Fake DocuSign Document Request
Attack Trigger
Plausible business context makes recipients open documents without scrutiny
What Attackers Want
Corporate login credentials or malware installation
How This Attack Works
Attackers send emails impersonating DocuSign claiming a document requires your urgent signature. Clicking "Review Document" redirects to a fake Microsoft or Google login page to harvest credentials, or downloads a malware-laden file disguised as a PDF.
Red Flags to Watch For
- ✗Sender domain is not @docusign.com
- ✗"Review Document" link does not go to docusign.com
- ✗Document download is an executable, ZIP, or macro-enabled Office file
- ✗No prior business relationship explains why you would receive this document
Known Malicious Domains
These domains have been associated with this attack. Never click links going to these addresses.
- docusign-secure-sign.comMALICIOUS
- esign-docusign-alert.netMALICIOUS
- docusign-document-ready.comMALICIOUS
Glance automatically blocks emails from domains on this list. Domain list is not exhaustive — attackers register new domains continuously.
How Glance Stops This
- Domain similarity analysis catches lookalike sender addresses at millisecond speed
- SPF / DKIM / DMARC validation flags authentication failures before you ever see the email
- VirusTotal + Google Safe Browsing checks every link in real time
- Urgency language detection scores the email higher for manual review
- Known malicious domain blocklist updated continuously from live scan data
Don't wait to get hit.
Glance scans every incoming email against 12 detection layers — including the exact tactics described above — before it reaches your inbox.
Protect My Inbox — Free