Security Experts:

Data Stolen in DocuSign Breach Used for Email Attacks

Electronic signature technology provider DocuSign informed customers on Monday that they may receive malicious emails after cybercriminals managed to steal email addresses from one of its servers.

DocuSign recently issued a couple of malicious email campaign alerts to warn users of fake emails set up to deliver malware via macro-enabled Word documents.

The fake messages appeared to come from addresses such as [email protected] and [email protected], and they carried the subject line “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature.”

On Monday, DocuSign admitted that the spike in malicious emails was the result of a security breach. According to the company, hackers breached a “non-core system” designed for sending service-related email announcements to users.

The firm said the attackers only accessed email addresses; there was no evidence that names, physical addresses, passwords, social security numbers, payment card data or other information had been compromised.

“No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure,” DocuSign stated.

The company said it locked the attackers out of its systems and rolled out additional security controls. Law enforcement agencies have been notified of the incident.

DocuSign-themed spam campaigns are not uncommon, but having a list of email addresses that are known to belong to the company’s customers increases the likelihood of recipients opening the malicious emails.

DocuSign has advised users to be wary of these malicious emails and forward any suspicious messages to [email protected].

“[The emails] may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like ‘’ without an ‘i’ or, contain an attachment, or direct you to a link that starts with anything other than or,” DocuSign said.

Related Reading: Stolen LinkedIn Data Used in Personalized Email Attacks

Related Reading: 272 Million Email Credentials Discovered in Cybercrime Forum

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.