Alerts and updates
DocuSign has observed a new phishing campaign that began the morning of March 22nd, 2018 (Pacific Time). The email purports to come from DocuSign using the email addresses firstname.lastname@example.org and email@example.com. The emails all have the subject:
"You have received a secure document"
These emails contain a malicious Word document as an attachment, 9S659EHDCSI72649DS.doc.
These emails are not sent from DocuSign. Do not open the attachment in these emails, instead please forward them to firstname.lastname@example.org and then delete the email immediately.
For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB)
Following industry best practices, DocuSign will end TLSv1.0 support effective June 25, 2018 (the date originally announced was June 30, 2018). This date aligns with the deadline the PCI Security Standards Council has set for companies that wish to remain PCI Data Security Standard (PCI DSS) compliant. Other leading SaaS vendors, including Salesforce, Box, and PayPal, plan to end support for TLSv1.0 in June.
More information is available here: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
In addition to retiring the insecure TLSv1.0 protocol, we will also remove a set of cipher suites which are no longer considered secure. This includes ciphers such as 3DES along with a few others that have an insufficient key length to securely encrypt communications.
The ciphers to be retired include the following:
TLSv1.0 and these cipher suites are utilized by a small set of customers to support legacy integrations. These integrations will need to be updated to support secure, modern ciphers, which is often as easy as recompiling the solution with updated libraries. The PCI Security Standards Council has published detailed guidance for migration from SSL/early TLS. It is available here: www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf
All internet browsers currently supported by DocuSign already default to newer versions of TLS, so this change will go unnoticed by web and mobile users. Please contact DocuSign support with additional questions.
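To show what an updated integration has to configure on its side, here is an added example (not DocuSign code) using Python's ssl module: it builds a client context that refuses TLSv1.0/1.1 and the retired cipher families, and checks that none of them would still be offered. The 128-bit strength threshold and the cipher string are assumptions.

```python
import ssl
from typing import List

# Minimum effective key strength an integration should accept. The 128-bit
# threshold is an assumption; the page names 3DES (112 effective bits) as
# the representative cipher being retired for insufficient key length.
MIN_KEY_BITS = 128

def is_weak_cipher(cipher: dict, min_bits: int = MIN_KEY_BITS) -> bool:
    """Classify one entry of SSLContext.get_ciphers() as retired-class.

    OpenSSL names 3DES suites 'DES-CBC3' and reports their effective
    strength as 112 bits, so both the name and the strength check catch it.
    """
    name = cipher["name"]
    if "DES-CBC3" in name or "RC4" in name or "NULL" in name:
        return True
    return cipher["strength_bits"] < min_bits

def hardened_client_context() -> ssl.SSLContext:
    """Client context for an integration after the TLSv1.0 cutoff:
    TLSv1.2 or later only, AEAD suites with forward secrecy, and the
    retired families (3DES, RC4, anonymous, MD5-based) excluded explicitly."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!3DES:!RC4"
    )
    return ctx

def protocol_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name

def weak_ciphers_offered(ctx: ssl.SSLContext) -> List[str]:
    """Retired-class suites the context would still offer (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak_cipher(c)]

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum protocol:", protocol_floor(ctx))
    print("weak suites offered:", weak_ciphers_offered(ctx))
```

Running the same two checks against the context your integration actually uses (for example one built by an older framework default) shows whether it will keep connecting after the cutoff.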
DocuSign has observed a new phishing campaign that began the morning of March 6th, 2018 (Pacific Time). The email purports to come from "DocuSign Electronic Signature and Invoice" using the email addresses email@example.com and firstname.lastname@example.org. The emails all have the subjects:
You received / got invoice from DocuSign Signature Service / DocuSign Electronic Signature Service / DocuSign Service
These emails contain links to a malicious Word document. These emails are not sent from DocuSign. Do not click the links in these emails, instead please forward them to email@example.com and then delete the email immediately.
For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB)
On February 27th, CERT released details about a SAML vulnerability affecting some libraries which may allow an attacker to perform an authentication bypass. More details are available here: https://www.kb.cert.org/vuls/id/475445
Our security and identity teams immediately investigated this issue in our applications and have confirmed that none of our SAML implementations are vulnerable to this attack.
DocuSign has addressed the Spectre and Meltdown vulnerabilities across our service, protecting customers from potential exploitation. Engineering teams have carefully monitored and measured performance during the rollout of these patches and no measurable service degradation has been encountered. Our incident response teams have not seen any indication of attempts to exploit these issues.
If and when additional patches become available from vendors we will use the same strategy to test, measure and deploy to our service. Providing customers with a secure and reliable service is our top priority at DocuSign.
DocuSign has observed a new phishing campaign that began the morning of January 31, 2017 (Pacific Time).
The email purports to come from "Docusign Inc." using the email address firstname.lastname@example.org with the subject “Your document Receipt <numbers> for <name> is ready for signature!”. The email contains a link to a malicious Word document. This email is not sent from DocuSign. Do not click the link in this email, instead please forward it to email@example.com and then delete the email immediately.
For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB).
Our security and engineering teams have completed validation testing and have been actively rolling out patches to address the Meltdown and Spectre vulnerabilities across all of our environments. We have taken a methodical approach to remediation using a canary system with telemetry and monitoring as a guide to ensure customers continue to have a stable, performant and secure experience on our platform.
DocuSign has prioritized and remediated devices in a deliberate manner using a risk-based approach, working diligently over the past week and patching the vast majority of our infrastructure. Next steps are to continue remediation for all remaining devices, and as additional vendor patches become available we will continue testing and deploying in the same manner.
Our Incident Response team continuously monitors our systems for any evidence of attempts to exploit vulnerabilities such as 'Spectre' and 'Meltdown' and we have seen no indications of attempts to target our platforms using these vulnerabilities.
On January 4th three information security vulnerabilities were released, CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754, describing critical vulnerabilities in modern processors. These hardware bugs, known as Meltdown and Spectre, allow an application unauthorized access to read system memory.
Upon learning of these vulnerabilities, DocuSign initiated incident response procedures to ensure the security of the company’s servers, core systems and online properties. We have reviewed all of our sites and supporting infrastructure to identify systems which require patching. DocuSign’s operations team is actively testing these updates in non-production environments and, once this is complete, will roll these updates out to our production servers.
In addition, DocuSign has identified a number of partners who may be affected by these vulnerabilities and is working closely with them to ensure their systems are updated as quickly as possible.
DocuSign will continue to monitor the status of the situation and provide updates as needed.
For more information, you can reference: https://spectreattack.com/
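To verify whether a Linux host has the kernel mitigations for these three CVEs in place, here is an added example (not DocuSign's tooling) that reads the kernel's sysfs vulnerability status files and turns them into a per-CVE verdict a rollout dashboard can flag; the sample status lines are constructed.

```python
import os
from typing import Dict, List

# Linux kernels since 4.15 expose mitigation status here, one file per issue.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# The three CVEs named in the advisory, mapped to their sysfs file names.
CVE_TO_SYSFS = {
    "CVE-2017-5753": "spectre_v1",   # Spectre variant 1, bounds check bypass
    "CVE-2017-5715": "spectre_v2",   # Spectre variant 2, branch target injection
    "CVE-2017-5754": "meltdown",     # Meltdown, rogue data cache load
}

def classify(status_line: str) -> str:
    """Reduce a sysfs status line to one verdict.

    The kernel writes 'Not affected', 'Mitigation: <details>' or
    'Vulnerable[: <details>]'; anything else (or a missing file) is unknown
    and should be treated as unpatched until proven otherwise.
    """
    s = status_line.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def assess(statuses: Dict[str, str]) -> Dict[str, str]:
    """Map each advisory CVE to its verdict, given {sysfs_name: file_contents}."""
    return {cve: classify(statuses.get(name, "")) for cve, name in CVE_TO_SYSFS.items()}

def needs_attention(verdicts: Dict[str, str]) -> List[str]:
    """CVEs a rollout dashboard should still flag for this host."""
    return sorted(cve for cve, v in verdicts.items() if v in ("vulnerable", "unknown"))

def read_sysfs(vuln_dir: str = VULN_DIR) -> Dict[str, str]:
    """Collect the real status files; entries absent on older kernels stay absent."""
    found = {}
    for name in CVE_TO_SYSFS.values():
        path = os.path.join(vuln_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="ascii", errors="replace") as fh:
                found[name] = fh.read()
    return found

# Constructed sample of a host mid-rollout: Meltdown and Spectre v1 patched,
# Spectre v2 still waiting on microcode/kernel updates.
SAMPLE_STATUS = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
}

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE_STATUS
    print(needs_attention(assess(live)))
```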
DocuSign has observed a new phishing campaign that began the morning of December 5th (Pacific Time).
The email comes from Tyrone Boulden (note: this name is likely to change) and was sent from the email address firstname.lastname@example.org (note: this sender may change). The subject of the email will be either “Please DocuSign: Order Form for <domain>” or “Please DocuSign Your Debit Acknowledgement form” and it contains a link to a malicious Word document. Do not click the link in this email, instead please forward it to email@example.com and then delete the email immediately.
For more information on how to spot phishing, please see our Combating Phishing white paper (3.3 MB).
Learn about privacy at DocuSign and the steps we're taking to prepare for the upcoming GDPR.
While many organizations are just now focusing on how to protect customer data to comply with the General Data Protection Regulation (GDPR), DocuSign has already made significant strides, many of which apply to the GDPR:
DocuSign has developed a strong compliance culture and security safeguards, as demonstrated in our ISO 27001 certification.
We actively monitor regulator guidance of GDPR requirements to enhance our efforts, and like many cloud service providers, we are reviewing our data protection program and making adjustments to ensure compliance with the GDPR by May 2018.
DocuSign has also drafted Binding Corporate Rules (BCRs), including privacy codes, and has submitted them with supporting documentation to the supervisory authorities in Europe for approval. Our BCRs will help establish vigorous data protection practices throughout the Company and meet the European standards of data protection processed by DocuSign through our core Signature service.
Only you and individuals authorized by your company have access to your documents. Your personal information stays private – even from DocuSign. There is no greater priority at DocuSign than the privacy and security of our customers’ information, data and documents.
DocuSign has observed a new phishing campaign that began the morning of November 29th (Pacific Time).
The email comes from Alfonzo Copper (note this name is likely to change) and was sent from the email address firstname.lastname@example.org. The subject of the email is “Your Monthly Statement document is ready for signature!” and it contains a link to a malicious Word document. Do not click the link in this email, instead please forward it to email@example.com and then delete the email immediately. For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB).
Read about our top pointers to help you stay safe online.
DocuSign uses the latest innovations and industry knowledge to keep our customers safe, but it takes awareness and dedication from everyone involved to reach maximum security.
Remember: online safety starts with you, and you are the first and best line of defense in fighting online fraud. Learning how to identify and steer clear of phishing scams, social engineering attempts, and other types of online fraud is the best way to protect yourself and your information.
Here are a few tips to help get you started:
Create complex, unique passwords and keep them secure – don’t write down or share passwords, and be extra careful when using public or shared computers
Take IT precautions to protect against spam – keep your anti-virus software up-to-date, provide training on phishing and fraudulent activities, etc.
Be on the lookout for fraudulent emails and unsafe websites – proceed with caution when accessing unfamiliar emails and websites. Unrecognizable links, bad grammar and misspellings, and fake greetings can all be red flags that indicate a phishing email. For website safety, make sure “https” is in your browser address bar if you are entering any personal information.
Visit our Personal Safeguards page for more safety essentials - including our Combating Phishing white paper (3.3 MB) - to help keep you and the greater online community safe.