
2025 Holiday Scams: Docusign Phishing Meets Loan Spam

By Mayur Sewani and Ben Gibney

During Christmas and New Year, threat actors reliably exploit two pressures that peak at the same time: overloaded inboxes and financial stress. Recent X-Labs research identified two holiday-themed patterns that appear together: Docusign-themed phishing designed to harvest corporate credentials, and loan offer spam designed to capture sensitive personal and banking data.

At a glance: What we observed

  • A Docusign-branded “Review Document” lure sent from jritech[.]shop that routes clicks through disposable hosting (Fastly, Glitch and Surge.sh) before landing on a credential harvesting page
  • Multiple loan offer email variants, from obvious “Xmas loan” bait to marketing-style bulk email that looks legitimate at first glance
  • A redirect to christmasscheercash[.]com that walks victims through a step-by-step identity theft questionnaire, ending in bank details collection
  • Post-submission redirects to additional loan-themed destinations like thepersonalfinanceguide[.]com

Christmas Docusign-themed phishing attack for credential harvesting

This campaign uses spoofed Docusign notification emails sent from the domain jritech[.]shop to lure users into reviewing a fake “completed” Christmas wine order document. The message embeds authentic-looking Docusign branding and footers, but the button links redirect through non-Docusign domains hosted on disposable platforms such as Fastly, Glitch, and Surge.sh.  

These redirects ultimately lead to a credential harvesting page designed to capture corporate email logins. The goal is likely to gain access to business accounts for downstream fraud or BEC activity.

Subject: Complete Document via Docusign: review Christmas wine order transfer 

Fig. 1 - Docusign lure email

Once the user clicks the 'Review Document' button, the click is redirected to infrastructure that is not associated with Docusign. In the sample we reviewed, the button ultimately routes to a Fastly-hosted URL:

hxxps://webr-db[.]global[.]ssl[.]fastly[.]net/qi/exc.html?email= 

Fig. 2 - Credential harvesting page

Docusign phishing indicators: what to look for in “Review Document” emails

These Docusign-themed messages tend to succeed because they match a familiar business workflow. The best defense is to train both people and controls to spot the mismatch between branding and infrastructure.

Suspicious flags observed:

  • Sender domain mismatch: .shop TLDs are commonly abused in phishing
  • Infrastructure not associated with Docusign: the sending IP (195[.]54[.]161[.]105) belongs to a generic hosting range, not to Docusign infrastructure
  • Malicious hyperlinks behind the button: Fastly, Glitch and Surge user-generated hosting domains that are not related to Docusign
  • Claims of document completion and urgency that push quick clicks over verification

Practical habit to reinforce: do not trust the button. Validate the destination first, and when in doubt, access documents by navigating directly to the legitimate service.
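The branding-versus-infrastructure mismatch described above can be checked automatically at the gateway or during triage. The Python below is an added example, not code from Forcepoint or Docusign: it assumes a small allowlist of genuine Docusign link domains (docusign.com, docusign.net) and the disposable hosting suffixes named above, and runs those checks over a constructed message modelled on Fig. 1 that reuses the page's defanged indicators.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of domains a genuine Docusign notification links to.
DOCUSIGN_DOMAINS = {"docusign.com", "docusign.net"}
# User-generated hosting suffixes used in this campaign's redirect chain.
DISPOSABLE_HOSTING = (".fastly.net", ".glitch.me", ".surge.sh")

def refang(text):
    """Turn defanged IoC notation (hxxps://, [.]) back into parseable form."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.I)

def base_domain(host):
    """Crude registrable domain: last two labels (enough for the hosts here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def triage_docusign_lure(raw_email):
    """Return (indicator, detail) pairs for a Docusign-branded message."""
    msg = message_from_string(refang(raw_email))
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = base_domain(sender.rpartition("@")[2])
    branded = "docusign" in msg.get("Subject", "").lower()
    if branded and sender_domain not in DOCUSIGN_DOMAINS:
        findings.append(("sender-mismatch", sender_domain))
    if sender_domain.endswith(".shop"):
        findings.append(("abused-tld", sender_domain))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href in re.findall(r'href="([^"]+)"', body, flags=re.I):
        host = (urlparse(href).hostname or "").lower()
        if host.endswith(DISPOSABLE_HOSTING):
            findings.append(("disposable-hosting", host))
        elif base_domain(host) not in DOCUSIGN_DOMAINS:
            findings.append(("non-docusign-link", host))
    return findings

# Constructed sample modelled on Fig. 1; sender domain and button URL are the page's IoCs.
SAMPLE_LURE = """\
From: Docusign <notifications@jritech[.]shop>
Subject: Complete Document via Docusign: review Christmas wine order transfer
Content-Type: text/html; charset=utf-8

<p>Your Christmas wine order document is completed.</p>
<a href="hxxps://webr-db[.]global[.]ssl[.]fastly[.]net/qi/exc.html?email=">Review Document</a>
"""
```

Calling `triage_docusign_lure(SAMPLE_LURE)` yields the sender mismatch, the abused .shop TLD and the Fastly-hosted button link, which is exactly the set of flags listed above.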

Holiday loan spam emails: Low-rate bait and reply-to abuse

Loan spam increases during the holidays because it plays on urgency, budgeting anxiety and the hope of quick relief. These emails promise quick cash, low interest rates or urgent approvals, but the real objective is to extract personal information, or route victims into identity theft flows.

If you receive an email offering loans from unknown senders or free mail accounts, do not reply or share your details. Verify the legitimacy of any financial institution through trusted, independent channels.

Examples of holiday loan spam variants 

Fig. 3 - Xmas Loan Offer example

Fig. 4 - Xmas loan example

Common suspicious indicators in these messages

  • Legitimate lenders do not cold-email people promising fast loans
  • Very low stated interest rates (2–3%) paired with aggressive loan amounts
  • Reply-To address does not align with the apparent sender domain (for example hcc.loans@financier[.]com), and financier[.]com appears spam-associated
  • Some variants direct victims to a Gmail account, such as cfinancial720@gmail[.]com

In some cases, messages appear to be sent from compromised legitimate domains, which increases believability.

Marketing-style loan lures: bulk email that looks legitimate

In the next loan scam variant, the same seasonal themes are delivered in a far more convincing package.

Subject: Seasonal support for the Christmas plans

At a glance, this lure is designed to pass a casual “gut check.” It can look unbranded but clean, without obvious misspellings, without overt urgency phrases like “Limited Time Only!” or “Act Now!” and without explicit promises of ultra-low interest rates. 

Fig. 5 - Marketing-style lure email

The email is sent as a bulk marketing campaign, a technique scammers often use to blend into normal marketing traffic and evade basic spam cues.

Bulk indicators observed:

  • Sent via SwiftMailer, as shown by the MIME boundary separator:
    boundary="_=_swift_1765793934_f22d84cd6e328a47b2e4214bbe53742b_=_"
  • SwiftMailer is a discontinued PHP library for creating and sending email, but it has been widely used at scale

The call-to-action also uses a tracking-style marketing URL on the same domain as the sender:

hxxp://track.trust-text[.]com/index.php/campaigns/xo229otmwcfc8/track-url/ce474wg53d927/c029686d838a3ad3d65826c7e7bddcf3b6e32062

There is also an unsubscribe link pointing back to the same trust-text[.]com domain, which further reinforces the “legitimate marketing” look.
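The loan-spam indicators listed earlier (Reply-To mismatch, free mail accounts, very low stated rates) and the bulk-mail indicators in this section (SwiftMailer boundary, tracking-style link on the sender's own domain) can be scored together. The Python below is an added example, not part of the original post or any vendor product: it assumes a short list of free-mail providers, treats single-digit percentage rates as low-rate bait, and runs over a composite constructed message that combines the page's defanged Reply-To, boundary and tracking-link indicators.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
SWIFT_BOUNDARY = re.compile(r'boundary="_=_swift_\d+_[0-9a-f]{32}_=_"')
LOW_RATE = re.compile(r"\b(\d(?:\.\d+)?)\s*%")  # single-digit rates such as 2% or 2.5%
TRACKING_URL = re.compile(r'https?://([^/\s"<>]+)/[^\s"<>]*?/campaigns/[^/\s"<>]+/track-url/', re.I)

def domain_of(header_value):
    """Lower-cased domain of the first address in a From or Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage_loan_spam(raw_email):
    """Return (indicator, detail) pairs for the loan-spam signs described above."""
    msg = message_from_string(raw_email)
    findings = []
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))
    for dom in sorted({from_dom, reply_dom} & FREE_MAIL):
        findings.append(("free-mail-account", dom))
    if SWIFT_BOUNDARY.search(msg.get("Content-Type", "")):
        findings.append(("swiftmailer-bulk", "boundary"))
    # Concatenate every text/* part so single-part and multipart mail are both covered.
    body = "".join(part.get_payload(decode=True).decode("utf-8", "replace")
                   for part in msg.walk() if part.get_content_type().startswith("text/"))
    for rate in LOW_RATE.findall(body):
        if float(rate) <= 3:
            findings.append(("low-rate-bait", rate + "%"))
    for host in TRACKING_URL.findall(body):
        if host.lower().endswith(from_dom):  # marketing-style tracker on the sender's own domain
            findings.append(("tracking-url-on-sender-domain", host.lower()))
    return findings

# Composite constructed sample: the addresses, SwiftMailer boundary and tracking link
# are the page's IoCs (defanged there, refanged here so they parse).
SAMPLE_BULK = """\
From: Marc.Jordon@trust-text[.]com
Reply-To: hcc.loans@financier[.]com
Subject: Seasonal support for the Christmas plans
Content-Type: multipart/alternative; boundary="_=_swift_1765793934_f22d84cd6e328a47b2e4214bbe53742b_=_"

--_=_swift_1765793934_f22d84cd6e328a47b2e4214bbe53742b_=_
Content-Type: text/html; charset=utf-8

<a href="hxxp://track.trust-text[.]com/index.php/campaigns/xo229otmwcfc8/track-url/ce474wg53d927/c029686d838a3ad3d65826c7e7bddcf3b6e32062">Rates from 2% this Christmas</a>
--_=_swift_1765793934_f22d84cd6e328a47b2e4214bbe53742b_=_--
""".replace("[.]", ".").replace("hxxp", "http")
```

`triage_loan_spam(SAMPLE_BULK)` reports the Reply-To mismatch, the SwiftMailer boundary, the 2% bait and the tracking link on trust-text[.]com; a plain Gmail-sent variant trips only the free-mail check.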

ChristmasCheerCash redirect: How the identity theft questionnaire works

When the victim clicks through the marketing-style lure, the redirect chain leads to christmasscheercash[.]com and begins the core phishing activity: structured identity data collection.

Fig. 6 - Holiday loan scam

The flow starts with a harmless-seeming question (loan amount), then quickly transitions into progressively more sensitive identity information: 

Fig. 7 - Starts with basic loan information

Next come questions that a genuine loan application would plausibly ask, which make the process seem more legitimate:

Fig. 8 - More loan application questions

The flow then turns quickly to the information that matters for identity theft:

Fig. 9 - Personal information for identity theft

Beyond the screens above, the questionnaire continues with income-related prompts (employer details, salary amount and frequency) and questions about prior loans. These steps are designed to make the process feel like a normal loan application while collecting high-value identity data.

And finally, the flow zeroes in on the victim’s bank details:

Fig. 10 - Bank detail harvesting

What happens after submission: Secondary redirects and more loan spam

After the victim submits the form, they are redirected to another similar loan-themed site, thepersonalfinanceguide[.]com, which requests similar information again and includes links to additional spam loan offers (refinancing, student loan forgiveness and more).

This “handoff” pattern is common in identity theft ecosystems: once a victim is willing to provide data, they can be routed across multiple sites to maximize data capture, monetization or both. 

Fig. 11 - Fake personal finance site

How to protect against Docusign phishing and holiday loan spam

These campaigns are effective because they mimic normal end-of-year workflows: reviewing documents, responding to marketing offers and resolving budget gaps. Defense should focus on breaking the chain early.

Recommended defensive actions:

  • Treat Docusign-themed emails as untrusted until validated: verify sender domains and validate the destination behind buttons before clicking
  • Flag Docusign messages that route through unrelated infrastructure or disposable hosting (Fastly, Glitch, Surge.sh) instead of expected service domains
  • Treat loan offers from unknown senders, free mail accounts, or mismatched Reply-To domains as high risk
  • Monitor for marketing-style tracking links that pivot into non-marketing outcomes (identity questionnaires, PII capture)

Conclusion

During the holidays, scammers use seasonal themes to push loan offers and document-review phishing emails. These messages may appear legitimate and avoid obvious spam cues, but subtle red flags include generic formatting, mismatched sender domains and suspicious redirected links. “Holiday loan” scams attempt to collect personal and financial details for identity theft, while Docusign-themed attacks seek corporate login credentials for further fraud. Always verify unsolicited messages before clicking links or sharing information. Staying alert helps prevent account compromise and financial loss during this high-risk season.

Protection statement

Forcepoint customers are protected against this threat at the following stages of attack:

  • Lure – Emails and embedded URLs are blocked by email analytics and web analytics.
  • Redirect – The redirect URLs that send users to the phishing pages are blocked.

IOCs

URLs:

  • http://track[.]trust-text[.]com
  • hxxps://www[.]christmasscheercash[.]com/?id=5FfbxodhySi_D1TNJ-PpNRzZGFRGN7K_peJxXJjmuIA.&subId=ce474wg53d927
  • hxxps://go.thepersonalfinanceguide[.]com/
  • hxxps://webr-db[.]global[.]ssl[.]fastly[.]net/qi/exc.html

Sender and Reply-To suspicious domains and addresses:

  • jritech[.]shop
  • cfinancial720@gmail[.]com
  • financier[.]com
  • Marc.Jordon@trust-text[.]com

Mayur Sewani

Mayur serves as a Senior Security Researcher on the Forcepoint X-Labs Research Team. He focuses on APT malware, information stealers and phishing attacks, and works to stay on top of the latest threats. He is passionate about advancing the field of defensive adversary emulation and research.

Ben Gibney

As a Security Researcher III on the X-Labs team, Ben oversees the analytics and research used in website and email filtering for millions of people across the globe. He draws on a wide range of open and closed sources of intelligence and applies this knowledge to an assortment of web traffic, email and file scanning technologies.
