The NJCCIC received reports of a phishing scam abusing the legitimate Docusign platform and impersonating a New Jersey organization. In the Docusign envelope email notification, the impersonated organization’s name appears in the sender’s display name and the body of the email, and the sender’s domain name displays the legitimate docusign.net domain. However, the body of the email references an email address with a macr2[.]com domain, which is typically associated with disposable or temporary email addresses and often used in fraudulent activities and spam. These email addresses can be used to bypass registration requirements or create fake accounts on websites like Docusign, making them a potential security risk.
If the target clicks the Review Document button in the email, they are directed to the Docusign platform. In this phishing scam, the threat actors added an extra step by including a malicious link and a QR code to open and review the document. Further analysis indicated that the malicious link and QR code utilize a bing.com redirect as part of a sandbox evasion technique. Suspicious connections were observed for .ru, .es, and .li domains.
The Docusign envelope email notification also contains an alternate signing method with a unique security code at the bottom of the email. If a Docusign email looks suspicious or there is doubt, Docusign recommends using this alternate signing method instead of clicking on any links or attachments. If there is no unique security code in the email, it is not a valid Docusign email. If there is a unique security code, users are advised to access the document directly from www.docusign.com, select Access Documents, and enter the unique security code. As evident in this example, the presence of a unique security code does not necessarily mean that the document for review on Docusign’s platform is considered safe; therefore, users are highly advised to exercise caution and review Docusign’s webpage for additional security concerns, recommendations, and reporting.
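Mail and SOC teams can check for the indicators described above automatically: a notification sent from docusign.net whose body references a disposable-domain address, and links in the document that point at bing.com. The following Python is an added example, not NJCCIC or Docusign code. The function names, domain sets, and sample message are constructed for illustration, and it assumes a single-part plain-text message and document text that has already been extracted.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# macr2[.]com comes from the bulletin; extend the tuple from a feed you maintain.
# Entries are kept defanged in source and refanged when the set is built.
DISPOSABLE = {d.replace("[.]", ".") for d in ("macr2[.]com",)}
PLATFORM_DOMAINS = {"docusign.net"}   # sender domain named in the bulletin
REDIRECTOR_HOSTS = {"bing.com"}       # redirect host named in the bulletin

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _under(host, domains):
    # True when host equals a listed domain or is a subdomain of one.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw_email, document_text=""):
    """Return findings for one notification email and its document text."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload()  # assumption: single-part text/plain message
    findings = []
    if _under(addr.rpartition("@")[2], PLATFORM_DOMAINS):
        for dom in sorted({d.lower() for d in ADDR_RE.findall(body)}):
            if _under(dom, DISPOSABLE):
                findings.append(f"disposable address domain in body: {dom}")
    for url in URL_RE.findall(document_text):
        host = urlparse(url).hostname
        if _under(host, REDIRECTOR_HOSTS):
            findings.append(f"redirector link in document: {host}")
    return findings

# Constructed sample data (not taken from a real message).
SAMPLE_EMAIL = """\
From: "Example NJ Organization via Docusign" <notify@docusign.net>
Subject: Complete with Docusign
Content-Type: text/plain

Example NJ Organization sent you a document to review and sign.
Questions? Contact billing.team@macr2.com
"""
SAMPLE_DOC = "Scan the QR code or open https://www.bing.com/EXAMPLE-PLACEHOLDER to review."

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL, SAMPLE_DOC):
        print(finding)
```

A finding is a prompt for manual review, not a verdict: a bing.com link can be benign, so the second check is most useful when it appears together with the first.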
Recommendations
Exercise caution with email addresses from macr2[.]com or other disposable email domains.
Exercise caution with communications from known senders or legitimate platforms.
Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links, scanning QR codes, or opening attachments.
Type official website URLs into browsers manually and only submit sensitive information on official websites.
Keep systems and browsers up to date.
Report malicious cyber activity to the NJCCIC and the FBI’s IC3.
Source: NJCCIC August 14, 2025 Bulletin