Fake DocuSign / eSign document signature phishing — "document awaiting your signature" from non-official domain + click link leads to credential harvesting login + may ask for Microsoft/Google/corporate credentials + real eSign platforms never request credentials via cold email

Credential phishing disguised as an electronic signature request — emails impersonating DocuSign, Adobe Sign, HelloSign, or generic "eSign portals" claim a document is waiting for the recipient's electronic signature and must be reviewed urgently. The link leads to a fake login page that harvests Microsoft 365, Google Workspace, or corporate SSO credentials. Key facts: (1) DocuSign phishing is one of the most common enterprise credential attacks — Proofpoint reports tens of millions of DocuSign-themed phishing emails per month; (2) The sender domain is always a lookalike (docusign-secure.net, adobe-esign-docs.com) — real DocuSign uses @docusign.net only; (3) Some variants explicitly ask the victim to "log in with your corporate Microsoft or Google account" to view the document; (4) After credential theft, attackers use the compromised account for BEC fraud, further phishing, or ransomware deployment; (5) Real DocuSign, Adobe Sign, and HelloSign links go directly to the signing interface — no separate login to a different site is ever required. Warning signs: non-official sender domain, urgency (48-hour expiry), request for Microsoft/Google credentials, company name not recognizable.