The DocuSign Impersonation Wave with Real-Time Customizable LogoKit

Group-IB reports a wave of DocuSign-impersonation phishing since late August 2025 that uses LogoKit to dynamically morph pages to match target organizations, hosts credential-harvesting pages on IPFS or AWS S3, and leverages spoofed headers and recipient-specific URLs to steal credentials; the report includes IOCs (IP addresses, subject pattern) and describes detection and blocking via multi-layer Business Email Protection and Time-of-Click analysis.