DocuSign continues to track large-scale phishing campaigns with two known attack vectors. 

One vector is through improper use of DocuSign accounts in which malicious URLs are hidden within actual DocuSign envelope documents.

The sender email addresses associated with this activity are typically from public domains such as email[.]com, mail[.]com, workmail[.]com, linuxmail[.] or co[.]za. 

Email subject line theme examples:

• Bank Confirmation
• Grant Payment
• Payment Information
• New Invoice
• Shared Proposed Document from [name]
• Proposal from [name]
• Shared Document Online
• Loan Confirmation

Report improper use of DocuSign accounts directly through the envelope email notification Report Abuse link or by sending an email to securityaccountabuse@docusign.com.

The second vector is through imitation of DocuSign, spoofing dse@docusign.net to trick the recipient into believing it is an email from DocuSign.

Bad actors are reusing a valid security code in a convincing copy of DocuSign’s email notification that they then link to a phishing URL through the text link intended to review envelope documents. This activity is not coming from a DocuSign account.
The sender email address is spoofed to imitate a DocuSign email address (dse@docusign.net). 

Email subject line theme examples:

• settlement agreement
• completed
• [name] sent you an important document
• closing statement/wiring instructions
• order form
• updated contract agreement
• completed: please docusign
• complete: please review

If you are unsure whether or not you received an imitation DocuSign email fitting this attack vector we recommend reviewing the activity in your DocuSign account for documents matching the email notification.
Report imitation of DocuSign to spam@docusign.com. 

For more information on how to spot phishing, please see our Combating Phishing and Protecting Your Organization Against DocuSign Brand Impersonation white papers.