Secure Document Phishing Attacks

A fresh wave of spear phishing has hit the markets with a newly themed scam called “Secure Doc”.

Spear phishing is considered to be the most specific type of phishing attack, as it’s directly targeted at an individual or an organization. This form of phishing has become one of the most prevalent phishing techniques and has seen an exponential rise with the highest success rates.

“Secure Doc” targets employees of a particular organization, sending them emails with an attached secure document. The attached document can appear to be from DocuSign, EchoSign, Secure Adobe PDF, etc. Since many organizations utilize these types of tools, it makes it difficult for the employees to differentiate a phishing document from the legitimate one. As reported by one of the victims, the “from” email address is generally spoofed so as to make it appear the document has been sent from within the organization.

Over time, it has become an interesting phenomenon to notice the “Secure Doc” phishing emails have been the most mis-flagged category of received emails. In most cases, targeted victims were not able to determine if the email they received was a phishing email or a legitimate email.

The content of the email may consist of dangerous links in the email body, attached PDFs, or malicious macros in a Word document. Many attackers spoof secure document delivery services to entice users into clicking on malicious links that redirect to a login page or a phishing page.  Users are then tricked into entering their email credentials and/or any other sensitive data. Emails with Secure Adobe PDF attachments may trick the user by making the PDF accessible only after the user’s login credentials are entered. This has become a vile yet successful technique to fool users. An even more dangerous attack transfers a malicious macro from a Word document to the user’s system. The user receives an email with an attached Word document that is then downloaded. Once downloaded, the embedded macro can initiate the installation of Ransomware or Banker Trojan on the user’s system.

Wisdom says “Prevention is better than cure.” Organizing phishing awareness campaigns for your employees on a regular basis is a good practice to help them identify and avoid these attacks. Other basics to help identify scam emails include:

  • Links to sites that have the organization name as a subdomain of another URL (“”) or as part of a longer URL (“”)
  • Emails with an attached file from legitimate businesses are often expected. Unsolicited emails with attached files should be considered suspect. It’s a good practice to always confirm with the sender whether or not the email was initiated by them.
  • Pay close attention to the communication pattern. If it seems to be different from the normal communication pattern by the sender, it’s likely to be a phishing email.
  • If there’s any doubt, call the sender or the sender’s support center. Always use the number that is known or provided by the organization. Never use a number mentioned in the email for making verification calls.

Leave a Reply

Your email address will not be published. Required fields are marked *