216.73.217.22

2025 Holiday Scams: Docusign Phishing Meets Loan Spam

· Published 23/12/2025 15:09 · Modified 23/12/2025 17:50

Export JSON

Essential information

Published
23/12/2025 15:09
Modified
23/12/2025 17:50
Tags
2025-12-23 credential harvesting docusign email security holiday-themed identity theft loan scams phishing
Related entities
3 observables, 7 techniques (mitre), 7 others

Description

During the holiday season, threat actors exploit overloaded inboxes and financial stress through two main patterns: -themed for corporate and loan offer spam for personal data theft. The campaign uses spoofed emails with authentic-looking branding, redirecting through disposable hosting platforms to a page. The range from obvious 'Xmas loan' offers to sophisticated marketing-style emails, ultimately leading victims to a detailed questionnaire on christmasscheercash.com. Both scams utilize seasonal themes and mimic normal end-of-year workflows to increase effectiveness. Defensive measures include verifying sender domains, validating link destinations, and treating unsolicited loan offers as high risk.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (3)

  • www.christmasscheercash.com
  • http://track.trust-text.com/index.php/campaigns/xo229otmwcfc8/track-url/ce474wg53d927/c029686d838a3ad3d65826c7e7bddcf3b6e32062There
  • http://www.christmasscheercash.com/?id=5FfbxodhySi_D1TNJ-PpNRzZGFRGN7K_peJxXJjmuIA.&subId=ce474wg53d927Hxxps://go.thepersonalfinanceguide.com/https://webr-db.global.ssl.fastly.net/qi/exc.htmlSender

Techniques (MITRE) (7)

Others (7)

  • thepersonalfinanceguide.com
  • christmasscheercash.com
  • trust-text.com
  • financier.com
  • track.trust-text.com
  • go.thepersonalfinanceguide.com
  • jritech.shop

External references