TLDR
DocuSign phishing is no longer limited to fake emails that imitate the DocuSign brand. Attackers now compromise real DocuSign accounts and use the platform's own API to send malicious envelopes that arrive from legitimate DocuSign infrastructure. These emails pass SPF, DKIM, and DMARC because they genuinely originate from DocuSign's mail servers, so sender authentication alone cannot separate them from legitimate signing requests. ScamVerify™ tracks 74,032 malicious domains through URLhaus and 60,758 ThreatFox indicators of compromise to help identify the links and payloads hidden inside these seemingly legitimate envelopes.
Why DocuSign Is a Prime Phishing Target
DocuSign processes over 1.5 million documents daily across industries including real estate, finance, healthcare, and legal. The platform's ubiquity creates a built-in trust signal. When someone receives a DocuSign envelope, they expect to open it and sign. Scammers exploit that expectation.
| Factor | Why It Helps Attackers |
|---|---|
| Volume | 1.5M+ envelopes daily means recipients are conditioned to act |
| Trust | DocuSign is a legitimate platform, so emails feel safe |
| Urgency | Signing requests inherently carry deadlines |
| Cross-industry | Targets range from individuals buying homes to CFOs approving contracts |
| API access | Compromised accounts can send envelopes programmatically at scale |
The shift from impersonating DocuSign to actually using DocuSign is what makes the current wave of attacks so dangerous. Any filter that decides on sender authentication or sender reputation alone will pass these emails, because on those criteria they are indistinguishable from the genuine envelopes DocuSign sends every day. Only inspection of the links and the document content can tell them apart.
How the Attack Works
Step 1: Account Compromise
Attackers gain access to a legitimate DocuSign account through credential stuffing, phishing the account holder, or purchasing compromised credentials on dark web marketplaces. An account protected by nothing but a password falls to any of these, which is why accounts without two-factor authentication are the ones that end up abused.
Step 2: API-Driven Envelope Creation
Once inside, attackers use DocuSign's eSignature REST API to create and send envelopes programmatically. Sending an envelope is a single authenticated POST to the account's envelopes endpoint (/restapi/v2.1/accounts/{accountId}/envelopes) carrying the document, the recipient list and a status of "sent", so a script can loop over a purchased mailing list as easily as a legitimate integration loops over customers. The API gives full control over the document content, recipient list, and signing workflow. A single compromised account can send hundreds of envelopes before the account holder notices; the envelopes do appear in the account's Sent folder, which is often how the owner eventually discovers the abuse.
Step 3: Malicious Document Delivery
The envelope contains a document that looks like a legitimate contract, invoice, or agreement. However, the document includes:
- Malicious links disguised as "Review Document" or "Complete Signing" buttons
- Credential harvesting forms embedded within the signing workflow
- Redirect URLs that send signers to phishing sites after the "signing" completes
- Malware download triggers activated when the recipient opens an attached file
Step 4: Payload Execution
Because the email arrived from DocuSign's real servers, the recipient has no reason to question it. They click through the signing process, and whatever the attacker planted takes effect: a credential-harvesting page captures a login, an attached file drops malware, or a "signed" payment authorization redirects a wire transfer.
What Makes These Emails Different from Regular Phishing
| Characteristic | Fake DocuSign Email | Real Account Abuse |
|---|---|---|
| Sender domain | Lookalike (docusign-verify.com) | DocuSign's own sending domain (docusign.net) |
| SPF/DKIM/DMARC | Fails authentication checks | Passes all three |
| Email client warnings | Often flagged as suspicious | No warnings displayed |
| Spam filter behavior | Frequently blocked | Delivered to inbox |
| Visual accuracy | Close imitation | Pixel-perfect (it is real DocuSign UI) |
This is the core problem. Every email security tool that relies on sender authentication will mark these emails as legitimate, because the delivery is legitimate. The malicious content is inside the document and its links, not in the email delivery mechanism.
Red Flags to Watch For
Even when a DocuSign email is technically authentic, the content can reveal fraud:
- Unexpected envelopes. You did not initiate or expect a signing request from this sender.
- Sender mismatch. A genuine notification names the account that sent the envelope ("Jane Smith via DocuSign" in the From line, with her email address in the message). If the envelope claims to come from your bank but the sending account's address is a personal webmail address or belongs to an unrelated company, the name is a costume.
- Generic document names. Legitimate envelopes reference specific agreements ("Smith Residence Purchase Agreement"). Malicious ones use vague names ("Document for Review," "Important Contract").
- Links that leave DocuSign. Real DocuSign signing happens within DocuSign's platform, on docusign.com or docusign.net (for example app.docusign.com or na2.docusign.net). If the document or the email asks you to click a link to any other website, treat it as suspicious, however closely the name resembles DocuSign.
- Requests for information DocuSign does not need. DocuSign itself never asks for your password, Social Security number, or bank routing number as part of a signing workflow. A genuine document such as a tax form may contain such fields, but it comes from a counterparty you expected and never asks you to confirm a login; a "verification" step demanding credentials or account numbers is the scam.
- Unusual urgency language. "Sign within 2 hours or this offer expires" is a pressure tactic, not standard business practice.
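The checks above can be automated. The following Python script is an added example written for this article, not ScamVerify's scanner and not DocuSign code: it takes a raw notification email that has already passed SPF, DKIM and DMARC and looks only at the content, which is where the signal is when a real account is being abused. The two sample messages are constructed and only approximate the layout of a DocuSign notification; the domain allowlist (docusign.com and docusign.net), the urgency and sensitive-data phrase lists, the generic-subject list, and the sender-name-versus-domain heuristic are the example's own assumptions, not DocuSign rules.

```python
"""Added example (not ScamVerify's scanner or DocuSign code): content triage for a
DocuSign notification that already passes SPF, DKIM and DMARC.  Samples are constructed."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: genuine signing links live on docusign.com / docusign.net or a subdomain.
DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
SENDER_RE = re.compile(r"\(([\w.+-]+@[\w.-]+\.\w+)\)")   # "Jane Smith (jane@example.com) has sent..."
GENERIC_SUBJECT_RE = re.compile(r"\b(document for review|important (?:contract|document)|review document)\b", re.I)
URGENCY_RE = re.compile(r"\b(within \d+ (?:hours?|minutes?)|expires? (?:today|in \d+)|immediately|final notice)\b", re.I)
SENSITIVE_RE = re.compile(r"\b(password|social security|routing number|account number)\b", re.I)
STOPWORDS = {"team", "bank", "group", "mortgage", "department", "office", "services"}

def is_docusign_domain(host) -> bool:
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in DOCUSIGN_DOMAINS)

def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from the Authentication-Results header the receiving MTA added."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts

def body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def claimed_org(msg) -> str:
    """Display name with ' via DocuSign' removed, e.g. 'Acme Bank Mortgage Team'."""
    display = re.sub(r"<[^>]*>", "", msg.get("From", "")).strip().strip('"')
    return re.sub(r"\s+via\s+DocuSign$", "", display, flags=re.I).strip()

def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    text = body_text(msg)
    auth = auth_results(msg)
    flags = {}
    # Links that leave DocuSign.
    external = sorted({u for u in URL_RE.findall(text) if not is_docusign_domain(urlparse(u).hostname)})
    if external:
        flags["external_link"] = external
    # Sender mismatch: does any word of the claimed organisation appear in the sending account's domain?
    org, sender = claimed_org(msg), SENDER_RE.search(text)
    if org and sender:
        domain = sender.group(1).split("@")[1].lower()
        tokens = [t.lower() for t in re.findall(r"[A-Za-z]{4,}", org) if t.lower() not in STOPWORDS]
        if tokens and not any(t in domain for t in tokens):
            flags["sender_mismatch"] = f"{org} sent from {sender.group(1)}"
    if GENERIC_SUBJECT_RE.search(msg.get("Subject", "")):
        flags["generic_document_name"] = msg.get("Subject")
    if SENSITIVE_RE.search(text):
        flags["sensitive_request"] = sorted({m.lower() for m in SENSITIVE_RE.findall(text)})
    urgency = URGENCY_RE.search(text)
    if urgency:
        flags["urgency"] = urgency.group(0)
    return {"authenticated": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
            "flags": flags, "verdict": "suspicious" if flags else "no content red flags"}

AUTH = ("Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=docusign.net; "
        "dkim=pass header.d=docusign.net; dmarc=pass header.from=docusign.net")
# Constructed notification from a compromised account dressed up as a bank.
MALICIOUS = f"""From: "Acme Bank Mortgage Team via DocuSign" <dse@docusign.net>
To: buyer@example.com
Subject: Please DocuSign: Document for Review
{AUTH}
Content-Type: text/plain; charset=utf-8

Acme Bank Mortgage Team (k.ivanov@webmail.example) has sent you a document to review and sign.
REVIEW DOCUMENT: https://na2.docusign.net/Signing/EmailStart.aspx?a=constructed
Confirm your identity at https://secure-docusign-verify.example/login with your password and routing number.
Sign within 2 hours or this offer expires.
"""
# Constructed notification that looks the way an expected envelope does.
LEGIT = f"""From: "Jane Smith via DocuSign" <dse@docusign.net>
To: buyer@example.com
Subject: Please DocuSign: Smith Residence Purchase Agreement
{AUTH}
Content-Type: text/plain; charset=utf-8

Jane Smith (jane@smith-realty.example) has sent you a document to review and sign.
REVIEW DOCUMENT: https://na2.docusign.net/Signing/EmailStart.aspx?a=constructed
"""

if __name__ == "__main__":
    for name, raw in (("malicious", MALICIOUS), ("legit", LEGIT)):
        print(name, triage(raw))
```

Both samples authenticate cleanly; only the content separates them. The sender-mismatch heuristic is deliberately loose: it asks whether some word of the claimed organisation appears in the sending account's domain, so "Jane Smith" sent from smith-realty.example passes while "Acme Bank Mortgage Team" sent from a webmail domain does not. Treat the output as a triage signal that prioritises manual verification, not as a verdict.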
How ScamVerify Helps Detect DocuSign Phishing
Forward any suspicious DocuSign email to scan@scamverify.ai for analysis. ScamVerify examines multiple layers that go beyond sender authentication:
| Analysis Layer | What It Checks | Data Source |
|---|---|---|
| Link analysis | Every URL in the email and document | 74,032 URLhaus malicious domains |
| Threat indicators | Known malicious IPs, hashes, patterns | 60,758 ThreatFox IOCs |
| Impersonation patterns | Sender claims vs. actual identity | 684,045 FTC impersonation complaints |
| Content analysis | Urgency signals, data requests, pressure tactics | AI pattern recognition |
| Domain reputation | Age, registration data, complaint history | Multi-source intelligence |
You can also paste the email content directly at the ScamVerify email checker if you prefer not to forward. For the most thorough analysis, forwarding preserves the full headers and embedded links.
Protecting Yourself from DocuSign Phishing
For Individuals
- Verify independently. If you receive an unexpected DocuSign envelope, contact the supposed sender through a separate channel. Do not use any contact information in the email.
- Check the envelope details on DocuSign directly. Log into your DocuSign account at docusign.com (type it yourself, do not click a link) and check whether the envelope appears in your inbox there. Every genuine notification also carries a security code for the alternate signing method: open docusign.com, choose Access Documents, and enter the code, which opens the envelope without clicking anything in the email.
- Never enter credentials outside DocuSign. If a "DocuSign" link redirects you to a different website asking for a login, close it immediately.
- Forward suspicious DocuSign emails to scan@scamverify.ai for automated threat analysis.
For Organizations
- Enforce two-factor authentication on all DocuSign accounts.
- Monitor API usage. Unusual volume, a user who suddenly sends through the API after only ever using the web application, or off-hours activity from an account all point to compromise.
- Train employees to verify unexpected envelopes independently, regardless of how legitimate the email looks.
- Implement sending restrictions. Limit which users can send envelopes via the API (and who can create integration keys) and set volume caps.
- Review account access logs regularly. DocuSign provides admin tools to audit account activity.
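As an added example of what monitoring API usage looks like in practice (this script is written for this article; it is not a DocuSign feature or ScamVerify code), the block below replays envelope-sent events of the kind an admin audit or usage export provides and flags an account whose behaviour changes: a web-only user who starts sending through the API, a burst of envelopes in a short window, and sending during quiet hours. The event format, the events themselves and the "channel" field are constructed for the example; a real export needs its own parser. The thresholds (ten envelopes in ten minutes, quiet hours 22:00 to 06:00 UTC) are assumptions to tune against your own baseline.

```python
"""Added example (not DocuSign tooling): flag a DocuSign sending account whose
behaviour changes, using envelope-sent events.  Event format is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp UTC, sending user, channel, recipient).
# "channel" is an assumption for this example; derive it from whatever your
# audit export records (for instance the integration that created the envelope).
BASELINE = [
    ("2024-03-11T09:12:04Z", "alice@example.com", "web", "buyer1@example.org"),
    ("2024-03-11T14:40:10Z", "alice@example.com", "web", "buyer2@example.org"),
    ("2024-03-11T10:05:00Z", "bob@example.com",   "web", "client1@example.org"),
    ("2024-03-11T16:20:33Z", "bob@example.com",   "web", "client2@example.org"),
]
# Constructed compromise: bob's account sends twelve API envelopes to twelve
# strangers between 02:30 and 02:41 UTC, one per minute.
BURST = [(f"2024-03-12T02:{30 + i:02d}:00Z", "bob@example.com", "api",
          f"target{i:02d}@victim.example") for i in range(12)]
EVENTS = BASELINE + BURST

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def peak_in_window(times, window: timedelta) -> int:
    """Largest number of sends inside any sliding window (times must be sorted)."""
    peak, j = 0, 0
    for i, start in enumerate(times):
        if j < i:
            j = i
        while j < len(times) and times[j] - start <= window:
            j += 1
        peak = max(peak, j - i)
    return peak

def detect(events, since: str, window=timedelta(minutes=10), burst=10, quiet=(22, 6)) -> dict:
    """Events before `since` form each user's baseline; events from `since` on are examined.
    Returns {user: [reasons]} for every user who trips at least one rule."""
    cutoff = parse_ts(since)
    by_user = defaultdict(list)
    for ts, user, channel, rcpt in events:
        by_user[user].append((parse_ts(ts), channel, rcpt))
    findings = {}
    for user, rows in by_user.items():
        rows.sort()
        before = [r for r in rows if r[0] < cutoff]
        after = [r for r in rows if r[0] >= cutoff]
        reasons = []
        # Rule 1: a sending channel the user never used during the baseline (web-only user now on the API).
        old_channels = {c for _, c, _ in before}
        new_channels = {c for _, c, _ in after} - old_channels
        if before and new_channels:
            reasons.append(f"new sending channel {sorted(new_channels)}; baseline used {sorted(old_channels)}")
        # Rule 2: volume burst inside a sliding window.
        times = [t for t, _, _ in after]
        peak = peak_in_window(times, window)
        if peak >= burst:
            reasons.append(f"{peak} envelopes within {int(window.total_seconds() // 60)} minutes")
        # Rule 3: sends during quiet hours (the range wraps past midnight).
        off_hours = [t for t in times if t.hour >= quiet[0] or t.hour < quiet[1]]
        if off_hours:
            reasons.append(f"{len(off_hours)} envelopes sent between {quiet[0]:02d}:00 and {quiet[1]:02d}:00 UTC")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in detect(EVENTS, "2024-03-12T00:00:00Z").items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Run over the constructed data, alice trips nothing and bob trips all three rules. The quiet-hours rule fires on a single late envelope, which is noisy for a global team; raise its count threshold or express quiet hours in each user's local time zone before relying on it for alerting, and treat any hit on rule 1 as the strongest signal, since a user's first-ever API send is exactly what a scripted attacker produces.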
The Broader Trend: Legitimate Platform Abuse
DocuSign is not the only platform being weaponized. Attackers exploit any trusted service that sends automated emails: Dropbox sharing notifications, Google Drive invitations, Microsoft Teams messages, and Slack Connect requests. The pattern is the same: compromise a real account, use the platform's own infrastructure to deliver malicious content, and rely on the platform's reputation to bypass security filters.
ScamVerify's database of 8 million+ threat records across FTC complaints, FCC reports, URLhaus domains, and ThreatFox indicators captures these cross-platform attack patterns. When a malicious domain appears in a DocuSign envelope today, it may have already been flagged through a different attack vector in our threat feeds.
FAQ
Can a real DocuSign email still be a scam?
Yes. When attackers compromise a legitimate DocuSign account and send envelopes through DocuSign's own servers, the email is technically real. It passes all authentication checks and arrives in your inbox without warnings. The scam is in the document content, not the email delivery. Always verify unexpected signing requests through a separate communication channel.
How do I tell the difference between a real DocuSign request and a phishing attempt?
Check whether you expected the envelope. Contact the sender directly using a phone number or email you already have (not one from the email). Log into DocuSign directly at docusign.com to see if the envelope appears in your account. If the document asks you to click external links, enter passwords, or provide financial information, it is almost certainly malicious.
Should I report suspicious DocuSign emails to DocuSign?
Yes. DocuSign accepts reports of phishing and account abuse at spam@docusign.com. Reporting helps DocuSign disable compromised accounts faster and protect other users. You should also forward the email to scan@scamverify.ai for independent analysis and to reportphishing@apwg.org for industry-wide tracking.
My company uses DocuSign heavily. How do we protect our employees?
Enforce two-factor authentication on all accounts, monitor API usage for anomalies, train employees to verify unexpected envelopes independently, and implement sending volume limits. Consider using ScamVerify's email checker as part of your verification workflow for any envelope that arrives unexpectedly.
Received a suspicious DocuSign email? Forward it to scan@scamverify.ai or check it at the ScamVerify email checker for instant AI-powered analysis backed by 8 million+ threat records.