I noticed today that Defender and Exchange security are soft deleting legitimate emails from Docusign, even though they pass SPF checks. It seems that these tools are mistakenly flagging Docusign domains as suspicious. Given that spoofing Docusign emails is a common phishing tactic, I see the concern, but this feels excessive. I've had to restore over 50 valid Docusign emails for users, which is a significant increase compared to what I've dealt with in the past. Has anyone else experienced this issue? What could be causing it?
4 Answers
Classic Defender behavior! Docusign is often spoofed, so it makes sense they tightened their filters, but it’s frustrating to see legit emails caught in the crossfire. You might want to check if there was a recent update to your anti-phishing policy or adjust the impersonation detection settings. Adding Docusign’s sending domains to your allow list could also help in the meantime.
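The question mentions that the quarantined mail passed SPF, and the answer above suggests allow-listing Docusign's sending domains. As an added example (not code from any poster), this Python check reads the Authentication-Results header of a message and only marks it for release when DMARC passed and the SPF or DKIM pass belongs to the same domain as the visible From address. The `EXPECTED` list, the function names and both sample messages are assumptions constructed for illustration, and the alignment test is simplified to the listed domains rather than a full public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the sending domains named in the thread; adjust for your tenant.
EXPECTED = ("docusign.net", "docusign.com")

def owner(domain, expected=EXPECTED):
    """Return the expected domain that `domain` equals or is a subdomain of, else None."""
    domain = domain.rpartition("@")[2].lower().rstrip(".")
    return next((e for e in expected if domain == e or domain.endswith("." + e)), None)

def triage(raw, expected=EXPECTED):
    """Classify one message as 'release' or 'hold' from its Authentication-Results."""
    msg = message_from_string(raw)
    from_owner = owner(parseaddr(msg.get("From", ""))[1], expected)
    # Only the topmost header is read: the one stamped by your own receiving service.
    ar = " ".join(msg.get("Authentication-Results", "").split())
    ar = re.sub(r"\([^)]*\)", "", ar)  # drop parenthesised comments

    def result(method):
        m = re.search(rf"\b{method}=(\w+)", ar)
        return m.group(1).lower() if m else "none"

    def prop(name):
        m = re.search(rf"\b{re.escape(name)}=([^\s;]+)", ar)
        return owner(m.group(1), expected) if m else None

    # An SPF or DKIM pass only counts if it is for the domain shown in From.
    spf_ok = result("spf") == "pass" and prop("smtp.mailfrom") == from_owner
    dkim_ok = result("dkim") == "pass" and prop("header.d") == from_owner
    ok = from_owner is not None and result("dmarc") == "pass" and (spf_ok or dkim_ok)
    return {"from": from_owner, "spf": result("spf"), "dkim": result("dkim"),
            "dmarc": result("dmarc"), "verdict": "release" if ok else "hold"}

# Constructed sample: every check passes for the From domain.
LEGIT = ("Authentication-Results: spf=pass (sender IP is 192.0.2.10)\n"
         " smtp.mailfrom=docusign.net; dkim=pass (signature was verified)\n"
         " header.d=docusign.net; dmarc=pass action=none header.from=docusign.net\n"
         "From: Docusign <dse@docusign.net>\nSubject: constructed sample\n\nbody\n")
# Constructed sample: SPF passes, but for an unrelated envelope domain.
SPF_ONLY = ("Authentication-Results: spf=pass smtp.mailfrom=bounces.example.org;\n"
            " dkim=none; dmarc=fail header.from=docusign.net\n"
            "From: Docusign <dse@docusign.net>\nSubject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("SPF_ONLY", SPF_ONLY)):
        print(name, triage(raw))
```

A "hold" verdict means the message should go to manual review instead of being bulk-restored or covered by a domain allow entry.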
I've had similar issues with Docusign emails being marked as phishing due to the domain changes. My security tool flagged them because they were sent from docusign.net instead of the more familiar docusign.com. I read that ICANN updated the docusign.net domain recently, so that might have triggered the red flags with email security.
I dealt with this a couple of months ago. My email security flagged nearly all Docusign messages as malicious. It seems like they get used in a lot of phishing attempts, making it hard for these tools to differentiate between real and fake emails.
Yep, I noticed this too. Right from today, my security tool flagged Docusign support URLs as phishing. It seems like just a glitch with their latest update.

Absolutely, it seemed that way for a lot of emails. They must not have fully updated their detection criteria.