Docusign has observed a new phishing campaign that contains Docusign themed messages with Google URLs linking to downloadable Microsoft Office files that contain malicious URLs. This malspam phishing technique is spoofing DocuSign envelope emails.

The emails are seen to be sent from spoofed senders such as, “Docusign Signature and Invoice," "Docusign Signature," "Docusign Signature and Invoice Service," "Docusign Electronic Signature Service" or "Docusign Electronic Signature and Invoice".

The emails have been observed to have many closely related subject lines including:" You got invoice from Docusign Electronic Service," " You got invoice from Docusign Electronic Signature Service," “You received invoice from Docusign Signature Service,” and “You received notification from Docusign Electronic Signature Service”.

C2 sites include:

• summervillesouthernsmiles.com/f44.exe

• theriond.com/8/forum.php

• edisrictisirs.ru/8/forum.php

• brankinsto.ru/8/forum.php

• cussoricti.com

These emails are not sent from Docusign. Do not click on the link in these emails, instead please forward them to spam@docusign.com and then delete the email immediately.

For more information on how to spot phishing, please see our Combating Phishing white paper.