Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Halts WhatsApp Usernames Rollout Due to Fraud Concerns
July 1, 2026
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Home/Threats/Christmas Phishing Surge Chains Docusign Spoofing with Identity Theft Questionnaires
Threats

Christmas Phishing Surge Chains Docusign Spoofing with Identity Theft Questionnaires

The holiday season marks a significant surge in sophisticated phishing attacks, combining two dangerous tactics: credential harvesting via spoofed Docusign notifications and identity theft through...

Marcus Rodriguez
Marcus Rodriguez
January 6, 2026 3 Min Read
102 0

The holiday season marks a significant surge in sophisticated phishing attacks, combining two dangerous tactics: credential harvesting via spoofed Docusign notifications and identity theft through fraudulent loan application forms.

These coordinated campaigns exploit the seasonal chaos of overloaded inboxes and financial stress that peaks during Christmas Phishingthe New Year period.

Threat actors are taking advantage of the trust users place in familiar business workflows, particularly document review processes, to compromise both personal and corporate data on an unprecedented scale.

The attack campaign relies on convincing users that they need to review completed documents during the busy holiday period.

Fraudsters send emails appearing to come from Docusign with authentic-looking branding and footers, but these messages originate from suspicious domains like jritech.shop rather than legitimate Docusign servers.

Docusign lure email (Source - Forcepoint)
Docusign lure email (Source – Forcepoint)

The emails reference fake Christmas-themed documents such as wine orders, creating a sense of legitimacy that encourages quick clicks without verification.

When users click the Review Document button, they are redirected through multiple hosting platforms including Fastly, Glitch, and Surge.sh before landing on credential harvesting pages designed to steal corporate email logins.

Forcepoint analysts identified this sophisticated threat chain during their X-Labs research in late December, tracking how the attacks are structured and discovering the supporting infrastructure that enables the fraud.

Credential harvesting page (Source - Forcepoint)
Credential harvesting page (Source – Forcepoint)

The researchers noted that the second wave of the campaign introduces a separate but complementary attack vector targeting personal financial information rather than corporate credentials.

These holiday loan spam emails promise quick cash, low interest rates, and urgent approvals to capture sensitive personal data.

The core attack mechanism involves a multi-stage identity theft questionnaire hosted on christmasscheercash.com that walks victims through a deceptive data collection process.

Xmas Loan Offer (Source - Forcepoint)
Xmas Loan Offer (Source – Forcepoint)

The form begins innocuously by asking how much money the victim needs, with options ranging from 100 to 50,000 dollars.

It then gradually progresses to requesting basic information like name, email, and phone number, which appears normal for any loan application.

The questionnaire continues by asking about home ownership, vehicle ownership, employer details, and income information, maintaining the facade of legitimacy throughout this phase.

Bank detail harvesting (Source - Forcepoint)
Bank detail harvesting (Source – Forcepoint)

However, the true objective becomes clear in the final stages when the form requests complete banking information. Victims are asked to provide routing numbers, account numbers, and other sensitive details under the pretense of depositing loan funds.

After submission, users are redirected to additional fraud sites like thepersonalfinanceguide.com, which request the same information again and expose victims to endless loan offer spam.

This handoff pattern is standard in identity theft ecosystems designed to maximize data capture and monetization across multiple fraudulent platforms.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitphishingThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

New macOS TCC Bypass Vulnerability Allow Attackers to Access Sensitive User Data

Next Post

New Tool to Remove Copilot, Recall and Other AI Tools From Windows 11

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Fluentd Vulnerabilities Allow Remote Code Execution
July 1, 2026
Weaponized Google Ads Install Malicious Claude Code to Hijack macOS
July 1, 2026
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us