DocuSign, a major provider of electronic signature technology based in San Francisco, admitted that a series of recent phishing attacks delivering malware to its customers and users was the result of a data breach in one of its computer systems. The company stresses that the stolen data was limited to customer and user email addresses. The incident is especially dangerous because it allows attackers to target users who may already be expecting emails from DocuSign. This form of attack is known as phishing.

DocuSign warned on May 9 that it was tracking a malicious email campaign in which the subject line reads, “Completed: docusign.com – Wire Transfer Instructions for recipient-name Document Ready for Signature.” The email contained a link to a downloadable Microsoft Word document. The document contains malware and tricks users into enabling Word’s macro feature, which then downloads and installs malware on the user’s workstation.

The company initially said that the messages were not associated with DocuSign and had been sent by a malicious third party. However, in an update on Monday, DocuSign confirmed that this malicious third party was able to send the messages to DocuSign’s customers and users because it had broken in and stolen the company’s list of customers and users.

“As part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email,” DocuSign wrote in an alert posted to its site. “A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.”

What to look for with this phishing malware attack

DocuSign is advising customers to filter or delete any emails with specific subject lines. The subjects look something like:

  • Completed: [domain name] – “Wire transfer for recipient-name Document Ready for Signature”

  • Completed [domain name/email address] – “Accounting Invoice [Number] Document Ready for Signature”

  • Subject: “Legal acknowledgement for [recipient username] Document is Ready for Signature”
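
One way to turn the subject lines above into a mail filter rule, shown as an added example that is not DocuSign's own tooling. The regular expressions are an interpretation of the three listed subjects plus the May 9 variant, and the labels, function names and sample messages are constructed for illustration.

```python
import re
import unicodedata
from email import message_from_string, policy

# Patterns derived from the subject lines listed above; bracketed placeholders
# ([domain name], [Number], recipient name) become wildcards.
TAIL = r"document (?:is )?ready for signature"
CAMPAIGN_PATTERNS = {
    "wire-transfer": re.compile(
        rf"completed:? \S+ - wire transfer (?:instructions )?for .+ {TAIL}"),
    "accounting-invoice": re.compile(
        rf"completed:? \S+ - accounting invoice \S+ {TAIL}"),
    "legal-acknowledgement": re.compile(
        rf"legal acknowledgement for .+ {TAIL}"),
}
# Fold dash variants to "-" and drop straight/curly double quotes.
FOLD = str.maketrans({"\u2013": "-", "\u2014": "-", '"': None,
                      "\u201c": None, "\u201d": None})

def normalize_subject(subject):
    """Fold Unicode forms, dashes, quotes, spacing and case before matching."""
    text = unicodedata.normalize("NFKC", subject).translate(FOLD)
    return re.sub(r"\s+", " ", text).strip().lower()

def classify(raw_message):
    """Return the campaign label for a raw RFC 5322 message, or None."""
    # policy.default decodes RFC 2047 encoded-word subjects for us.
    msg = message_from_string(raw_message, policy=policy.default)
    subject = normalize_subject(str(msg["Subject"] or ""))
    for label, pattern in CAMPAIGN_PATTERNS.items():
        if pattern.search(subject):
            return label
    return None

# Constructed sample messages for illustration (not captured mail).
SAMPLES = [
    "Subject: Completed: example.test \u2013 Wire Transfer Instructions for "
    "Jane Doe Document Ready for Signature\n\nbody",
    "Subject: =?utf-8?Q?Completed_billing=40example.test_=E2=80=93_Accounting"
    "_Invoice_48213_Document_Ready_for_Signature?=\n\nbody",
    "Subject: Legal acknowledgement for jdoe Document is Ready for Signature\n\nbody",
    "Subject: Completed: Please DocuSign Lease Agreement.pdf\n\nbody",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw), "<-", raw.splitlines()[0])
```

Matches are best quarantined for review rather than silently deleted, since the subjects deliberately resemble genuine DocuSign notifications.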

Following the recent newsworthy security breaches, it is becoming critical to educate employees on identifying and handling potential threats. Raising awareness is not enough, however. Because of the human factor, many email solutions, whether cloud-based or on-premise, integrate with outside email security services that filter and quarantine potential threats before they reach the email server or even the network. QWERTY Concepts provides email security services for their cloud platform, Office 365, and on-premise email servers.

The company is asking people to forward suspicious emails related to DocuSign to [email protected]