Phishing Warning: DocuSign - Jan 2025

Owned by Dan Jakubiak
Last updated: yesterday at 8:55 pm by Ashley Mattingly
3 min read

ITS wishes to bring an ongoing phishing scam involving DocuSign to your attention.

The ITS Security team is working to mitigate the threat, but because it is evolving and is sophisticated, we want to alert our community. They should be suspicious of messages from DocuSign that are unexpected and were not initiated by someone they know.

Quick Summary

Due to the compromise of DocuSign accounts, DocuSign accounts are sending requests to other user accounts that ask them to log into Microsoft 365. Those who click on these fraudulent requests are sent to a fake Microsoft 365 login page. If the recipient enters their login credentials (UConn email address and NetID password) into their fake page, the credentials are sent to bad actors. This is not limited to the UConn community.

Important Distinction

This phishing campaign is the result of compromised DocuSign accounts. These compromised accounts are sending requests to other DocuSign accounts.

Recipients of this phish are receiving legitimate requests for the theft of their credentials. The request itself is legitimate because it is sent from a DocuSign account; the contents of the request are malicious.

This means the recipient will also see the request in their DocuSign account, not just in their email inbox. This malicious request must be ignored in both the email inbox and in the DocuSign website.

This creates difficulty for ITS in identifying and blocking this phishing campaign.

How to Identify

image-20250122-163307.png

  • Is this sent by someone you know?

    • Would you expect a request for your signature from this person?

    • Ask them in person, in Teams, or send them a separate email. Send a separate email to ensure they don’t have a chance to click on any links in the suspicious email you received.

  • Is this a request involving money?

    • Within your university life, it may be unlikely for you to receive a request through DocuSign that involves money.

    • Does your department use the stated payment processor? Example: PayPal

    • If mentioned, does your department typically use Bitcoin, or another cryptocurrency, for transactions?

  • Is there a sense of urgency in this request?

    • Is the urgency warranted or expected?

    • Are you being warned about a transaction involving people, goods, or tender you don’t typically interact with?

User Experience: If you click on REVIEW DOCUMENT you are presented with a document that has a hyperlink. This link leads you to a fake Microsoft login page. If you enter your credentials into the page, your credentials are sent to bad actors.

image-20250122-164511.png
Fake Microsoft Sign in page. Note the suspicious URL.

How to Avoid

Don’t click any buttons or links in the email.

If you have clicked on the message, do not enter your login credentials or any other identifying information.

Review the “How to Identify” steps above. Do not interact with the request in either your email inbox or in the DocuSign website.

If you are worried about the security of your account, you may reset your NetID password. If you believe you have entered your credentials into a fake login page, reset your NetID password immediately and contact security@uconn.edu.

How to Report

If you receive this and other suspicious messages, report them by clicking the “Report” button within Outlook. 

Questions?

Please email techsupport@uconn.edu.

Related Guides