Fake board-observer onboarding lure — "Welcome aboard, please sign DocuSign" to a non-existent board observer role; targets exec-adjacent staff (CFO, GC, board secretary, exec-assistant) who can't easily verify the appointment. Lookalike DocuSign / AdobeSign envelopes harvest exec-credentials and signing keys (DocuSign auth → access to all signed envelopes for the org). Sender NOT on the e-sign canonical allowlist (docusign.net / .com, adobesign.com, adobe.com, echosign.com, hellosign.com, dropbox.com, pandadoc.com, signnow.com, signrequest.com, oneflow.com, eversign.com, rightsignature.com). Distinct from R7 slow-burn-BEC and R7 estate-finance-extension — this signal is specifically the board-observer onboarding pretext, a fresh corporate-roleplay vector exploiting early-stage / startup governance churn (board observers are common at Series A-C; their onboarding rarely involves the wider company). Source: Red-Team R8 multi-agent council S2 (social-engineering specialist).

Fake board-observer onboarding lure targeting exec-adjacent staff (CFO, GC / general counsel, board secretary, executive assistants, founders + co-founders at early-stage / startup companies) who can't easily verify a board-observer appointment. The phish narrative arrives as: "Welcome aboard as a board observer. Please review and sign the attached DocuSign envelope within 48 hours to complete your board-observer onboarding. The board secretary requires your e-signature on the observer agreement," or "Welcome to the board as a non-voting observer. Please complete the AdobeSign onboarding envelope (NDA + observer agreement) within 24 hours. Sign now to activate your board-observer credentials and access the secure board portal." Lookalike DocuSign / AdobeSign envelopes harvest exec-credentials and signing keys (DocuSign / AdobeSign auth → access to all signed envelopes for the org → exfil of past employment contracts, M&A NDAs, fund-raising docs, IP-assignment agreements). Real board observers are appointed by the company secretary or board chair through a verifiable in-person or video-call introduction; their onboarding paperwork flows through known counsel + the company's standard cap-table software (Carta, Pulley, AngelList Stack, Shareworks), never via a single inbound email demanding signature on a deadline. Sender NOT on the e-sign canonical allowlist (docusign.net / .com, adobesign.com, adobe.com, echosign.com, hellosign.com, dropbox.com, pandadoc.com, signnow.com, signrequest.com, oneflow.com, eversign.com, rightsignature.com, regional DocuSign domains: eu.docusign.net, na2/3/4.docusign.net). Distinct from R7 slow-burn-BEC (multi-week relationship build) and R7 estate-finance-extension (bereavement-followup) — this signal is specifically the board-observer onboarding pretext, a fresh corporate-roleplay vector exploiting early-stage / startup governance churn (board observers are common at Series A-C; their onboarding rarely involves the wider company, so the spoof bypasses normal "is this person real?" verification). Fires when body references board (observer/observer role/observer seat/observer agreement/observer credentials/observer onboarding) / non-voting observer / observer (agreement/NDA/onboarding) AND DocuSign / AdobeSign / HelloSign / SignNow / PandaDoc / envelope / e-sign / electronic signature / e-signature / sign the (attached) (envelope/document/NDA/agreement) AND welcome aboard / welcome to the board / onboarding / complete (your) (onboarding/sign-up/enrollment) / sign (now/within/the attached) / review and sign / please sign / activate (your) (credentials/access/account) / within N hours-days / 24 hours / 48 hours urgency. Excludes the canonical e-sign domains. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R8 multi-agent council S2 (social-engineering specialist).