Christmas Phishing Surge Chains Docusign Spoofing Targets Enterprises

What happened

During the 2025 holiday period, a Christmas phishing surge that chained Docusign spoofing with fake electronic signature requests targeted multiple enterprise users. Researchers at Abnormal Security observed a 60% spike in email campaigns leveraging Docusign-branded templates combined with identity theft questionnaires. Threat actors impersonated known vendors and HR departments to trick employees into revealing credentials or clicking malicious links. The campaigns primarily used spear-phishing emails containing links to malicious domains hosting credential harvesting forms. Some campaigns also bundled malware attachments disguised as PDF invoices. Organizations across finance, retail, and healthcare reported increased incidents, highlighting the effectiveness of seasonal social engineering.

Who is affected

Enterprises across finance, healthcare, and retail sectors experienced direct exposure to spoofed Docusign emails, while employees remain at risk of credential theft and potential lateral compromise.

Why CISOs should care

Phishing campaigns like these can lead to data breaches, supply chain compromise, and regulatory fines. Holiday-themed attacks exploit lower staff vigilance, increasing the likelihood of successful credential harvesting and unauthorized access.

3 practical actions

Strengthen email authentication: Enforce DMARC, DKIM, and SPF policies to reduce spoofed messages.

Educate employees: Run phishing awareness campaigns highlighting seasonal attack patterns and fake Docusign notices.

Monitor for credential misuse: Track login anomalies, especially on enterprise SaaS platforms, for early detection.
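
A mail-triage check for the first action above, added here as an example (it is not code from the article or from Abnormal Security). It flags Docusign-branded mail from unrelated domains, which passes DMARC for its own domain, as well as mail claiming a Docusign domain that fails DMARC. The trusted-domain list, the gateway name mx.example.com and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains your organization accepts as genuine Docusign senders.
TRUSTED_BRAND_DOMAINS = {"docusign.net", "docusign.com"}
BRAND = re.compile(r"docu\s*sign", re.IGNORECASE)
DMARC_RESULT = re.compile(r"\bdmarc=(\w+)", re.IGNORECASE)


def org_match(domain, trusted):
    """True if domain equals, or is a subdomain of, a trusted domain."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def triage(raw):
    """Return the reasons a message looks like a spoofed Docusign notice."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    branded = bool(BRAND.search(display) or BRAND.search(msg.get("Subject", "")))
    # Assumption: the first Authentication-Results header is the one stamped
    # by your own gateway; headers added upstream must not be trusted.
    m = DMARC_RESULT.search(msg.get("Authentication-Results", ""))
    dmarc = m.group(1).lower() if m else "none"
    reasons = []
    if branded and not org_match(domain, TRUSTED_BRAND_DOMAINS):
        reasons.append(f"Docusign branding from unrelated domain {domain!r}")
    if org_match(domain, TRUSTED_BRAND_DOMAINS) and dmarc != "pass":
        reasons.append(f"trusted-looking From domain but dmarc={dmarc}")
    return reasons


# Constructed sample messages (not taken from the reported campaigns).
AUTH_PASS = "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
LOOKALIKE = (
    AUTH_PASS + 'From: "Docusign via HR" <sign@hr-documents.example>\n'
    "Subject: Complete with Docusign: Year-end bonus form\n\nbody\n"
)
SPOOFED = (
    "Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail\n"
    "From: dse@docusign.net\nSubject: Please sign\n\nbody\n"
)
GENUINE = AUTH_PASS + "From: Docusign <dse@docusign.net>\nSubject: Please sign\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("genuine", GENUINE)]:
        print(name, triage(raw))
```

The lookalike sample passes DMARC yet is still flagged, so sender authentication needs to be paired with brand-impersonation checks.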