
DocuSign phishing ranks as top inbox threat, analysis finds


DocuSign impersonation is the most common phishing threat hitting corporate inboxes, according to a recent StrongestLayer analysis shared with SC Media.

StrongestLayer analyzed a dataset of more than 2,000 email attacks that bypassed enterprise email security systems and found that DocuSign was impersonated in 13.8% of attacks.

These attacks evaded protections including built-in defenses for Microsoft 365 E3 and E5 enterprise license plans and secure email gateways from providers including Mimecast and Proofpoint, according to StrongestLayer.

“We only see attacks that have already beaten everything else. When DocuSign impersonation shows up as the dominant theme among threats that evaded Microsoft and Proofpoint, that tells you something about where the detection gap actually is,” said Alan LeFort, CEO and co-founder of StrongestLayer.

DocuSign phishing is especially dangerous because the service is so widely used for legitimate business. Attackers frequently target industries where time-sensitive electronic signatures are a normal part of everyday workflows, such as legal services, financial services, real estate, healthcare, pharmaceuticals and other professional services, where an unexpected "document awaiting signature" draws little suspicion.

Links included in these emails, or in the fake documents they lead to, most often target Microsoft 365 credentials. StrongestLayer identified 281 credential harvesting attempts impersonating DocuSign in its dataset.

In addition to blending in with normal business email, these DocuSign-themed phishing attempts also evade detection because they share few features with one another. Rather than coming from a single campaign or reusing a common template, the attacks analyzed used different sender infrastructure, URL patterns and content fingerprints, which lets them slip past signature-based defenses that rely on matching a known pattern.

Using the Jaccard similarity index (the number of features two attacks share divided by the number of features in either), the analysts measured an average similarity of 0.458 between pairs of DocuSign attacks, meaning that, on average, fewer than half of the combined features of any two attacks were shared between them. For comparison, attacks built from a phishing template typically score between 0.85 and 0.95, which makes them easy to catch with pattern matching, the analysts said.
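To make the comparison concrete, here is an added example (not StrongestLayer's code, whose feature scheme is not public) that extracts a simplified feature set from constructed messages, computes pairwise Jaccard similarity, and reports the mean for a templated batch and for a varied, DocuSign-themed batch. The feature scheme (sender domain, URL host, URL path prefix, subject and body tokens) and the 0.85 threshold are assumptions for illustration; the article's 0.458 figure depends on StrongestLayer's own features and will not be reproduced exactly.

```python
"""Mean pairwise Jaccard similarity over phishing-email feature sets.

Added example, not code from StrongestLayer or SC Media. The feature
extraction is a simplified, assumed scheme and all messages are constructed.
"""
import re
from itertools import combinations
from urllib.parse import urlparse

TOKEN_RE = re.compile(r"[a-z]{3,}")


def features(msg):
    """Turn one message (a dict) into a set of string-tagged features.

    Per-victim URL tokens are dropped by keeping only the path prefix, so
    two mails from the same template still look alike.
    """
    feats = {"from:" + msg["from"].rpartition("@")[2].lower()}
    for url in msg["urls"]:
        parsed = urlparse(url)
        feats.add("host:" + (parsed.hostname or "").lower())
        feats.add("path:" + parsed.path.rsplit("/", 1)[0])
    feats.update("subj:" + t for t in TOKEN_RE.findall(msg["subject"].lower()))
    feats.update("body:" + t for t in TOKEN_RE.findall(msg["body"].lower()))
    return feats


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def mean_pairwise_similarity(msgs):
    """Average Jaccard similarity over every pair of messages in a batch."""
    sets = [features(m) for m in msgs]
    pairs = list(combinations(sets, 2))
    if not pairs:
        return 1.0
    return sum(jaccard(a, b) for a, b in pairs) / len(pairs)


def likely_templated(score, threshold=0.85):
    """Assumed cut-off: template-driven batches score roughly 0.85 and up."""
    return score >= threshold


# Constructed batch 1: one template, only the recipient name and link token change.
TEMPLATED = [
    {"from": "notify@docusign-review.example",
     "urls": ["https://docusign-review.example/sign/abc123"],
     "subject": "Completed: Please DocuSign Contract Agreement",
     "body": f"{name}, please review and sign the document. Click here to review document."}
    for name in ("Alice", "Bob", "Carol")
]

# Constructed batch 2: same DocuSign theme, different infrastructure and wording.
VARIED = [
    {"from": "esign@contracts-portal.example",
     "urls": ["https://contracts-portal.example/d/view"],
     "subject": "Action required: your agreement is awaiting signature",
     "body": "Hi team, the vendor agreement is ready for your signature. Review it before Friday."},
    {"from": "no-reply@mail-notification.example",
     "urls": ["https://cdn.hosting-provider.example/doc/open"],
     "subject": "DocuSign: Invoice 4471 completed",
     "body": "A completed document has been shared with you. Open the attachment to view the signed invoice."},
    {"from": "docs@secure-esign.example",
     "urls": ["https://secure-esign.example/s/a1"],
     "subject": "Reminder: NDA pending signature",
     "body": "Your legal counterpart has requested a signature on the NDA. Please sign today."},
]

if __name__ == "__main__":
    for label, batch in (("templated", TEMPLATED), ("varied", VARIED)):
        score = mean_pairwise_similarity(batch)
        print(f"{label}: mean Jaccard = {score:.3f}, templated? {likely_templated(score)}")
```

The templated batch scores about 0.89 because only one name token differs per pair, while the varied batch scores well under 0.5 even though every message is about signing a document. That is the gap the article describes: a detector keyed on shared tokens or URL patterns has almost nothing to match on in the second batch, which is why the recommended layer reasons about intent (an unexpected signature request pointing off-brand) rather than surface form.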

AI is also believed to play a role in the generation of content for DocuSign attacks observed in this analysis. StrongestLayer said about 38% of the DocuSign attacks exhibited indicators of AI assistance, based on a multi-signal probabilistic analysis described to SC Media. The analysis looked at two major factors: attack variation and tactics, techniques and procedures (TTP) sophistication.

“AI-assisted campaigns exhibit low similarity despite thematic consistency, as automated generation produces unique content per attack. For sophistication, we analyze linguistic signals: contextually appropriate industry terminology, natural scenario plausibility, multi-layered psychological manipulation, and semantic coherence,” LeFort told SC Media.


Microsoft was the second-most impersonated brand in StrongestLayer’s dataset, with phishing lures based around various Microsoft properties including Office 365, Outlook, Teams and OneDrive. The use of fake CAPTCHA pages was cited as the dominant evasion technique in Q4 2025, seen in 29.6% of email attacks observed, and calendar invite attacks were also highlighted as a rising threat, seen in 108, or 5.3%, of attacks.

LeFort said StrongestLayer's analysis shows that email authentication methods such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) fall short when attackers launch campaigns from legitimate infrastructure, whether their own properly configured domains or compromised mailboxes. In the dataset, 567 attacks passed SPF, 541 passed DKIM, 501 passed DMARC and 25 passed all three.

“The data reveals the dirty secret: authentication proves sender identity, not sender intent,” LeFort stated.

StrongestLayer recommends that organizations implement strict DMARC enforcement (p=reject), which it estimates would block the 77% of malicious emails that fail authentication. The remaining 23% pass authentication and require stronger detection than signature-based pattern matching, since attackers vary their phishing content using AI and other methods.
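The following added example (not StrongestLayer's or SC Media's code) shows what "identity, not intent" looks like in triage logic: it parses the Authentication-Results header of constructed messages, tallies SPF, DKIM and DMARC passes the way the article reports them, and then applies a brand check on top. A message that invokes DocuSign in its display name or subject but is DMARC-aligned to a domain outside an assumed allowlist of DocuSign sending domains is flagged even though every authentication check passed. The allowlist, the sample messages and the `mx.example.test` authserv-id are assumptions for illustration.

```python
"""Layer a brand/intent check on top of SPF, DKIM and DMARC verdicts.

Added example, not code from StrongestLayer or SC Media. Messages are
constructed; the allowlist of DocuSign sending domains is an assumption.
"""
import email
import re
from email.utils import parseaddr

# Assumed for this example: domains a genuine DocuSign notification would be
# DMARC-aligned to. In production this list comes from the brand owner.
DOCUSIGN_DOMAINS = {"docusign.net", "docusign.com"}

# Matches "spf=pass", "dkim=none", "dmarc=fail" inside Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(msg):
    """Return {'spf': .., 'dkim': .., 'dmarc': ..} from the first
    Authentication-Results header. Upstream hops can add forged copies, so a
    real deployment must keep only the header stamped by its own MX."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for mech, verdict in AUTH_RE.findall(msg.get("Authentication-Results", "")):
        results[mech.lower()] = verdict.lower()
    return results


def from_domain(msg):
    """Domain of the RFC5322.From address, the identity DMARC aligns to."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def claims_brand(msg, brand="docusign"):
    """True when the display name or subject invokes the brand (plain
    substring match; lookalike and homoglyph handling is out of scope)."""
    name, _ = parseaddr(msg.get("From", ""))
    return brand in f"{name} {msg.get('Subject', '')}".lower()


def triage(msg):
    """Classify one message. Authentication settles who sent it; the brand
    check asks whether that sender has any business sounding like DocuSign."""
    auth = parse_auth_results(msg)
    if auth["dmarc"] == "fail":
        return "fails-dmarc"  # a p=reject policy at the spoofed domain stops this
    if claims_brand(msg):
        if from_domain(msg) in DOCUSIGN_DOMAINS:
            return "brand-aligned"
        return "authenticated-impersonation"  # identity proven, intent hostile
    return "no-brand-claim"


def tally(raw_messages):
    """Count SPF/DKIM/DMARC passes across a batch and triage each message."""
    counts = {"spf": 0, "dkim": 0, "dmarc": 0, "all-three": 0}
    verdicts = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        auth = parse_auth_results(msg)
        passes = [m for m in ("spf", "dkim", "dmarc") if auth[m] == "pass"]
        for m in passes:
            counts[m] += 1
        if len(passes) == 3:
            counts["all-three"] += 1
        verdicts[msg["Message-ID"]] = triage(msg)
    return counts, verdicts


# Constructed sample messages (headers only matter for this example).
SAMPLES = [
    # 1. Genuine-looking notification aligned to docusign.net.
    "From: DocuSign <dse@docusign.net>\nSubject: Completed: Master Services Agreement\n"
    "Message-ID: <1@example.test>\nAuthentication-Results: mx.example.test; "
    "spf=pass smtp.mailfrom=docusign.net; dkim=pass header.d=docusign.net; "
    "dmarc=pass header.from=docusign.net\n\nYour document is complete.\n",
    # 2. Attacker-owned domain with its own valid SPF, DKIM and DMARC.
    "From: DocuSign <notify@esign-alerts.example>\nSubject: Action required: contract awaiting signature\n"
    "Message-ID: <2@example.test>\nAuthentication-Results: mx.example.test; "
    "spf=pass smtp.mailfrom=esign-alerts.example; dkim=pass header.d=esign-alerts.example; "
    "dmarc=pass header.from=esign-alerts.example\n\nReview the document here.\n",
    # 3. Direct spoof of docusign.net; fails authentication outright.
    "From: DocuSign <dse@docusign.net>\nSubject: Please DocuSign: Invoice\n"
    "Message-ID: <3@example.test>\nAuthentication-Results: mx.example.test; "
    "spf=fail smtp.mailfrom=docusign.net; dkim=none; dmarc=fail header.from=docusign.net\n"
    "\nOpen the attachment.\n",
    # 4. Compromised partner mailbox: fully authenticated, brand only in the subject.
    "From: Jane Doe <jane@partner.example>\nSubject: DocuSign: NDA pending signature\n"
    "Message-ID: <4@example.test>\nAuthentication-Results: mx.example.test; "
    "spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; "
    "dmarc=pass header.from=partner.example\n\nPlease sign today.\n",
    # 5. Ordinary mail with no brand claim.
    "From: Bob <bob@example.test>\nSubject: Lunch\nMessage-ID: <5@example.test>\n"
    "Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=example.test; "
    "dkim=none; dmarc=pass header.from=example.test\n\nNoon?\n",
]

if __name__ == "__main__":
    counts, verdicts = tally(SAMPLES)
    print(counts)
    for mid, verdict in verdicts.items():
        print(mid, verdict)
```

Messages 2 and 4 pass all three checks and would sail through a policy that treats authentication as a verdict on safety; only the brand-versus-domain comparison catches them. Message 3 is the case p=reject handles: publishing `v=DMARC1; p=reject` for the spoofed domain tells receivers to discard mail that fails alignment. The lesson from the article's numbers is that both layers are needed, and that the second one has to reason about context rather than match patterns.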

“Organizations must layer content-based reasoning that evaluates intent and business context alongside authentication,” LeFort concluded.
