DocuSign has observed a new phishing campaign in which malicious URLs are being hidden in fake/imitation DocuSign-themed emails.

The emails have been spoofed to appear to be sent from dse@docusign[.]net or dse@docusign[.]com. These emails did not originate from our legitimate DocuSign email servers. They contain the following subject line:

• “Re: Document to Sign and Complete”

The emails contain a link to a phishing page that is hosted on the following domain:

• hxxps://ipfs[.]fleek[.]co/ipfs/<ID of letters and numbers>/

DocuSign does not use this service. Please treat any DocuSign-themed emails with a link to “ipfs[.]fleek[.]co” as phishing.

Do not click on any email or attachment links from unknown or untrusted senders. All customers are reminded that they should continue their own due diligence and identify and report to DocuSign any suspicious emails using legitimate DocuSign accounts and technology (securityaccountabuse@docusign.com), as well as suspicious emails spoofing the DocuSign brand (spam@docusign.com). Customers should also continue to utilize their own organization’s security tools to investigate potentially malicious documents, links and notifications.

For more information on how to spot phishing, please see our Combating Phishing and Protecting Your Organization Against DocuSign Brand Impersonation white papers.