DocuSign Breach

DocuSign Breach Leads to Targeted Email Malware Campaign

DocuSign, a major provider of electronic signature technology, acknowledged that a series of recent malware phishing attacks targeting its customers and users was the result of a data breach at one of its computer systems. 

The company stresses that the data stolen was limited to customer and user email addresses, but the incident is especially dangerous because it allows attackers to target users who may already be expecting to click on links in emails from DocuSign.

The information was enough to allow attackers to craft specially targeted e-mail campaigns at users featuring doctored branding and headers that make messages appear to contain legitimate DocuSign attachments. Many of the phishing e-mails contains the following in the header: “Completed: – Wire Transfer Instructions for recipient-name Document Ready for Signature.” The message contained a link to a downloadable Microsoft Word document that harbored malware.

DocuSign recommends anyone receiving the suspicious e-mails to forward them to the company at and then delete the message.

The company also said that an easy way to spot a potentially malicious message is to look for any slight misspellings, especially in the "DocuSign" company name. And, as a reminder, DocuSign is also recommending that users take this opportunity to make sure that their antivirus software is running and up to date. 

If you have reason to expect a DocuSign document via email, don’t respond to an email that looks like it’s from DocuSign by clicking a link in the message. When in doubt, access your documents directly by visiting, and entering the unique security code included at the bottom of every legitimate DocuSign email. DocuSign says it will never ask recipients to open a PDF, Office document or ZIP file in an email.

DocuSign was already a perennial target for phishers and malware writers, but this incident is likely to intensify attacks against its users and customers. DocuSign says it has more than 100 million users, and it seems all but certain that the criminals who stole the company’s customer email list are going to be putting it to nefarious use for some time to come.

Sources: Krebs on Security, Redmond Magazine