Cyber Incident Victim: DocuSign
Date: May 2017
Location: United States of America
Summary
A breach at an electronic signature provider compromised customer email addresses from a non-core system used for service announcements, enabling attackers to launch targeted phishing campaigns impersonating legitimate communications. Malicious emails contained links to malware-infected Word documents disguised as wire transfer instructions, leveraging stolen contact lists to exploit user trust in expected correspondence. The company confirmed no access to core eSignature systems, documents, or sensitive data like passwords or financial information, maintaining that only email addresses were exfiltrated. This incident amplified existing phishing risks for users by providing attackers with validated targets, though legitimate communications could still be verified via direct platform access using unique security codes.
Description
On May 9, 2017, DocuSign disclosed it was tracking a malicious email campaign impersonating its services, with subject lines referencing wire transfer instructions and documents ready for signature. These emails contained links to malware-laden Microsoft Word documents. Initially, DocuSign stated the messages originated from a malicious third party misusing its branding but were unrelated to its systems. Subsequent investigation revealed the campaign stemmed from a breach where attackers gained temporary access to a non-core DocuSign system used for sending service-related email announcements. The compromise enabled theft of customer and user email addresses but did not extend to names, physical addresses, passwords, Social Security numbers, credit card data, or customer document content. DocuSign confirmed its core eSignature service, envelopes, and document repositories remained secure throughout the incident.

Following forensic analysis, DocuSign alerted customers that the stolen email addresses facilitated highly targeted phishing attempts, exploiting trust in expected DocuSign communications. The company advised recipients to scrutinize emails for anomalies such as unrecognized senders, unexpected documents, misspellings (e.g., “docusgn.com” or “@docus.com”), attachments, or links deviating from legitimate docusign.com or docusign.net domains. It recommended forwarding suspicious emails to [email protected] before deletion and emphasized that authentic DocuSign emails never require opening PDFs, Office files, or ZIP archives. Users expecting documents were instructed to bypass email links entirely, instead accessing materials directly via docusign.com using unique security codes embedded in legitimate correspondence. The breach amplified existing phishing risks for DocuSign’s 100 million users, as attackers leveraged validated email lists to enhance credibility, ensuring prolonged exploitation potential.
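
The link check described above, as an added example (not DocuSign's code and not part of the original page): it pulls links out of a message body and flags any whose host is not docusign.com, docusign.net, or a subdomain of one. The function names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains the advisory names as legitimate for DocuSign links.
LEGIT_DOMAINS = ("docusign.com", "docusign.net")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def link_host(url):
    """Return the host a client would actually connect to, lowercased."""
    try:
        # .hostname drops userinfo ("docusign.com@host") and any port.
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""
    return host.rstrip(".")


def is_legit_host(host):
    """True only for a legitimate domain itself or a subdomain of one."""
    # Compare on a label boundary so "notdocusign.com" and
    # "docusign.com.example.test" both fail.
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def suspicious_links(body):
    """Return (url, host) for every link outside the legitimate domains."""
    findings = []
    for url in URL_RE.findall(body):
        host = link_host(url)
        if not is_legit_host(host):
            findings.append((url, host))
    return findings


# Constructed sample message body; hosts and paths are illustrative only.
SAMPLE = """\
Your document is ready: https://www.docusign.net/Signing/start
Wire instructions: http://docusgn.com/wire.doc
Review here: https://docusign.com.example.test/login
Sign now: https://docusign.com@files.example.test/doc
"""

if __name__ == "__main__":
    for url, host in suspicious_links(SAMPLE):
        print(f"SUSPICIOUS host={host!r} url={url}")
```

A substring test such as `"docusign.com" in url` would pass the last two sample links, which is why the comparison is made on the parsed host.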
