In recent weeks, cybercriminals have started using popular tools like Adobe Sign and DocuSign to trick people into revealing their Office 365 login credentials. Even if you have Multi-Factor Authentication enabled, it won't protect you from these scams. The attackers use sophisticated methods to trick you into handing over your keys, and then they make a copy of them to get into your account later. These phishing attacks are becoming more common, and we want to make sure you know how to protect yourself.
What’s Happening?
Phishing is a type of scam where attackers try to steal your personal information, like usernames and passwords, by pretending to be a trusted company or service. In this case, cybercriminals are sending fake emails that appear to be from Adobe Sign or DocuSign, asking you to open documents or sign contracts. When you click on the link, you’re redirected to a fake login page that looks just like the official Microsoft Office 365 sign-in page.
If you enter your login details, the scammers now have access to your Office 365 account, which can lead to serious issues like data theft or unauthorized access to sensitive information.
Why Is This a Big Risk?
- Office 365 Credentials Are Valuable: If attackers gain access to your Office 365 account, they can steal emails, files, and other sensitive information stored in OneDrive or SharePoint.
- Increased Sophistication: These fake emails look very realistic, and it’s hard to tell them apart from genuine communications. They often use company logos, official-looking email addresses, and even personalized messages.
- Spread of Malware: Sometimes, the links in these emails lead to malware that can infect your computer, putting your personal information and your organization at risk.
How These Phishing Attacks Work
In this type of phishing attack, cybercriminals use trusted third-party services to send emails that look official and trustworthy. By using popular tools like Adobe Sign and DocuSign, the attackers know they can exploit people's trust in these platforms, which are widely used for document signing and workflow automation.
- Spoofing Trusted Services:
  - The email often appears to come from Adobe Sign or DocuSign, both trusted and well-known services for handling document signatures. Since these services are legitimate and commonly used in businesses and enterprises, employees and users are more likely to trust an email from them.
  - The scam email may contain a link that says "Click here to review or sign a document," or it might say the document requires your immediate attention. Once the link is clicked, the victim is taken to a fake login page that closely resembles the actual Office 365 or Microsoft login page.
- Using Cloudflare for Legitimacy:
  - One of the key tactics here is that the phishing page is often protected by Cloudflare, a service that provides secure hosting and traffic management. Cloudflare helps legitimize the phishing website because it provides SSL/TLS encryption, making the site appear secure (with the "https://" and padlock icon in the address bar). The padlock only shows that the connection is encrypted; it says nothing about who runs the site.
  - Because Cloudflare is known for protecting legitimate websites from attacks and handling large-scale traffic, attackers use it to make their phishing websites harder to detect as malicious. This increases the trust factor, as many users associate Cloudflare with genuine sites and a "secure" connection.
- Bypassing Email Filters:
  - Many email security systems check for suspicious URLs or bad sender reputations. Since Adobe Sign and DocuSign are trusted services, the phishing emails that use them are less likely to be flagged as spam or blocked by these systems.
  - Furthermore, because the URLs in the email often point to legitimate domains (e.g., Adobe or DocuSign), these emails can bypass basic email filters, making the attack even harder to spot.
Why This Makes the Attack More Dangerous
- High Familiarity & Trust: Adobe Sign and DocuSign are widely used, so people tend to trust emails that come from these services. This makes the attacker’s task easier, as users are more likely to open and interact with the email.
- Minimal Technical Knowledge Required: The attackers do not need to create elaborate, highly technical schemes. Instead, they rely on social engineering—sending emails with documents that people expect to receive, such as contracts or other work-related documents.
- Realistic Login Pages: Using an exact replica of the Microsoft login page, combined with SSL protection via Cloudflare, makes it difficult for the user to spot the fake login page.
- Attackers have been able to redirect the Multi-Factor Authentication process by intercepting one-time codes.
How To Protect Yourself:
- Look Out for Red Flags: Be cautious of unsolicited emails asking you to "sign" or "review" documents. Double-check the sender’s email address—phishing emails may look like they’re from Adobe or DocuSign, but they often contain slight variations in the address.
- Check the URL: Before entering your login credentials, make sure the URL is correct. Official Office 365 login pages will always start with https://login.microsoftonline.com. See the images below, which show two areas that reveal the "scam" links in these attacks:
- Don’t Rush: If the email seems urgent or pressures you to act quickly, take a moment to think before clicking any links.
- Partner with a reputable Managed IT Company to minimize your risks.
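The "Check the URL" advice above, as an added example that is not part of the original article: a Python check that accepts a sign-in link only when its host is exactly login.microsoftonline.com, the address the article gives, and says why common lookalike forms fail. The function name and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# The sign-in host the article gives for official Office 365 login pages.
OFFICIAL_LOGIN_HOST = "login.microsoftonline.com"


def check_login_url(url):
    """Return (is_official, reason) for a link that shows a sign-in page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is lowercased
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "URL could not be parsed"
    if parts.scheme.lower() != "https":
        return False, "not an https:// link"
    if parts.username is not None or parts.password is not None:
        # In https://name@host/ everything before '@' is a login name, not the site.
        return False, "text before '@' is decoration; real host is " + host
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "internationalised host can imitate Latin letters: " + host
    if port not in (None, 443):
        return False, "unexpected port %d" % port
    if host == OFFICIAL_LOGIN_HOST:
        return True, "host matches exactly"
    if OFFICIAL_LOGIN_HOST in host or "microsoft" in host:
        return False, "Microsoft name used inside another host: " + host
    return False, "host is " + host


# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.signin-docs.example/common",
    "https://login.microsoftonline.com@docs-review.example/sign",
    "http://login.microsoftonline.com/",
    "https://office365-esign.example/login.microsoftonline.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_login_url(link)
        print("OK  " if ok else "STOP", link, "->", reason)
```

Because the check looks only at the host, the "https://" prefix and padlock that a Cloudflare-protected page shows do not change the result.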
What to Do If You’re a Victim?
If you believe you've fallen for a phishing scam or entered your credentials on a suspicious page, immediately reset your password. Contact your IT department or email provider to report the incident and secure your account. You can also contact our team for help.
By staying vigilant and following these simple steps, you can protect yourself from these growing phishing threats.
Stay safe online!