- Last week, DocuSign warned users to be wary of unexpected emails with a certain subject line.
- This week, the company shares more details, including the fact that the third party responsible for the email was able to access DocuSign customer email addresses (but nothing else, the company says).
Did you get a DocuSign agreement sent to you lately that didn’t quite look right — and that had a Word document attached for download?
If you downloaded that document, then you could have installed malicious software onto your device.
A week ago, the company posted a note in its Trust Center about the campaign. It warned users to be wary of unexpected emails with the subject line “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature” and including a Word document for download.
The invitation to download the document was “designed to trick the recipient into running what’s known as macro-enabled-malware,” said DocuSign in the post.
What’s the ‘malicious campaign’?
A valid DocuSign email will invite the recipient to view and sign a PDF through the company’s secure platform rather than attach a document download — but this campaign is targeting actual DocuSign customers, and many of them might not hesitate to download a document from a company they think they know.
DocuSign noted in its Trust Center that the emails are sent from email addresses not related to DocuSign — for example, “email@example.com.” “Legitimate DocuSign signing emails come from @docusign.com or @docusign.net email addresses,” the company added.
Earlier this week, DocuSign said that it “confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email.”
This is how that third party was able to get a hold of some DocuSign customer email addresses; the company says that’s all the hackers got, though. “No names, physical addresses, passwords, social security numbers, credit card data or other information was accessed,” it stated. “No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.”
How can you protect yourself?
First, err on the side of suspicion. Are you expecting a document to examine or sign? No? Then be extra alert.
Next, look at the sender and the subject line. — if the email address domain says anything other than @docusign.com or @docusign.net, this could be part of the malicious campaign.
And if the subject line says “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” or “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature” — delete those emails; they didn’t come from DocuSign.
If the link inside the document directs you somewhere other than a www.docusign.com or a www.docusign.net domain — that’s not right.
DocuSign also suggests that all users ensure their anti-virus software is updated (and enabled) and offers a phishing white paper as a resource.