DocuSign breach leads to uptick in phishing messages

May 16, 2017

Per a report from Brian Krebs:

DocuSign, a major provider of electronic signature technology, acknowledged today that a series of recent malware phishing attacks targeting its customers and users was the result of a data breach at one of its computer systems. The company stresses that the data stolen was limited to customer and user email addresses, but the incident is especially dangerous because it allows attackers to target users who may already be expecting to click on links in emails from DocuSign.

Per their blog, DocuSign confirmed the access as well as the type of data exposed:

A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

Our concern is that the data will be used for phishing attacks against DocuSign customers and users. As Krebs notes, the incident is dangerous because you might be expecting an email from DocuSign about a needed signature.

While we have not seen reports of this attack impacting Duke users, we wanted to make sure that you are aware of the danger so that you can pass the information along to your communities.

A sample message is available via the Krebs link, and you should be on the lookout for messages that have the following characteristics, as they could link to a Microsoft Word document with malware:

“Completed: [domain name]  – Wire transfer for recipient-name Document Ready for Signature”

“Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”.
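For mail administrators who want to check stored messages against the two templates above, the following Python is an added example and not part of the original notice. It assumes the quoted strings are message subject lines; the template names, the tolerance for hyphen, en-dash or em-dash and an optional colon, and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# The two subject templates quoted in the advisory. Bracketed fields vary per
# message; the dash may arrive as "-", en dash or em dash; the colon is optional.
_HEAD = r"^Completed:? (?P<org>\S+) [-\u2013\u2014] "
_TAIL = r" Document Ready for Signature\.?$"
TEMPLATES = {  # names are hypothetical labels, not from the advisory
    "wire-transfer": re.compile(_HEAD + r"Wire transfer for .+?" + _TAIL, re.I),
    "accounting-invoice": re.compile(_HEAD + r"Accounting Invoice \S+" + _TAIL, re.I),
}

def decoded_subject(raw_message: str) -> str:
    """Return the Subject with RFC 2047 encoded-words decoded and whitespace collapsed."""
    raw = message_from_string(raw_message).get("Subject", "")
    text = str(make_header(decode_header(raw)))
    return " ".join(text.split())

def classify(raw_message: str):
    """Return the matching template name, or None if the subject fits neither."""
    subject = decoded_subject(raw_message)
    for name, pattern in TEMPLATES.items():
        if pattern.search(subject):
            return name
    return None

# Constructed sample messages (not real mail): one plain, one MIME-encoded, one benign.
SAMPLES = [
    "From: a@example.net\nSubject: Completed: example.org  - Wire transfer for jdoe "
    "Document Ready for Signature\n\nbody",
    "From: b@example.net\nSubject: =?utf-8?q?Completed_example.org_=E2=80=93_"
    "Accounting_Invoice_12345_Document_Ready_for_Signature?=\n\nbody",
    "From: c@example.net\nSubject: Completed: Please DocuSign: NDA.pdf\n\nbody",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), "|", decoded_subject(sample))
```

Decoding the header before matching matters because a subject containing an en dash is normally transmitted as an RFC 2047 encoded-word, which a plain-text search of the raw header would miss.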

Please contact about any email messages you are concerned about.