DocuSign Phishing Attack: Only Email Addresses Were Accessed

DocuSign, an electronic signature technology provider, recently confirmed a malicious third party launched a phishing attack to gain temporary access to a non-core system used for service-related announcements.

A forensic analysis revealed only a list of email addresses was accessed during the phishing attack, according to DocuSign. However, DocuSign has not yet confirmed the number of email addresses that were accessed.

The analysis also showed no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed, DocuSign said.

Furthermore, no content or any customer documents sent through DocuSign's eSignature system were accessed, the company pointed out.

DocuSign Phishing Attack: A Closer Look

DocuSign this month detected an increase in phishing emails sent to some of its users. These emails "spoofed" the DocuSign brand, the company indicated, in an attempt to trick recipients into opening an attached Word document that would install malicious software.

The company posted alerts on the DocuSign Trust Center and in social media to inform users about the phishing emails, according to DocuSign.

The DocuSign eSignature service, envelopes and customer documents remain secure, the company stated.

"We have no evidence that there is any impact to any instance of DocuSign," DocuSign noted in a prepared statement.

DocuSign Phishing Attack: Fallout

DocuSign is actively communicating about the phishing attack via the DocuSign Trust Center and posting updates across its website and social media channels, according to the company. It also is working on direct customer outreach.

In addition, DocuSign has "taken immediate action to prohibit unauthorized access to  system ... put further security controls in place and  working with law enforcement agencies," the company said in a prepared statement.

DocuSign Email and System Security Tips

DocuSign has offered the following email and system security tips to those who may have been affected by the phishing attack:

  • Delete any emails with the following subject lines: "Completed: – Wire transfer for recipient-name Document Ready for Signature" and "Completed – Accounting Invoice Document Ready for Signature."
  • Forward any suspicious emails related to DocuSign to [email protected]. Then, delete these emails.
  • Ensure your antivirus software is up to date.

Moreover, cloud-based email security company The Email Laundry has provided the following tips to protect businesses against phishing attacks:

  • Implement email security best practices. Never send out personal information from an unsecured email and ensure all email is encrypted.
  • Train your employees. Teach employees how to identify and address phishing attacks.
  • Use an email security company. An email security service can help companies limit the amount of spam and phishing emails that reach employee inboxes.

Many email security service providers are available, The Email Laundry CEO Ken Bagnall said in a prepared statement.

As such, companies that work with an email security service provider may be better equipped than others to reduce the risk of falling victim to a phishing attack, Bagnall indicated.

Dan Kobialka