2025 Holiday Scams: Docusign Phishing Meets Loan Spam
Dec. 23, 2025, 5:50 p.m.
Description
During the holiday season, threat actors exploit overloaded inboxes and financial stress through two main patterns: Docusign-themed phishing for corporate credential harvesting and loan offer spam for personal data theft. The Docusign campaign uses spoofed emails with authentic-looking branding, redirecting through disposable hosting platforms to a credential harvesting page. The loan scams range from obvious 'Xmas loan' offers to sophisticated marketing-style emails, ultimately leading victims to a detailed identity theft questionnaire on christmasscheercash.com. Both scams utilize seasonal themes and mimic normal end-of-year workflows to increase effectiveness. Defensive measures include verifying sender domains, validating link destinations, and treating unsolicited loan offers as high risk.
Date
- Created: Dec. 23, 2025, 3:09 p.m.
- Published: Dec. 23, 2025, 3:09 p.m.
- Modified: Dec. 23, 2025, 5:50 p.m.
Indicators
- www.christmasscheercash.com
- http://track.trust-text.com/index.php/campaigns/xo229otmwcfc8/track-url/ce474wg53d927/c029686d838a3ad3d65826c7e7bddcf3b6e32062
- http://www.christmasscheercash.com/?id=5FfbxodhySi_D1TNJ-PpNRzZGFRGN7K_peJxXJjmuIA.&subId=ce474wg53d927
- Hxxps://go.thepersonalfinanceguide.com/
- https://webr-db.global.ssl.fastly.net/qi/exc.html
Additional Information
- thepersonalfinanceguide.com
- christmasscheercash.com
- trust-text.com
- financier.com
- track.trust-text.com
- go.thepersonalfinanceguide.com
- jritech.shop