Alerts and updates

  • Apache issued a security alert on September 5, 2017 for Struts, an open source framework for creating Java web applications.  The component performs unsafe deserialization and could lead to a remote code execution vulnerability.

    DocuSign does not use Apache Struts within our DocuSign services or our Digital Transaction Management platform.

    For more information, you can reference:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805 or https://struts.apache.org/docs/s2-052.html.

  • DocuSign has observed a new phishing campaign that began the morning of September 6th (Pacific Time).

    The email comes from "Warner Amann via DocuSign” (note, this name is subject to change) using the email address [email protected]. The email has the subject “Your Bill 123456 for yourdomain.com Document is Ready for Signature” and it contains a link to a malicious, macro-enabled Word document. This email is not sent from DocuSign. Do not click the link in this email, instead please forward it to [email protected] and then delete the email immediately.

    For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB).

  • DocuSign has observed a new phishing campaign that began the morning of August 28th (Pacific Time).

     The email comes from ""Greg Taylor & Associates, via DocuSign” using the email address [email protected] with the subject “Your document Settlement 123456 is ready for signature!” and it contains a link to a malicious, macro-enabled Word document. This email is not sent from DocuSign. Do not click the link in this email, instead please forward it to [email protected] and then delete the email immediately.

    For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB)

  • The DocuSign Trust Center is the best source of information regarding alerts or threats to the DocuSign environment. 

    Always leverage official DocuSign channels to ensure information you receive regarding alerts or threats is accurate. For example, we have been alerted that certain companies are using the DocuSign name (coupled with inaccurate information on security threats) to enhance sales of their security products and services. Stay proactively informed on alerts and threats by subscribing to our DocuSign Support Twitter feed #AskDocuSign or find the latest accurate information by visiting us here at https://docusign.com/trust.

  • DocuSign has observed a new phishing campaign that began the morning of August 16th (Pacific Time).

    The email comes from "Danna & Associates PC” using the email address [email protected] with the subject “Your document Invoice 123456 is ready to be signed!” and it contains a link to a malicious, macro-enabled Word document. This email is not sent from DocuSign. Do not click the link in this email, instead please forward it to [email protected] and then delete the email immediately. 

    For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB).

  • DocuSign has observed a new phishing campaign that began the morning of July 18th (Pacific Time).

    The email comes from “Carl Evans” using the email address [email protected] with the subject “Your document Leasing Contract 123 for <recipient_domain> is ready for signature” and it contains a link to a malicious, macro-enabled Word document. This email is not sent from DocuSign. Do not click the link in this email, instead please forward it to [email protected] and then delete the email immediately. 

    For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB).

  • DocuSign has observed a new phishing campaign that began the morning of June 12 (Pacific Time).

    The email comes from William Scott “[email protected]” with the subject “Please review your document Invoice <1234567> for <recipientdomain.com>” and it contains a link to a malicious, macro-enabled Word document. Do not click the link in this email, instead please forward it to [email protected] and then delete the email immediately. For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB).

  • If you would like to be automatically informed about the latest security updates and alerts, please follow @askdocusign (DocuSign Support) on Twitter, where we will be posting notifications when the Trust Center is updated.
  • DocuSign has observed a new phishing campaign that began the morning of May 16 (Pacific Time).

    The email comes from “[email protected]” with the subject “Legal acknowledgement for <person> Document is Ready for Signature” and it contains a link to a malicious, macro-enabled Word document. We suggest you do not open this email, but rather delete it immediately.

  • As an update on the malicious phishing incident, we wanted to share some of the most frequent questions that we have been receiving in the past 12 hours. We will continue to update this site with new information as it becomes available.

    Q: What actually happened?

    A:

    • Last week and again yesterday, DocuSign detected an increase in phishing emails sent to some of our customers and users – and we posted alerts on the DocuSign Trust Center and in social media.
    • The emails “spoofed” the DocuSign brand in an attempt to trick recipients into opening an attached Word document that, when clicked, installs malicious software.
    • As part of our process in routine response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.
    • However, as part of our ongoing investigation, yesterday we confirmed that a malicious third party had gained temporary access to a separate, non-core system used for service-related announcements.
    • A complete forensic analysis has confirmed that only a list of email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

    Q: Is my DocuSign envelope and data secure?

    A: As part of our process in response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.

    Q: Has my instance of DocuSign been impacted?

    A: We have no evidence that there is any impact to any instance of DocuSign, and as part of our process in response to phishing incidents, we confirmed that DocuSign’s core eSignature service, envelopes and customer documents remain secure.

    Q: What information was impacted?

    A: It was a list of email addresses stored in a separate, non-core system used for service-related announcements.

    Q: Have the email addresses of my employees, customers or customers’ customers been exposed as part of this incident?

    A: As part of our ongoing investigation, we can now confirm that no signers were on the list of email addresses that was accessed maliciously unless they had signed up for a DocuSign account. That could include direct DocuSign customers; someone who signed a document and elected to open a DocuSign account; or someone who signed up for a DocuSign freemium account – via docusign.com, through a partner integration, or via the DocuSign mobile client.

