The play, end to end

Subject line: "John Carter sent you a document via DocuSign" or "Please DocuSign: Q2 Vendor Agreement.pdf". The body carries the familiar yellow DocuSign masthead, a "REVIEW DOCUMENT" button, and a "Powered by DocuSign" footer. Modern kits embed a small PDF thumbnail (often a real contract first page from a leaked archive) so the email feels legitimate before any click.

The click does not open a document. It opens a credential-harvest page styled like Microsoft 365 or Google Workspace sign-in. The login URL sits on a lookalike domain (docusign-secure.com), a free cloud bucket (storage.googleapis.com/docusign-document/, web.app, pages.dev, r2.dev), or an HTML smuggling page inside a SharePoint share. The user types corporate email and password, and on AiTM kits completes the live MFA prompt the attacker is relaying. The session cookie lands in the attacker's tool. The "document" either errors or redirects to a benign PDF so the user shrugs. Inside ten minutes the attacker is in Outlook, sweeping for wires and setting auto-forward rules on keywords like "invoice", "wire", "payment".

The 6 variants in active rotation

1. The fake contract "from your boss"

Display name reads exactly like the user's manager. Body says "Please review and sign before EOD - urgent." BEC pivot variant: attacker has already profiled the org chart on LinkedIn. Click-through is consistently highest because employees defer to executives.

2. The HR onboarding form

"Please complete your updated direct deposit authorization in DocuSign by Friday." Harvests M365 credentials and sometimes bank routing numbers as a bonus. Surges every January and July alongside real HR cycles.

3. The vendor invoice for "approval"

"Acme Corp has sent you an invoice for review and signature." Aimed at accounts payable. Captured M365 credentials are then used to clone the next real invoice the AP clerk receives with a swapped bank account number. See how clone phishing builds on a stolen mailbox.

4. The legal NDA

"Confidential - please sign before our call tomorrow." Sender claims to be from a law firm or business-development team. The implied confidentiality discourages forwarding to IT - which is itself the objective.

5. The IRS / HMRC / tax form

"IRS W-9 form for verification" or "HMRC: please sign your updated tax declaration." Surges in tax season. CISA has issued repeated BEC public service announcements on this tax-impersonation pattern.

6. The real DocuSign envelope from a compromised sender

The most dangerous variant. The attacker compromises a legitimate DocuSign account belonging to a real vendor or partner (often via an earlier phish in the chain) and sends an actual DocuSign envelope from that real account. DocuSign's own DKIM and SPF pass. The link goes to docusign.net. The signature flow is genuine. The catch is in the document: a link to an external "supporting document" on the attacker's lookalike domain, or a contract with a swapped bank-account line item. Microsoft Threat Intelligence flagged this exact pattern in 2024 BEC reporting on pivots through legitimate SaaS.

Why it works inside a business

  • DocuSign is real and widely used. Over a million business customers. The notification email is something the user genuinely receives most weeks.
  • Employees are trained to click DocuSign links. Contracts, NDAs, vendor agreements, HR forms, tax docs. Clicking is the job, not a behavior to avoid.
  • The redirect to "M365 sign-in" feels normal. Many corporate DocuSign integrations use single sign-on through Microsoft 365 or Google Workspace. The fake page exploits that expectation.
  • The compromised-sender variant defeats authentication. A real envelope from a real (compromised) account passes DKIM, DMARC, and sender reputation natively. Authentication confirms the domain, not the honesty of the human at the keyboard.

Recent enterprise impact

  • Proofpoint State of the Phish 2024. DocuSign-themed phishing ranked as the #2 most-clicked-on enterprise lure after Microsoft, with click rates in tested simulations consistently above generic finance and HR themes. Proofpoint attributed the gap to the "expected click" dynamic - DocuSign clicks are part of the job.
  • Mandiant M-Trends 2024. DocuSign-themed envelope phishing flagged as a recurring initial-access pattern in BEC investigations, frequently chained to AiTM session-cookie theft and downstream mailbox-takeover.
  • Microsoft Threat Intelligence 2024 BEC and AiTM reporting. Documented thousands of AiTM phishing infrastructure clusters using e-signature lures (DocuSign, Adobe Sign, HelloSign) as the wrapper for the credential-harvest page.
  • CISA BEC public service announcements. Repeatedly listed DocuSign-themed lures alongside Microsoft and Google sign-in pages as top credential-harvest themes in small and mid-market BEC complaints.

The 7 red flags

  1. Sender domain is not docusign.net. Real envelope notifications come from dse@docusign.net and regional variants (dse_NA1@docusign.net, dse_EU1@docusign.net). Anything from docusign-secure.com, docu-sign.com, docusign.help, or a personal Gmail or Outlook account is fake.
  2. Unexpected document from someone you were not waiting for. Real envelopes are almost always preceded by context - a meeting, call, Slack thread, or known deal. An out-of-the-blue contract with no prior conversation is the single strongest signal.
  3. Urgency framing. "Expires in 24 hours", "sign by EOD". Legitimate business workflows rarely insert artificial countdowns into the email body. Urgency is the social-engineering lever.
  4. Login page shown AFTER clicking "Review document". Real DocuSign opens the document immediately for most recipients without a login. If "Review document" routes you to a Microsoft 365 or Google Workspace sign-in before the doc loads, the flow has been intercepted.
  5. URL bar shows a lookalike or cloud-bucket host. After the click, the URL bar should show docusign.net or app.docusign.com. If it shows storage.googleapis.com/docusign-document/, docusign-secure.com, r2.dev, pages.dev, or any non-DocuSign domain, close the tab.
  6. Email signs off "DocuSign" not "Powered by DocuSign". Real notifications include the "Powered by DocuSign" footer, contact-support block, and standard legal disclaimer. A bare "DocuSign Team" without the footer is a fake.
  7. Generic document name. "Contract.pdf" or "Agreement.pdf" with no project, supplier, or contract number is a fake. Real corporate contracts carry context in the filename.
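The red flags above (sender domain, link host, urgency framing, missing footer) can be checked mechanically on a raw message before a human ever sees it. The following is an added example, not code from the original page or from DocuSign, that runs those checks with only the Python standard library. The two sample emails are constructed for the demonstration; the legitimate-host list (docusign.net, docusign.com and their subdomains) and the free-cloud-host list are taken from the text above, and the example generalizes the page's single-domain checks to any subdomain of those hosts.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts the article names as genuine DocuSign notification/app hosts
# (assumption: the apex domains plus any subdomain of them).
LEGIT_DOCUSIGN_SUFFIXES = ("docusign.net", "docusign.com")

# Free hosting providers the article lists as common lure hosts.
CLOUD_BUCKET_SUFFIXES = ("storage.googleapis.com", "web.app", "pages.dev", "r2.dev")

# Urgency phrases quoted in the article ("Expires in 24 hours", "sign by EOD").
URGENCY_PATTERNS = (r"\bexpires? in \d+ hours?\b", r"\bby eod\b", r"\burgent\b")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def sender_domain(from_header):
    """Domain part of the address inside 'Name <user@domain>'."""
    _, addr = parseaddr(str(from_header or ""))
    return addr.rpartition("@")[2].lower()


def triage_docusign_email(raw_bytes):
    """Return a list of red-flag strings for a raw RFC 5322 message; [] means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    flags = []

    # Red flag 1: notification must come from a DocuSign domain.
    from_domain = sender_domain(msg["From"])
    if not host_matches(from_domain, LEGIT_DOCUSIGN_SUFFIXES):
        flags.append(f"sender domain is not docusign.net: {from_domain}")

    # Red flag 5: every link host must be DocuSign; classify anything else.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host_matches(host, LEGIT_DOCUSIGN_SUFFIXES):
            continue
        if host_matches(host, CLOUD_BUCKET_SUFFIXES):
            flags.append(f"link on free cloud host: {host}")
        elif "docusign" in host.replace("-", ""):
            flags.append(f"lookalike DocuSign host: {host}")
        else:
            flags.append(f"link to non-DocuSign host: {host}")

    # Red flag 3: artificial countdown in subject or body (one flag is enough).
    haystack = f"{msg['Subject'] or ''} {text}"
    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, haystack, re.IGNORECASE):
            flags.append(f"urgency framing matched: {pattern}")
            break

    # Red flag 6: real notifications carry the "Powered by DocuSign" footer.
    if "Powered by DocuSign" not in text:
        flags.append("missing 'Powered by DocuSign' footer")

    return flags


# Constructed sample messages (not real captures); recipient domains are placeholders.
PHISH_SAMPLE = b"""From: John Carter <john.carter@docusign-secure.com>
To: ap@example.invalid
Subject: Please DocuSign: Q2 Vendor Agreement.pdf
Content-Type: text/html; charset=utf-8

<html><body>
<p>John Carter sent you a document. Expires in 24 hours.</p>
<a href="https://storage.googleapis.com/docusign-document/review.html">REVIEW DOCUMENT</a>
<p>DocuSign Team</p>
</body></html>
"""

LEGIT_SAMPLE = b"""From: DocuSign <dse_NA1@docusign.net>
To: ap@example.invalid
Subject: Please DocuSign: Acme-2024-0417 Master Services Agreement
Content-Type: text/html; charset=utf-8

<html><body>
<a href="https://app.docusign.com/envelope-placeholder">REVIEW DOCUMENT</a>
<p>Powered by DocuSign</p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage_docusign_email(sample))
```

The function is deliberately an allowlist check: any link host that is not under docusign.net or docusign.com is reported, with the free-cloud and lookalike cases called out separately so an analyst sees which variant from the list above they are looking at. Red flag 6 (the compromised-sender envelope) is not detectable this way, which is exactly why the separate-channel confirmation below still matters.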

How to verify a real signature request in 60 seconds

  1. Do not click the email button. Open a fresh browser tab.
  2. Type docusign.com directly and sign in. Real envelopes addressed to you appear in your DocuSign inbox under "Action Required". If the envelope is not there, the email is fake. This single check defeats every variant except #6.
  3. Contact the sender on a separate channel. Slack DM, Teams message, phone call, or text using a contact identifier you had on file before this email arrived. A 10-second "Did you send me a DocuSign?" defeats the whole chain.
  4. Report it. Forward to spam@docusign.com (general reports) or security@docusign.com (active campaigns), and to your IT security inbox or the Outlook "Report Phishing" button.

If you entered M365 or Google Workspace credentials

Speed matters. AiTM kits sweep the captured session cookie within seconds and file forward rules within minutes. The next 30 minutes decide whether this becomes a footnote or a full incident.

  1. Change your password immediately. M365 at account.microsoft.com/security, Google Workspace at myaccount.google.com/security.
  2. Enable hardware-key or passkey MFA. Phone-prompt and SMS MFA do not defeat AiTM phish. Hardware keys (YubiKey, Titan) and passkeys are AiTM-resistant because the challenge is bound to the real domain.
  3. Force sign-out of all sessions. M365: portal.office.com → My Account → Sign me out everywhere. Google: myaccount.google.com → Security → Your devices → Sign out. This invalidates the stolen cookie.
  4. Review recent login activity. portal.office.com → My Account → Recent activity, or myaccount.google.com → Security → Recent security activity. Flag unfamiliar IPs, countries, or sign-in apps.
  5. Revoke OAuth grants. Attackers often install an OAuth app for persistence after password change. M365 admin portal → Enterprise applications → User consented apps. Google: Security → Connections to third-party apps. Revoke anything you did not install.
  6. Audit Outlook and Gmail mail rules. The most common BEC follow-on is an auto-forward rule on keywords (invoice, wire, payment, iban). Outlook: Settings → Mail → Rules. Gmail: Settings → Filters. Anything you did not create gets removed.
  7. Check Power Automate and Apps Script. Sophisticated attackers chain to flows or script triggers that survive password change. M365: make.powerautomate.com → My flows. Google: script.google.com → My projects.
  8. Alert IT security and, if wire data was exposed, finance. The blast radius covers every supplier, customer, and colleague the user has emailed. Most cyber-insurance policies require notification within 24-72 hours; late filing voids coverage.
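Step 6 (auditing mail rules) is the one an IT team usually has to repeat across many mailboxes, so it is worth scripting. The following is an added example, not code from the original page or from Microsoft, that audits a list of inbox rules shaped like Microsoft Graph's messageRule objects (displayName, conditions, actions). The rules themselves are constructed for the demonstration and the internal domain is a placeholder. It flags the pattern described above (forwarding keyed on invoice/wire/payment/iban) and, going slightly beyond the text, two companion heuristics: forwarded mail being deleted or marked read so the victim never sees it, and a near-empty rule name.

```python
# Keywords the article names as the usual BEC auto-forward triggers.
BEC_KEYWORDS = ("invoice", "wire", "payment", "iban")

# Graph messageRule action keys that send mail elsewhere.
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

# Graph messageRule condition keys that match on text.
KEYWORD_CONDITIONS = ("subjectContains", "bodyOrSubjectContains", "bodyContains")


def forward_targets(actions):
    """Yield every lower-cased address a rule forwards or redirects to."""
    for key in FORWARD_ACTIONS:
        for recipient in actions.get(key) or []:
            yield recipient.get("emailAddress", {}).get("address", "").lower()


def audit_inbox_rules(rules, internal_domain):
    """Return [(rule name, [reasons])] for enabled rules that look like BEC persistence."""
    internal_domain = internal_domain.lower()
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue  # disabled rules cannot leak mail; still worth a manual look
        name = rule.get("displayName", "")
        actions = rule.get("actions") or {}
        conditions = rule.get("conditions") or {}
        reasons = []

        # 1. Mail leaving the organisation is the core BEC follow-on.
        external = [a for a in forward_targets(actions)
                    if not a.endswith("@" + internal_domain)]
        if external:
            reasons.append(f"forwards mail outside {internal_domain}: {', '.join(external)}")

        # 2. Trigger terms match the finance vocabulary attackers sweep for.
        hits = [term for key in KEYWORD_CONDITIONS
                for term in (conditions.get(key) or [])
                if term.lower() in BEC_KEYWORDS]
        if hits:
            reasons.append(f"triggers on BEC keywords: {', '.join(hits)}")

        # 3. Added heuristic: forwarded mail is hidden from the mailbox owner.
        if (actions.get("delete") or actions.get("markAsRead")) and any(forward_targets(actions)):
            reasons.append("hides forwarded mail (delete/markAsRead)")

        # 4. Added heuristic: attacker-created rules are often named "." or similar.
        if len(name.strip()) <= 2:
            reasons.append("near-empty rule name")

        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample export (not a real mailbox); domains are placeholders.
SAMPLE_RULES = [
    {   # benign filing rule a user would create themselves
        "displayName": "File newsletters",
        "isEnabled": True,
        "conditions": {"senderContains": ["newsletter"]},
        "actions": {"moveToFolder": "Newsletters", "stopProcessingRules": True},
    },
    {   # the pattern from step 6: external forward on finance keywords, hidden
        "displayName": ".",
        "isEnabled": True,
        "conditions": {"bodyOrSubjectContains": ["invoice", "wire", "payment"]},
        "actions": {
            "forwardTo": [{"emailAddress": {"address": "collector@attacker-mail.invalid"}}],
            "markAsRead": True,
            "delete": True,
        },
    },
    {   # internal redirect for out-of-office cover: stays inside the domain
        "displayName": "Cover for OOO",
        "isEnabled": True,
        "conditions": {},
        "actions": {"redirectTo": [{"emailAddress": {"address": "deputy@example.invalid"}}]},
    },
]

if __name__ == "__main__":
    for rule_name, reasons in audit_inbox_rules(SAMPLE_RULES, "example.invalid"):
        print(repr(rule_name), "->", "; ".join(reasons))
```

Feed it the rule list returned for each mailbox and review every finding with the mailbox owner; the internal redirect in the sample is intentionally not reported, because an allowlist on the organisation's own domain is what keeps the audit from drowning in legitimate coverage rules.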

Why authentication does not save you

  • Lookalike domains authenticate. docusign-secure.com sets up its own valid SPF, DKIM, DMARC. The gateway confirms the domain - it just is not DocuSign.
  • Compromised-sender variants pass natively. A real envelope from a real compromised account passes everything because it genuinely is DocuSign infrastructure.
  • AiTM defeats phone-prompt and SMS MFA. The attacker proxies the live prompt; the user approves on their real phone; the cookie is captured. Only hardware-key and passkey MFA defeat this. See how AiTM bypasses 2FA.
  • Cloud-bucket hosts ride on trusted brands. storage.googleapis.com, web.app, pages.dev, and r2.dev are legitimate Google, Cloudflare, and Firebase hosts. Gateway reputation tools rarely block them.

Where browser-layer defense fits

The gateway often cannot block the email - the sender authenticates and the lure reads clean. Browser-layer scanning catches the next step. When a fake DocuSign click lands on a credential-harvest page styled as Microsoft 365 or Google Workspace on a non-Microsoft, non-Google, non-DocuSign domain, a brand-aware scanner flags the impersonation before any form loads. SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before render against a 550+ brand database (Microsoft, Google, DocuSign included) and checks page content for credential-harvest signals. SafeBrowz Business adds CSV-exportable threat reports so IT teams see org-wide DocuSign-themed impersonation attempts across every employee browser. Install SafeBrowz free and pair it with the verification workflow above.

Frequently asked questions

What domain do real DocuSign envelope notifications come from?

Real envelopes originate from dse@docusign.net and regional variants like dse_NA1@docusign.net or dse_EU1@docusign.net. Anything from docusign-secure.com, docu-sign.com, docusign.help, or a generic Gmail or Outlook mailbox is fake.

I clicked the link but did not enter my password. Am I safe?

Probably yes, but verify. Close the tab, run an endpoint scan on managed devices, check recent sign-in activity for anything unfamiliar, and enable hardware-key or passkey MFA if not already. Phone-prompt MFA is no longer sufficient against AiTM phish.

The envelope came from a real coworker's DocuSign account. Is it still phishing?

Possibly. The compromised-sender variant uses a real account whose credentials were phished earlier. The envelope passes every technical check. The signal is in the document content - generic filename, no project context, or wire instructions routing to an unfamiliar account. Confirm with the sender on a separate channel before signing.

How do I report a DocuSign phishing email?

Forward the full email with headers to spam@docusign.com or security@docusign.com for active campaigns. DocuSign's trust team files takedowns with registrars and updates fraud monitoring. Also forward to your internal IT security inbox.

Does enabling MFA stop DocuSign phishing?

Phone-prompt and SMS MFA do not stop AiTM phish - the attacker proxies the prompt and captures the session cookie. Hardware keys and passkeys do stop it because the cryptographic challenge is bound to the real domain. Roll out passkeys for finance, executive, and HR mailboxes first.

Will cyber insurance cover a loss that started with a DocuSign phish?

Often yes, but conditionally. Most BEC riders require documented MFA enforcement, segregation-of-duties on wires, executive-impersonation training, and callback verification on supplier banking changes. Carriers deny claims where those controls cannot be evidenced. File the claim same-day as discovery.

Bottom line: DocuSign phishing wins because employees are paid to click DocuSign links. The defense is not "stop clicking" - it is "verify before signing in". Sign in to DocuSign by typing docusign.com directly, confirm out-of-context envelopes on a separate channel, deploy hardware-key or passkey MFA on M365 and Google Workspace, and put SafeBrowz on every browser so the credential-harvest page never gets a chance to load.