A recent compromise of a system at DocuSign, the electronic document signing vendor, led to a phishing campaign that’s hitting some of the company’s customers right now.
Officials at DocuSign said they had noticed an increase in phishing emails to some customers and users in recent days and began investigating whether the company’s eSignature service had been compromised. The investigation turned up no evidence of a breach of that service, but the company did find that a separate system had been compromised and that attackers had accessed a list of customer email addresses, leading to the current phishing campaigns.
The attackers hit a “non-core system that allows us to communicate service-related announcements to users via email”, the company said in a blog post on the incident.
“A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure,” the post says.
The phishing campaign uses emails that mimic the format of legitimate DocuSign eSignature messages. Subject lines seen on the phishing emails include: “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”.
The phishing emails carry a malicious Word attachment that installs malware on the victim’s machine when it is opened. The attackers are specifically targeting DocuSign customers, who are accustomed to receiving confirmation emails and other messages from the company. The phishing messages, however, look slightly different from the real ones and will likely come from a sender the victim does not recognize.
“They may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like “docusgn.com” without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net,” the company said in its post.
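The indicators DocuSign lists above (a misspelled sender domain, a Word attachment, a link whose host is not www.docusign.com or www.docusign.net) can be turned into a mail-filter check. The following is an added example written for this article, not DocuSign's own tooling; the message dict layout, the subject regex and the lookalike threshold are assumptions, and the sample message is constructed.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts behind the two legitimate link prefixes named in DocuSign's post.
LEGIT_LINK_HOSTS = {"www.docusign.com", "www.docusign.net"}
LEGIT_SENDER_DOMAINS = {"docusign.com", "docusign.net"}
SUBJECT_RE = re.compile(r"^Completed:?\s.*Document Ready for Signature$", re.I)
WORD_ATTACHMENT_RE = re.compile(r"\.(docx?|docm)$", re.I)

def levenshtein(a, b):  # edit distance; small values flag near-miss brand spellings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike_domain(domain):
    """True for docusgn.com or docus.com style spellings (threshold is an assumption)."""
    labels = domain.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return label != "docusign" and ("docus" in label or levenshtein(label, "docusign") <= 2)

def assess(msg):
    """Indicators from the post tripped by a message dict (from, subject, links, attachments)."""
    found = []
    _, addr = parseaddr(msg.get("from", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in LEGIT_SENDER_DOMAINS and is_lookalike_domain(domain):
        found.append("lookalike-sender")
    if SUBJECT_RE.search(msg.get("subject", "")):
        found.append("subject-pattern")
    for url in msg.get("links", []):
        parsed = urlparse(url)
        # Compare the parsed hostname, not a string prefix: a prefix test would
        # accept https://www.docusign.com.attacker.example/ as legitimate.
        if parsed.scheme != "https" or parsed.hostname not in LEGIT_LINK_HOSTS:
            found.append("off-domain-link")
            break
    if any(WORD_ATTACHMENT_RE.search(n) for n in msg.get("attachments", [])):
        found.append("word-attachment")
    return found

# Constructed sample shaped like the subject lines quoted in the article.
SAMPLE_PHISH = {"from": "DocuSign <dse@docusgn.com>",
                "subject": "Completed: example.com - Wire transfer for J. Doe Document Ready for Signature",
                "links": ["http://review-docs.example/sign"], "attachments": ["invoice.docm"]}
```

Running `assess(SAMPLE_PHISH)` returns all four indicator names; a genuine notification from docusign.net with an https://www.docusign.net link returns an empty list.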
Customers use DocuSign’s service to electronically sign a variety of documents, including sensitive ones such as HR-related documents that contain personally identifiable information, and financial documents.