Forcepoint X-Labs Warns of Holiday Phishing Campaign Combining Docusign Scams and Fake Loan Offers

The holiday period consistently fuels a spike in social engineering, and this year attackers have refined their tactics by merging two lucrative vectors: DocuSign credential harvesting and fraudulent loan offers. By masquerading as routine document reviews, the phishing emails tap into familiar end‑of‑year workflows, leveraging the trust associated with a widely used e‑signature platform. The use of unrelated domains and fast‑content delivery networks such as Fastly, Glitch, and Surge.sh obscures the true origin, making traditional URL‑based defenses less effective.

Beyond corporate credentials, the campaign pivots to consumer‑focused loan scams that prey on seasonal financial pressure. Victims are funneled to sites like christmasscheercash.com, where a seemingly innocuous loan application escalates into a comprehensive identity‑theft funnel, extracting bank details and personal identifiers. The layered approach—stealing corporate logins first, then harvesting consumer data—maximizes the attackers’ resale value on underground markets and creates a persistent threat chain that can compromise both enterprise and personal ecosystems.

Mitigation requires a multi‑layered response. Security teams should enforce strict validation of DocuSign communications, checking sender domains against known corporate certificates and scrutinizing redirect chains for disposable hosting services. Email gateways must flag loan‑related offers from free or mismatched domains, and user education should emphasize the danger of unsolicited financial solicitations during the holidays. By integrating these controls, organizations can reduce the attack surface, protect sensitive credentials, and limit the flow of stolen personal data into broader identity‑theft networks.