    Q: Do I need to communicate to all of them?

    A: We would encourage you to utilize the existing materials on the DocuSign Trust Center to help your employees, customers or customers’ customers protect themselves from phishing attacks.

    Q: How many people were affected? How many email addresses compromised?

    A: Right now we are still acting on the results of our ongoing investigation and cannot comment on those details.

    Q: What systems were impacted?

    A: As part of our ongoing investigation, we confirmed that a malicious third party had gained temporary access to a separate, non-core system used for service-related announcements.

    Q: Why did we have to hear about it via social media?

    A: We have been actively communicating via the DocuSign Trust Center since last week when we first discovered the increase in phishing emails to customers and users. Then as soon as we saw the increase on Monday this week, we updated the Trust Center and posted updates across our Web site and social media channels. We are also working on direct customer outreach.

    Q: Was any other information impacted outside of my email address?

    A: A complete forensic analysis has confirmed that only a list of email addresses were accessed: no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

    Q: How are you so sure only my email address was impacted?

    A: A complete forensic analysis has confirmed that only a list of email addresses were accessed: no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed. DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.

    Q: What should I do about this?

    A: We recommend taking the following steps to ensure the security of your email and systems:

    • Delete any emails with the subject line, “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”. These emails are not from DocuSign. They were sent by a malicious third party and contain a link to malware spam.
    • Forward any suspicious emails related to DocuSign to [email protected], and then delete them from your computer. They may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like ‘@docusgn.com’ without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net.
    • Ensure your anti-virus software is enabled and up to date.
    • Review our whitepaper on phishing available at https://www.docusign.com/sites/default/files/combating_phishing_wp_05082017_0.pdf

    Q: I/one of my employees opened a suspicious email, what should I do?

    A: If possible ensure that they do not click the link and/or install malicious code. We would also recommend continual education and content updates to your internal teams in terms of best practices around phishing. And we recommend taking the following steps to ensure the security of your email and systems:

    • Delete any emails with the subject line, “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature” and “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”. These emails are not from DocuSign. They were sent by a malicious third party and contain a link to malware spam.
    • Forward any suspicious emails related to DocuSign to [email protected], and then delete them from your computer. They may appear suspicious because you don’t recognize the sender, weren’t expecting a document to sign, contain misspellings (like ‘@docusgn.com’ without an ‘i’ or @docus.com), contain an attachment, or direct you to a link that starts with anything other than https://www.docusign.com or https://www.docusign.net.
    • Review our whitepaper on phishing available at https://www.docusign.com/sites/default/files/combating_phishing_wp_05082017_0.pdf

    Q: What additional steps is DocuSign taking to address this issue?

    A: We have taken immediate action to prohibit unauthorized access to this system, we have put further security controls in place, and are working with law enforcement agencies.

    Q: Is this related to the global ransomware attack of late last week?

    A: No.

  • Recently we’ve seen increased concern and discussion around an exploit released by Shadow Brokers which was acknowledged by Microsoft on March 14th, 2017. This issue involves SMBv1 and how it handles specially crafted requests to a host impacted by this vulnerability.

    This exploit is also being leveraged in the WannaCrypt/WannaCry ransomware campaign which has been in the media recently. You can reference the links below for additional information around this issue:

    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
    https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
    https://www.us-cert.gov/ncas/alerts/TA17-132A

    DocuSign takes security related vulnerabilities and issues seriously and as such, we have diligently tracked this issue through this process. MS17-010 was applied as part of our monthly vulnerability management process during the March cycle. All applicable production systems have been patched ahead of the Shadow Brokers release in mid-April. Our Digital Transaction Management platform and supporting systems are not impacted by MS17-010 or the WannaCrypt/WannaCry ransomware. Additionally, all systems are monitored for any suspicious activity.

  • As part of our commitment to updating everyone as we identify new information during our investigation, we can now confirm that only people with a DocuSign account were impacted by this incident – those who signed a document without a DocuSign account were not among the list of email addresses that were accessed maliciously.

    That said, even though an employee or customer of yours would not be on the list unless they had an account with DocuSign, we would still encourage you to utilize the existing materials on the DocuSign Trust Center to help them avoid being the victims of phishing.

    As an update to the frequently-asked questions we originally included below:

    Q: Have the email addresses of my employees, customers or customers’ customers been exposed as part of this incident?
    A: As part of our ongoing investigation, we can now confirm that no signers were on the list of email addresses that was accessed maliciously unless they had signed up for a DocuSign account. That could include direct DocuSign customers; someone who signed a document and elected to open a DocuSign account; or someone who signed up for a DocuSign freemium account – via docusign.com, through a partner integration, or via the DocuSign mobile client.

    Q: Do I need to communicate to all of them?
    A: We would encourage you to utilize the existing materials on the Trust Center to help your employees, customers or customers’ customers protect themselves from phishing attacks.

    As always, please continue to Contact Support or call +1-800-379-9973 with any additional questions. 

Pages