The NJCCIC received reports of a phishing scam abusing the legitimate Docusign platform and impersonating a New Jersey organization. In the Docusign envelope email notification, the impersonated organization’s name appears in the sender’s display name and the body of the email, and the sender’s domain name displays the legitimate docusign.net domain. However, the body of the email references an email address with a macr2[.]com domain, which is typically associated with disposable or temporary email addresses and often used in fraudulent activities and spam.
If the target clicks the Review Document button in the email, they are directed to the Docusign platform. In this phishing scam, the threat actors added an extra step by including a malicious link and a QR code to open and review the document. Further analysis indicated that the malicious link and QR code utilize a bing.com redirect as part of a sandbox evasion technique. Suspicious connections were observed for .ru, .es, and .li domains.
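The indicators described above can be turned into a mail and URL triage check. This is an added example, not code from the NJCCIC advisory; the function names, sample message and sample URLs are constructed, and it assumes URLs have already been extracted from the envelope document or decoded from its QR code.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

DISPOSABLE_DOMAINS = {"macr2.com"}           # named in the advisory; extend locally
REDIRECTOR_HOSTS = {"bing.com", "www.bing.com"}
WATCH_TLDS = {"ru", "es", "li"}              # triage signal only, not a verdict
ADDR_RE = re.compile(r"[\w.%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def triage_notification(raw_email):
    """Return disposable domains cited in the body of a docusign.net notification."""
    msg = message_from_string(raw_email, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = sender.rpartition("@")[2]
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    cited = {d.lower() for d in ADDR_RE.findall(body)} & DISPOSABLE_DOMAINS
    via_docusign = domain == "docusign.net" or domain.endswith(".docusign.net")
    return sorted(cited) if via_docusign else []

def triage_urls(urls):
    """Label URLs taken from the envelope document or decoded from its QR code."""
    findings = {}
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        reasons = []
        if host in REDIRECTOR_HOSTS:
            reasons.append("bing.com redirect")
        if host.rsplit(".", 1)[-1] in WATCH_TLDS:
            reasons.append("watched TLD")
        if reasons:
            findings[url] = reasons
    return findings

# Constructed sample data (not taken from the reported campaign).
SAMPLE_EMAIL = (
    'From: "Example NJ Organization via Docusign" <sender@docusign.net>\n'
    "Subject: Complete with Docusign\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Example NJ Organization (accounts@macr2.com) sent you a document.\n"
)
SAMPLE_URLS = [
    "https://www.bing.com/constructed-redirect-path",
    "https://portal.constructed-sample.ru/review",
    "https://www.docusign.com/",
]
```

A hit from either function is a reason to hold the message for review, since .ru, .es and .li are also used by legitimate sites.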
What You Should Do
- Exercise caution with email addresses from macr2[.]com or other disposable email domains.
- Exercise caution with communications from known senders or legitimate platforms.
- Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links, scanning QR codes, or opening attachments.
- Type official website URLs into browsers manually and only submit sensitive information on official websites.
- Keep systems and browsers up to date.
If you have questions or need assistance, contact a member of the Admiral team.