Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials

According to Bitdefender Antispam Lab researchers, cyber thieves are actively targeting DocuSign and Sharepoint users in phishing attacks designed to mimic legitimate correspondence from the two web-based platforms.

Microsoft credentials up for grabs with fake Sharepoint emails

The phishing attack spotted on June 24 appears to have originated from the United States. 33% of the fake emails reached users in the US, 26% in Ireland, 14% in Korea, 12% in Sweden, 5% in Denmark, and 1% in Finland, UK and India.

The scam email, disguised as an automated Microsoft SharePoint, does not seek to infect recipients with malware. The scammers are looking to steal login credentials from their targets—most of the emails use COVID-19 as a ruse to dupe recipients into accessing a bogus document.

For example, the email below asks to review a “Covid 19 relief fund as approved by the board of directors.”

The emails are not directed to any specific employee within the targeted organization. Users who try to access the document will be directed to a landing page mimicking an Outlook login page.

Those who fall for the bait are giving the attackers their legitimate Microsoft credentials, allowing them to commit further crimes, including spreading spear-phishing emails, impersonating employees and stealing sensitive data.

DocuSign brand continues to be exploited during COVID

The DocuSign phishing campaign intercepted by our researchers closely resembles a legitimate email that a user might receive from the company. The perps sent out thousands of emails, most of them originating from IP addresses in Germany and Russia. A rather large number of hits targeted Portuguese and United States users. The message use the brands’ logo, content and footer to dupe recipients into believing the email is real.

The recipient is asked to click a link to review and sign a document. The link directs the user to a bogus webpage that mimics DocuSign, and the user is prompted to sign in to their Adobe account to view the document.

If you’re one of the unfortunate users who clicked on the link and provided your credentials, change the password immediately and take proactive measures. You should also report the fraudulent email and website via the dedicated channel [email protected] and spread the word to friends, family and co-workers.

Signing documents online from anywhere in the world does save time and effort, especially during the pandemic and social-distancing efforts. However, it’s essential for users to remain vigilant and double-check the correspondence before downloading an attachment or providing login credentials, giving cybercriminals the upper hand and freedom to access sensitive information.

Note: This article is based on technical information provided courtesy of Bitdefender Antispam Lab