Alert: New Phishing Campaign Observed

DocuSign has observed a new phishing campaign with malicious attachments pushing spoofed DocuSign documents that is exploiting the U.S. election. This malspam phishing technique is not spoofing DocuSign envelope emails.

The emails are coming from a variety of email addresses with no consistency in subject line.

The emails have been observed to come as thread replies, and contain a zip attachment named ElectionInterference_[8 to 9 digits].zip. The email wants recipients to open the document and read about "election interference". Once the zip file is extracted, there is an Excel spreadsheet that spoofs that it is a secure DocuSign file, stating, "This document is encrypted by DocuSign Protect Service." Users are instructed to allow macros to decrypt the document which downloads a malicious payload and further links to compromised sites. The URL for the payload is encoded in a cell of a Cryillic-named sheet “Лист3”.

These emails are not sent from DocuSign. Do not download the attachments in these emails, instead please forward them to and then delete the email immediately.

For more information on how to spot phishing, please see our Combating Phishing white paper.