Security Alert: DocuSign Breach Leads To Phishing Attacks

A recent breach at DocuSign has led to phishing campaigns designed to infect recipients with credential stealing and banking trojans: Pony, EvilPony and ZLoader.

DocuSign is one of the most widely used electronic signature applications with 200+ million users.

As an immediate measure, DocuSign recommends that you delete any email that appears to come from them bearing the following subject lines, which have been used in recent phishing campaigns:

  • Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature
  • Completed: [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature.
  • Subject: “Legal acknowledgment for [recipient username] Document is Ready for Signature”

 These emails contain Microsoft Word attachments that when opened, attempt to trick users into turning on macros—once done they deliver their malicious payloads. However, if you have macros already turned on, you will be immediately infected once you open the Word document.

 Screenshot of one of the emails. Source: DocuSign

 DocuSign Phish Email

You would be well advised to take extreme caution and notify all of your employees. As an added precaution, disable Office Macros.

 

XSolutions is an Elite Partner of Datto, the world leader in Hybrid-Cloud Business Continuity solutions whose systems protect 250+ Petabytes of data with over 800 employees around the globe. Call (845) 362-9675 and let us introduce you to the ultimate defense against data loss—whatever the cause.