The DocuSign CLM and CLM.CM September 22.7 Product Release will be deployed to the UAT environment on Thursday, September 1, 2022 between 8:00 PM and 11:00 PM, US Central Time. We do not anticipate any impact to platform availability or access during this time.

Announcements for this upcoming release can be found on the DocuSign Support Center. Please continue to check the Support Center for enhancements and fixes that will be posted before UAT deployment. 

Please contact Technical Support if you have any questions.

DocuSign continues to track large-scale phishing campaigns with two known attack vectors. 

One vector is through improper use of DocuSign accounts in which malicious URLs are hidden within actual DocuSign envelope documents.

The sender email addresses associated with this activity are typically from public domains such as email[.]com, mail[.]com, workmail[.]com, linuxmail[.] or co[.]za. 

Email subject line theme examples:

• Bank Confirmation
• Grant Payment
• Payment Information
• New Invoice
• Shared Proposed Document from [name]
• Proposal from [name]
• Shared Document Online
• Loan Confirmation

Report improper use of DocuSign accounts directly through the envelope email notification Report Abuse link or by sending an email to securityaccountabuse@docusign.com.

The second vector is through imitation of DocuSign, spoofing dse@docusign.net to trick the recipient into believing it is an email from DocuSign.

Bad actors are reusing a valid security code in a convincing copy of DocuSign’s email notification that they then link to a phishing URL through the text link intended to review envelope documents. This activity is not coming from a DocuSign account.
The sender email address is spoofed to imitate a DocuSign email address (dse@docusign.net). 

Email subject line theme examples:

• settlement agreement
• completed
• [name] sent you an important document
• closing statement/wiring instructions
• order form
• updated contract agreement
• completed: please docusign
• complete: please review

If you are unsure whether or not you received an imitation DocuSign email fitting this attack vector we recommend reviewing the activity in your DocuSign account for documents matching the email notification.
Report imitation of DocuSign to spam@docusign.com. 

For more information on how to spot phishing, please see our Combating Phishing and Protecting Your Organization Against DocuSign Brand Impersonation white papers.

The following changes were made to the subprocessor list for DocuSign CLM:

• Added Microsoft Azure as a data hosting provider for new accounts provisioned in Australia and Canada and updated Germany and Netherlands locations to the EU.
• Removed Oya as a subprocessor.

Please contact privacy@docusign.com if you have any questions regarding this update. 

On Monday, July 25 2022, @8:00 PM CST, DocuSign CLM/SpringCM will be performing a CLM public wildcard certificate renewal for springcm.com and springcm.net domains in our UAT environment.

On Monday, August 1 2022, @8:00 PM CST, we will be performing the same exercise in our PROD environment.

Find the *.springcm.com public certificate here.

Find the *.springcm.net public certificate here.

[June 6, 2022, 13:50 PDT] This scheduled maintenance will be delayed. Updated information on timing will be posted in a new Trust Center Alert here.

The DocuSign CLM Technology Team will be conducting scheduled maintenance on the following dates and times for the following environments:

June 10, 2022 9:00pm CEST - June 11, 2022 12:00am CEST: CLM EU21 Production
 
During this time customers on the affected instances may experience moments of brief inaccessibility to their account.

Please contact DocuSign CLM Technical Support with any questions.