Phishing emails impersonating electronic signature technology provider DocuSign are not an unusual sight, but the latest campaign has the added advantage of specifically targeting registered DocuSign users.
How is that possible?
As confirmed by the DocuSign, attackers have gained access to a non-core system that the company uses to communicate service-related announcements to users via email, and they swiped a list of customer email addresses.
“A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure,” the company stated.
The explanation comes after two repeated warnings about a DocuSign-themed phishing campaign last week and on Monday.
By their own report, the company has over 200 million users, but they did not say whether email addresses of all of them were compromised in the breach.
Advice from the company
The emails in question hold the following subject lines:
- Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature
- Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature
They contain DocuSign branding in the headers and body of the email, and a link to a Word Document which is designed to trick the recipient into running macro-enabled malware.
“Please remember to be particularly cautious if you receive an invitation to sign or view a Document you are not expecting,” the company noted. They advised to users to forward any suspicious DocuSign-themed email to firstname.lastname@example.org, and then delete it.
Users who are not sure about an email but are afraid to miss an important document can always enter the security code at the end of the email into the docusign.com website, and check it out independently from any link in an email.