot.

How Does It Work?

  1. You receive an authentic-looking email from a legitimate DocuSign email address, prompting you to review and sign a document. For instance, it could be a fake document purporting to be from your employer, asking if you want additional free annual leave.
  2. Clicking the link takes you to a convincing webpage where you’re asked to complete an “Are you a robot?” verification (Captcha).
  3. After verification, a fake (but often convincing-looking) Microsoft login page appears, asking for your username and password.
  4. Once you enter your credentials, the site requests a multi-factor authentication (MFA) token.
  5. When you approve that MFA prompt, the fake site captures both your login credentials and the resulting authentication token, giving attackers full access to your account.

How to Avoid Being Tricked

  • Pause and Verify: Even if an email looks authentic, pause before clicking. Legitimate DocuSign emails rarely prompt you for Microsoft login details.
  • Inspect URLs Closely: Hover your mouse pointer over any links (without clicking) to see the actual URL destination. Fake login pages often have subtle differences from genuine sites.
  • Be Cautious with Captchas: Genuine DocuSign requests don’t typically include a Captcha verification before accessing documents.
  • Avoid Immediate Action: Scammers often pressure you to act quickly. Always take a moment to verify independently.
  • Double-Check MFA Requests: Be extra cautious if prompted for MFA authentication unexpectedly, especially after logging into an unfamiliar site.
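The “Inspect URLs Closely” advice above can be automated for a mail gateway or a help-desk triage script. The following is an added example written for this briefing, not DocuSign’s code or a DocuSign-provided tool: it pulls every link out of an HTML e-mail body, flags links whose host is not one of the domains from which genuine signing links are expected, and flags the classic hover mismatch where the visible text names one site but the link goes to another. The allowlist of DocuSign domains and the sample e-mail are assumptions constructed for illustration (the suspicious host uses the reserved `.invalid` top-level domain so it can never resolve).

```python
"""Flag suspicious links in an e-signature notification e-mail.

Added example for this briefing; not DocuSign's code. The allowlist is an
assumption: adjust it to the domains your tenant actually receives links from.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# ASSUMPTION: domains from which genuine DocuSign signing links are expected.
EXPECTED_LINK_DOMAINS = ("docusign.com", "docusign.net")

# Constructed sample e-mail body: one genuine-looking link, one look-alike
# link whose visible text disagrees with its real destination, one mailto.
SAMPLE_EMAIL = """
<p>You have a document to review and sign.</p>
<a href="https://app.docusign.com/documents/constructed-id">Review Document</a>
<p>If the button does not work, use this link:</p>
<a href="https://docusign.com.example-verify.invalid/sign">https://docusign.com/sign</a>
<p>Questions? <a href="mailto:helpdesk@example.invalid">contact the helpdesk</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_matches(host, domains):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_links(html_body, expected_domains=EXPECTED_LINK_DOMAINS):
    """Return a list of (href, reason) findings for links that merit a second look."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and similar are out of scope for this check
        host = parts.hostname or ""
        if not _host_matches(host, expected_domains):
            findings.append((href, f"link goes to unexpected host {host}"))
        # Visible text that looks like a URL but names a different host is the
        # mismatch a user would only notice by hovering over the link.
        shown = urlsplit(text).hostname if "://" in text else None
        if shown and shown.lower() != host.lower():
            findings.append((href, f"visible text names {shown} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {reason}\n  {href}")
```

The subdomain match is deliberate: a genuine link on `na1.docusign.net` passes, while `docusign.com.example-verify.invalid` fails because the allowed domain is only a prefix of the host, not its suffix. A real deployment would pair this with the other checks in the list, since an attacker can just as easily host the lure on a domain that says nothing about DocuSign at all.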

What to Do if You’re Unsure

  • Talk to your manager in the first instance.
  • Never enter credentials or authentication tokens if you’re uncertain about the legitimacy of the request.
  • Report any suspicious activity promptly to protect yourself and your organisation.