
read receipts
The Phishing Email That Came From DocuSign's Own Servers
Your security software gave it a green checkmark. That was the whole point.
A scammer doesn't need to forge DocuSign. They can just sign up for it.
That's the part most people get wrong about the fake-invoice emails landing in their inbox. We've been trained to look for the tell — the misspelled domain, the weird sender address, the link that goes to docus1gn-secure-login dot something. But a growing wave of these scams sails through every filter clean, because the criminals aren't impersonating DocuSign at all. They're using it. Real account, real envelope, real email sent from DocuSign's actual mail servers.
Here's how it works. An attacker creates a legitimate DocuSign account, builds a real document — say, an "invoice" for $9,800 in network security services from a fake vendor — and sends it to you through the platform's normal signature-request flow. DocuSign happily delivers it. The email genuinely originated from DocuSign's infrastructure, so it carries valid authentication. The scam lives inside the document: a phone number to call, or instructions to wire money before you "approve" a charge. No malware, no spoofed link for your filter to catch. DocuSign has acknowledged the pattern and warns users that its own platform gets abused this way.
Which brings us to the green checkmark, and why it's lying to you.
When your email provider tells you a message is "verified," it's running three checks: SPF, DKIM, and DMARC. SPF confirms the message came from a server the sending domain lists as allowed to send for it (it checks the envelope sender, the bounce address, not necessarily the From line you see). DKIM is a cryptographic signature, made with the sending domain's key, over the body and selected headers; if it validates, those parts weren't altered after the sender signed them. DMARC ties the two to the From address you actually see: it requires that the domain that passed SPF or DKIM align with the From domain, and it tells receivers whether to quarantine or reject a message that fails. All three are real, useful, and worth having. Here's the catch they were never built to solve: they verify which domain is responsible for the email, not whether the person behind it is trying to rob you. A message sent through DocuSign's real servers passes all three with flying colors, because it genuinely is from DocuSign, signed with DocuSign's key and aligned with DocuSign's domain. The authentication is working exactly as designed. It just can't read intent.
This is the soft spot attackers have learned to exploit at scale. Proofpoint, which researches this for a living, has documented a surge in "legitimate service abuse" — campaigns that ride trusted platforms like DocuSign, PayPal, Microsoft, and Dropbox precisely because those domains pass every authentication check and rarely get blocked. PayPal's own "money request" feature has been a favorite for the same reason: a real PayPal email, with a real PayPal link, asking you to dispute a charge that never happened by calling a number that reaches the scammer.
The scale is the uncomfortable part. The FBI's Internet Crime Complaint Center logged more than $16 billion in reported losses in 2024, with business email compromise — the polished, no-malware, looks-totally-legit category these fakes belong to — among the costliest. These aren't sloppy Nigerian-prince emails. They're clean, branded, and authenticated.
So what actually protects you, if the checkmark won't? Not the sender. The ask. A real invoice doesn't have a panic deadline. A real signature request matches something you were already expecting. When a document tells you to call a number to dispute a charge you don't recognize, that's the whole scam in one sentence — because the legitimate move is to ignore the email entirely and log into the company's site yourself, typing the address by hand.
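To make both halves of that concrete (what the checkmark above actually verifies, and what "the ask" looks like when you inspect it), here is a small Python triage script. It is an added example, not code from this article, DocuSign, or Proofpoint. Both messages are constructed for illustration; their Authentication-Results headers imitate what a receiving mail server (assumed here to be named mx.example) stamps after running SPF, DKIM, and DMARC. The phone-number, deadline, and money patterns are illustrative heuristics, not a production detector.

```python
"""Authentication says which domain sent it; only the content says what it asks.
Added example, not code from the article, DocuSign or Proofpoint. Both messages
are constructed; Authentication-Results imitates what a receiving server (assumed
name mx.example) stamps after SPF/DKIM/DMARC. The 'ask' regexes are heuristics."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed: attacker's own DocuSign account, so it genuinely left docusign.net.
GENUINE_ABUSE = """\
From: "Acme Network Services via DocuSign" <dse@docusign.net>
Subject: Please DocuSign: Invoice 4471 (Due in 24 hours)
Authentication-Results: mx.example;
 spf=pass smtp.mailfrom=docusign.net;
 dkim=pass header.d=docusign.net;
 dmarc=pass header.from=docusign.net

Your invoice for $9,800.00 in network security services is ready for signature.
This charge will be processed automatically unless disputed within 24 hours.
To cancel or dispute, call our billing desk at (555) 013-4471.
"""

# Constructed: old-style forgery, From header copied, sent from an unrelated server.
SPOOFED = """\
From: "DocuSign" <dse@docusign.net>
Subject: Please DocuSign: Invoice 4471
Authentication-Results: mx.example;
 spf=fail smtp.mailfrom=bulk.mailer.example;
 dkim=none;
 dmarc=fail header.from=docusign.net

Please review and sign the attached invoice.
"""

_RESULT_RE = re.compile(r"(spf|dkim|dmarc)=(\w+)")
_PROP_RE = re.compile(r"([\w.]+)=([\w.-]+)")

def parse_auth_results(msg: Message) -> dict:
    """Map method -> (result, properties) from the Authentication-Results header."""
    raw = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))
    out = {}
    for clause in raw.split(";")[1:]:          # clause 0 is the authserv-id
        c = clause.strip()
        m = _RESULT_RE.match(c)
        if m:
            out[m.group(1)] = (m.group(2), dict(_PROP_RE.findall(c[m.end():])))
    return out

def from_domain(msg: Message) -> str:
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dmarc_aligned(msg: Message) -> bool:
    """Re-derive DMARC's core rule: the visible From domain must equal the domain
    that passed SPF (smtp.mailfrom) or DKIM (header.d). Strict alignment only."""
    domain, auth = from_domain(msg), parse_auth_results(msg)
    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    return ((spf_result == "pass" and spf_props.get("smtp.mailfrom", "").lower() == domain)
            or (dkim_result == "pass" and dkim_props.get("header.d", "").lower() == domain))

# What no authentication check ever looks at: the ask.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
CALL_RE = re.compile(r"\b(call|phone|dial)\b", re.I)
DEADLINE_RE = re.compile(r"\b(within \d+ (hours?|days?)|immediately|automatically)\b", re.I)
MONEY_RE = re.compile(r"\$\s?\d[\d,]*(\.\d{2})?")
DISPUTE_RE = re.compile(r"\b(dispute|cancel|unless|wire|transfer)\b", re.I)

def ask_flags(body: str) -> list:
    """Heuristics for the shape of scam the article describes."""
    flags = []
    if CALL_RE.search(body) and PHONE_RE.search(body):
        flags.append("asks you to call a phone number")
    if DEADLINE_RE.search(body):
        flags.append("panic deadline")
    if MONEY_RE.search(body) and DISPUTE_RE.search(body):
        flags.append("money tied to a dispute/cancel/wire instruction")
    return flags

def triage(raw: str, expected_counterparties: set) -> dict:
    """Authenticate first, then judge the ask; the first never answers the second."""
    msg = message_from_string(raw)
    authenticated = dmarc_aligned(msg)
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    expected = any(n.lower() in display_name for n in expected_counterparties)
    flags = ask_flags(msg.get_payload())
    if not authenticated:
        verdict = "reject: From header does not align with SPF/DKIM"
    elif flags or not expected:
        verdict = "authenticated, suspicious ask: verify out of band"
    else:
        verdict = "authenticated and expected"
    return {"from_domain": from_domain(msg), "authenticated": authenticated,
            "auth": {k: v[0] for k, v in parse_auth_results(msg).items()},
            "expected_counterparty": expected, "flags": flags, "verdict": verdict}
```

Run `triage(GENUINE_ABUSE, {"Contoso Legal"})` and the spoofed copy gets rejected on alignment alone, while the real DocuSign envelope comes back fully authenticated and still flagged three times on its content. The design point is the two-stage verdict: the authentication result gates the forgery, but it is deliberately never allowed to stand in for the second question, whether this counterparty and this ask were expected.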
The checkmark tells you the letter came from a real post office. It tells you nothing about what's written inside.
Sources
- DocuSign — Advisory on phishing and platform abuse
- Proofpoint — Research on abuse of legitimate services in phishing campaigns
- DMARC.org — How SPF, DKIM, and DMARC pass/fail mechanics work
- FBI IC3 — 2024 Internet Crime Report loss figures