docusign phishes

DocuSign Phishing Campaigns: What to Know Before You Sign on the Line

June 1, 2017 | By

— Updated June 8, 2017 —

Over the last few weeks, there have been several phishing attacks that use fake DocuSign branding to try to trick users into downloading malicious attachments (Word docs) that can transmit malware. These DocuSign phishes have been quite convincing and sophisticated, similar to the Google Drive attacks that we saw a few weeks back.

Here’s what you need to know to stay safe from these phishes.

What The DocuSign Phishes Look Like

There have been three distinct campaigns so far. These include:

  • A wire transfer document
  • An accounting invoice
  • A legal acknowledgement

Of course, all three are fraudulent, but they look quite real. DocuSign recently had their user database stolen, so these emails are going out to folks who already use DocuSign and who wouldn’t necessarily be shocked to find emails like the ones described above in their inboxes. Similar to the Google Drive phish, this one is convincing because it plays on expectations around normal, everyday activities for many working professionals.

As we mentioned, if you do click on a link in one of these emails, it will download a Word document that contains malicious macros. These macros are able to execute Hancitor, which is a popular fileless malware dropper. If your computer allows macros, Hancitor can download and install Pony, which is a program that is capable of stealing information and communicating with the bad guys who sent it.

The DocuSign breach was pretty large from what we can tell—meaning a large portion of their customer base was stolen—but so far the emails described above have gone to small subsets of the compromised accounts. This makes it likely that they are continuing to test out approaches and find out where they are most successful. We expect to see more DocuSign phishes in the coming weeks and months for this reason.

***Update June 7, 2017***

We have now seen a few of these DocuSign phishes in the wild, and in addition to malicious attachments, we are also seeing some credential phishing. This is when attackers attempt to convince you that you are visiting the website of a service you use and ask you to enter your credentials (username and password). If you do so, your information will be stolen and often used for nefarious purposes (to steal more data, target other users, or launch new attacks.)

Here is what one of the attacks looked like (note the fraudulent web address — this is NOT from DocuSign.)

DocuSign phish in the wild

***End update June 8, 2017***

What to Do About the DocuSign Phishes

DocuSign is maintaining an updated security information center here. Beyond that, there are a few key steps you can take to make sure that neither you nor anyone in your organization falls victim to the DocuSign phishes—and to make sure that, even if an errant click does take place, the malware is not able to take down your network.

Exercise Caution

First of all, if you are a DocuSign user, be extra cautious of any emails that purport to come from them. And if you are an IT administrator or in charge of security for your organization, make sure to conduct phishing awareness training that explains to your employees what to look for and how to steer clear of fake DocuSign emails in particular.

We are seeing that most of these emails come from misspelled and wrong email addresses, like “” (“vs or similar”) Remember that Docusign would never send an email from a domain other than  Here are some other good tips to spot phishing and limit the fallout.

Set up a Phish Reporting Protocol

If your organization does not already have a plan in place for what to do when employees spot a potential phish, now is a good time to set that up. You’ll want to make sure each and every employee not only knows what to look for but also knows who to contact if something suspicious does come through.

If your team uses Slack, Hipchat, or another internal messaging system, that may be a good way for folks to report potential phishes. Otherwise, you can have them email IT directly or set up a special inbox for employees to forward the suspicious emails to (just make sure you check it frequently!)  It’s a good idea to make clear to employees that, one report of a phish can save the entire organization from being hit.

Use DNS-Based Malware Protection

No matter how good your user education program is, someone’s going to click on something malicious at some point. This is why, in addition to the steps outlined above, you should use DNS-based malware protection to limit the possible damage that an infection can do to your network.

Many types of malware that are spread by phishing have changing signatures, so they cannot easily be tracked or caught using signature-based security solutions like firewalls and antivirus (not to mention that emails slip right through these by nature!)

Instead, you want to use a DNS-based security solution like Strongarm that is able to monitor threat feeds in real-time, identify malicious communications based on DNS (not ever-changing signatures) and prevent malware from spreading by taking control of it and quickly identifying the victim machines.

Strongarm also offers a customizable block page that IT admins can use to inform their users when they click on a potentially malicious link and direct them to take action (by reporting the phish) before the network is compromised.

To learn more about how Strongarm’s DNS-based security solution can help you stay safe from phishing attacks like DocuSign, visit our How it Works page.

When you’re ready to protect your organization from phishing attacks, you can try Strongarm free for 30 days.

Try it Free