Stolen DocuSign customer emails used for phishing attacks.
Stolen DocuSign customer emails used for phishing attacks.

Threat actors are using stolen DocuSign customer emails in a phishing campaign to spread malicious Word Documents.

DocuSign said in a May 15 statement, “today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email."

The company, which offers e-signature solutions, said that only email addresses were compromised and that all other customer information remains secure. Officials said they took immediate action to prohibit unauthorized access to this system and have put more security controls in place to prevent future compromises.

The company recommends users delete any emails with the subject line, “Completed: [domain name]  – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature.”

Furthermore users should forward any suspicious emails related to DocuSign to spam@docusign.com and then delete them from their devices, particularly when they don't recognize the sender, weren't expecting a document to sign, the document contains misspellings, or redirects users to suspicious links.

Users should also ensure all their systems have been updated. The majority of people who deal with signing documents digitally should already be on their toes, Tripwire Senior Security Research Engineer Travis Smith told SC Media.

“Anyone who deals with unsolicited documents on a regular basis should already be well versed in validating the document with the sender before opening, however it's easy to get into a routine and let your guard down,” Smith said. “Knowing that the breach has occurred and this may be a potential attack vector is a good reminder to raise your guard back up and keep a watchful eye on any suspicious documents coming across your email.”  

He  added, that there should be out-of-band communication going on both before and after the documents are sent for signature making it easier to dismiss fraudulent claims.   

“The DocuSign breach reinforces one big thing: It's not just the big fish being targeted in phishing campaigns, it's pretty much anyone with an email address,” Varonis Technical Evangelist Brian Vecci told SC Media. “While you might not have a trove of emails about a U.S. Presidential campaign or access to a cache of classified files, you have something else that hackers want – family vacation photos, your sister's wedding video, your electronic financial documents.”

Vecci noted that users should check the website "Have I been pwned" to see if their email address was compromised in this or another incident. 

“The cost associated with phishing campaigns has gone down over the past year – making it easier than ever to launch a phishing campaign due to the availability inexpensive servers and DIY kits, Ajay Uggirala, director of product marketing at Imperva, told SC Media. “As we see in this attack, even the most tech savvy companies and users can fall victim to phishing.”

This means that users can't remain complacent when it comes to user training and awareness and that they should remember that it they aren't completely sure that the email is genuine, users should check their IT Teams first.