We haven’t had a client fall for this exact scam yet. However, we’ve observed the same pattern unfolding in forensic reports from companies in Denmark, Austria, and Luxembourg. Same disguise, same patience, same result: the business only realises it has been compromised when the damage is irreversible. The tips below are how you spot a fake DocuSign email before that happens.

Here’s the composite story we built from those real cases, so you can recognise it before you get hit by this scam. It starts harmlessly—usually on a Tuesday or Wednesday, when inboxes are overflowing.

An email shows up at 10:34 a.m.

Subject line: “Docusign – You have 1 new document to review and sign – EXP 12/04/2025”
From: noreply@docusign.net (red check-mark icon, perfect branding; bear in mind that the address and display name you see are whatever the sender chose to show, so they prove nothing on their own)
Inside the email: no attachment. Just one clean blue button that says: “Review Document.”

You click. A new tab opens to a page that looks 100% like DocuSign—your company logo is even in the top left, because they scraped it from your website. You’re asked to “log in to continue” with your Microsoft 365 credentials. You do, and that form hands your username and password straight to the attacker. Thirty seconds later, you’re looking at a fake contract, you close the tab, and you forget about it.

Nothing explodes. No files disappear. Your antivirus stays silent. That’s the entire point.

Over the next 10–45 days the attacker, now signed in as you and without a single piece of malware on your machine, quietly:

  • Registers or consents to a new “app” in your Microsoft identity service (Entra ID, formerly Azure AD) with innocent-sounding permissions such as reading your mail and contacts
  • Adds a hidden inbox rule that deletes, or moves to an obscure folder, any incoming email containing the words “phish”, “compromised”, or “MFA”, so warnings from colleagues and IT never reach you
  • Exfiltrates your address book, recent emails, and SharePoint file list, i.e. copies them and sends them to the attacker
  • Uses your own account, from your real mailbox, to send the same DocuSign lure to three of your regular suppliers

Six weeks later the attackers have everything they need to run a convincing CEO-fraud payment redirection, or, if your account carries admin rights, to deploy ransomware with your own credentials.

Average time from initial click to discovery: 38 days.
Average financial hit: €270,000–€1.4 million.

Why This One Is So Hard to Spot in 2025

  • Zero malware on disk → traditional antivirus sees nothing
  • Hosted on legitimate cloud services (Azure, AWS frontends, Cloudflare pages)
  • Uses your real branding and real supplier names pulled from public sources or previous small leaks
  • Never asks for credit-card details or crypto—only your normal work login
  • Exploits the fact that most people still think “I’d notice if something bad happened immediately”

The Three Reality-Checks That Still Work Every Time

  1. Real DocuSign, DocuWare, Adobe Sign, etc. never ask you to log in with your Microsoft 365 or Google account to open a document, and never ask you to re-authenticate through an email link if you’re already logged in. Ever.
    → Hover over the button: if the link’s domain isn’t exactly docusign.net, docusign.com, or a subdomain of one of them (such as identity.docusign.com), close it. Read the host from the right: docusign.net.example is not DocuSign, and neither is a page whose path merely contains “docusign”.
  2. Check Sent Items a few hours later.
    → Did an email you don’t remember go out to your top five suppliers? That’s usually the first quiet sign.
  3. Look at Sign-ins in your Microsoft 365 (Entra ID) or Google Workspace admin centre the same day.
    → A login from Moldova, Vietnam, or a Tor exit node you don’t recognise? Revoke every session and refresh token for that account (not just the one you can see), force a password reset immediately, and then check the mailbox for new inbox rules and app consents, because a password change alone does not remove those.
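The hover check in reality-check 1, written out as code so the edge cases are explicit. This is an added example, not code from the original page or from DocuSign: it takes the URL behind the “Review Document” button and decides on the registrable domain of the host, not on whether the word “docusign” appears somewhere in the string, which is exactly what lookalike links count on. The allowlist of docusign.net and docusign.com is an assumption to adapt to the e-signature vendors your company actually uses.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the registrable domains a genuine Docusign link lives
# under. Extend or replace it for the vendors you actually use.
TRUSTED_DOMAINS = ("docusign.net", "docusign.com")


def link_verdict(url: str, trusted=TRUSTED_DOMAINS) -> tuple[bool, str]:
    """Return (is_trusted, reason) for the URL behind a signing button.

    The decision is made on the host's registrable domain, read from the
    right, so docusign.net.example and evil.example/docusign.net both fail.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"

    # https://docusign.net@evil.example/ : the text before '@' is userinfo,
    # the real host is evil.example. Flag it rather than silently passing on.
    if parts.username is not None:
        return False, f"userinfo before the host; real host is {host!r}"

    # Internationalised (punycode) hosts are a common lookalike vector.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalised (punycode) host {host!r}"

    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True, f"host {host!r} is under trusted domain {domain!r}"

    return False, f"host {host!r} is not under any trusted domain"


if __name__ == "__main__":
    # Constructed sample links, the kind you see when hovering over the button.
    for sample in (
        "https://na2.docusign.net/Signing/EmailStart.aspx?a=abc",
        "https://docusign.net.example/login",
        "https://docusign.net@evil.example/",
        "https://evil.example/docusign.net/review",
    ):
        ok, why = link_verdict(sample)
        print(("TRUSTED " if ok else "CLOSE IT") + "  " + sample + "  (" + why + ")")
```

The function deliberately returns the reason alongside the verdict; in a mail-gateway rule or a help-desk tool the reason is what lets a human see why a link that “looked like DocuSign” was rejected.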

Your 90-Second Daily Habit That Breaks This Entire Attack Chain

  • Treat every “Review Document / Sign Now” email as suspicious until proven otherwise
  • Go directly to the real portal (type docusign, office.com, adobe.com yourself) and check if anything actually awaits you there
  • Enable phishing-resistant MFA, i.e. hardware security keys or passkeys: password-only logins are no longer safe, and SMS codes or push approvals can be relayed through the same fake login page
  • Turn on alerts on the Unified Audit Log (Microsoft 365) or the Workspace audit log (Google) for new app registrations, app consents and inbox rule changes (takes five minutes in Microsoft Defender or the Google admin console)
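What those alerts look for, as an added example rather than the page’s own or Microsoft’s code: a small triage script that runs the checks from the last bullet over audit-log records and flags the two persistence moves described in the attack story above (the mail-hiding inbox rule keyed on security words, and the new application or consent event), tagging each finding with the IP of that user’s most recent sign-in so the sign-in review and the mailbox review happen in one pass. The records are constructed to resemble Microsoft 365 Unified Audit Log entries; the field and operation names follow that schema as far as I know it, so verify them against an export from your own tenant before building alerts on them.

```python
import json

# Constructed sample in the shape of Microsoft 365 Unified Audit Log records
# (Search-UnifiedAuditLog / Purview export), reduced to the fields used below.
# Every user, time, IP (documentation range), app name and rule is invented.
SAMPLE_AUDIT_LOG = [
    json.dumps({"CreationTime": "2025-03-04T09:41:12", "Operation": "UserLoggedIn",
                "Workload": "AzureActiveDirectory", "UserId": "anna@example.org",
                "ClientIP": "203.0.113.7"}),
    json.dumps({"CreationTime": "2025-03-04T09:47:30", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "anna@example.org",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "phish;compromised;MFA"},
                               {"Name": "DeleteMessage", "Value": "True"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-03-05T11:02:08", "Operation": "Consent to application.",
                "Workload": "AzureActiveDirectory", "UserId": "anna@example.org",
                "ObjectId": "Mail Sync Helper"}),
    json.dumps({"CreationTime": "2025-03-05T08:15:44", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "ben@example.org",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@vendor.example"},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
]

SUSPICIOUS_WORDS = ("phish", "compromised", "mfa", "hacked", "password", "suspicious")
HIDING_PARAMS = ("DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead")
APP_OPERATIONS = ("Add application.", "Add service principal.",
                  "Consent to application.", "Add app role assignment grant to user.")


def _params(rec):
    """Exchange cmdlet records carry their arguments as [{Name, Value}, ...]."""
    return {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}


def check_inbox_rule(rec):
    """Flag New-/Set-InboxRule records that hide mail; worst when keyed on security words."""
    if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = _params(rec)
    hides = [k for k in HIDING_PARAMS if k in p]
    words = " ".join(v for k, v in p.items() if "ContainsWords" in k).lower()
    hits = [w for w in SUSPICIOUS_WORDS if w in words]
    name = p.get("Name", "")
    if hits and hides:
        return {"severity": "high", "reason": f"rule {name!r} matches {hits} and applies {hides}"}
    if hits or (hides and not name.strip(" .,-_")):
        # Security words without a hiding action, or a hiding rule with a
        # throwaway name such as "." or "..", are both worth a human look.
        return {"severity": "medium", "reason": f"rule {name!r} matches {hits} and applies {hides}"}
    return None


def check_app_event(rec):
    """Any new app / consent event is worth a look; the attacker in the story needs one."""
    if rec.get("Operation") in APP_OPERATIONS:
        return {"severity": "medium", "reason": f"{rec['Operation']} {rec.get('ObjectId', '?')!r}"}
    return None


def triage(lines):
    """Parse one JSON record per line and return findings sorted by time, each
    tagged with the IP of that user's latest sign-in before the event (or None)."""
    records = [json.loads(line) for line in lines]
    logins = {}
    for r in records:
        if r.get("Operation") == "UserLoggedIn":
            logins.setdefault(r["UserId"], []).append((r["CreationTime"], r.get("ClientIP")))
    for history in logins.values():
        history.sort()

    findings = []
    for r in records:
        for check in (check_inbox_rule, check_app_event):
            f = check(r)
            if f is None:
                continue
            user, when = r.get("UserId"), r.get("CreationTime", "")
            prior = [ip for t, ip in logins.get(user, []) if t <= when]
            f.update(user=user, time=when, login_ip=prior[-1] if prior else None)
            findings.append(f)
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"{f['time']} {f['severity']:6} {f['user']} from {f['login_ip']}: {f['reason']}")
```

Ben’s rule in the sample is an ordinary “move newsletters to a folder” rule and produces no finding; that is the point of scoring on keywords plus hiding action rather than on “a rule was created”, which would drown the alert in noise.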

This isn’t the loud, dramatic malware of 2017. It’s quiet, patient, and it only needs eight seconds of trust. Don’t give it those eight seconds!

P.S. Received a signing request that feels slightly off, read the tips above, and you’re still not sure? Forward the raw message to hello@vali.now (forward it as an attachment, so the original headers survive) and we’ll tear it apart for you – no charge for the first one.
