The holiday season has brought with it a surge in sophisticated phishing attacks that combine two dangerous tactics: credential harvesting through spoofed Docusign notifications and identity theft through fake loan application forms.
These coordinated campaigns exploit the seasonal chaos of overloaded inboxes and financial stress that peaks during Christmas and the New Year period.
Threat actors are taking advantage of the trust users place in familiar business workflows, particularly document review processes, to compromise both personal and corporate data on an unprecedented scale.
The attack campaign relies on convincing users that they need to review completed documents during the busy holiday period.
Fraudsters send emails appearing to come from Docusign with authentic-looking branding and footers, but these messages originate from suspicious domains like jritech.shop rather than legitimate Docusign servers.
.webp "Christmas Phishing Surge Chains Docusign Spoofing with Identity Theft Questionnaires 2")
The emails reference fake Christmas-themed documents such as wine orders, creating a sense of legitimacy that encourages quick clicks without verification.
When users click the Review Document button, they are redirected through multiple hosting platforms including Fastly, Glitch, and Surge.sh before landing on credential harvesting pages designed to steal corporate email logins.
Forcepoint analysts identified this sophisticated threat chain during their X-Labs research in late December, tracking how the attacks are structured and discovering the supporting infrastructure that enables the fraud.
.webp "Christmas Phishing Surge Chains Docusign Spoofing with Identity Theft Questionnaires 4")
The researchers noted that the second wave of the campaign introduces a separate but complementary attack vector targeting personal financial information rather than corporate credentials.
These holiday loan spam emails promise quick cash, low interest rates, and urgent approvals to capture sensitive personal data.
The core attack mechanism involves a multi-stage identity theft questionnaire hosted on christmasscheercash.com that walks victims through a deceptive data collection process.
.webp "Christmas Phishing Surge Chains Docusign Spoofing with Identity Theft Questionnaires 5")
The form begins innocuously by asking how much money the victim needs, with options ranging from 100 to 50,000 dollars.
It then gradually progresses to requesting basic information like name, email, and phone number, which appears normal for any loan application.
The questionnaire continues by asking about home ownership, vehicle ownership, employer details, and income information, maintaining the facade of legitimacy throughout this phase.
.webp "Christmas Phishing Surge Chains Docusign Spoofing with Identity Theft Questionnaires 6")
However, the true objective becomes clear in the final stages when the form requests complete banking information. Victims are asked to provide routing numbers, account numbers, and other sensitive details under the pretense of depositing loan funds.
After submission, users are redirected to additional fraud sites like thepersonalfinanceguide.com, which request the same information again and expose victims to endless loan offer spam.
This handoff pattern is standard in identity theft ecosystems designed to maximize data capture and monetization across multiple fraudulent platforms.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
