<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Please note, one of the most important points in this alert is:</p>
<blockquote>
<p><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">If you have reason to expect a DocuSign
document via email, don’t respond to an email that looks like
it’s from DocuSign by clicking a link in the message. When in
doubt, access your documents directly by visiting
<a href="https://www.docusign.com/" target="_blank"><span
style="color:blue">docusign.com</span></a>, and entering
the unique security code included at the bottom of every
legitimate DocuSign email. DocuSign says it will never ask
recipients to open a PDF, Office document or ZIP file in an
email.</span></p>
</blockquote>
<div class="moz-forward-container">There are also several other
excellent tips at the end about avoiding email phishing and
malware.<br>
<br>
-------- Forwarded Message --------
<div class="WordSection1">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:18.0pt;font-family:"Times New
Roman",serif">Breach at DocuSign Led to Targeted
Email Malware Campaign<o:p></o:p></span></b></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">DocuSign</span></b><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">, a major provider of electronic
signature technology, acknowledged today that a series of
recent malware phishing attacks targeting its customers and
users was the result of a data breach at one of its computer
systems. The company stresses that the data stolen was
limited to customer and user email addresses, but the
incident is especially dangerous because it allows attackers
to target users who may already be expecting to click on
links in emails from DocuSign.<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">San Francisco-based DocuSign warned on
May 9 that it was tracking a malicious email campaign where
the subject line reads, “Completed: docusign.com – Wire
Transfer Instructions for recipient-name Document Ready for
Signature.” The missives contained a link to a downloadable
<b>Microsoft Word</b> document that harbored malware.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><img
style="width:6.0416in;height:5.5833in"
id="Picture_x0020_1"
src="cid:part2.AE2AC745.644D449C@physics.osu.edu" alt="A
typical DocuSign email. Image: DocuSign." class=""
width="580" height="536"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">A typical DocuSign email. Image:
DocuSign.<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif;background:yellow;mso-highlight:yellow">The
company said at the time that the messages were not
associated with DocuSign, and that they were sent from a
malicious third-party using DocuSign branding in the headers
and body of the email. But in
<a
href="https://trust.docusign.com/en-us/personal-safeguards/"
target="_blank" moz-do-not-send="true"><span
style="color:blue">an update</span></a> late Monday,
DocuSign confirmed that this malicious third party was able
to send the messages to customers and users because it had
broken in and stolen DocuSign’s list of customers and users.</span><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">“As part of our ongoing investigation,
today we confirmed that a malicious third party had gained
temporary access to a separate, non-core system that allows
us to communicate service-related announcements to users via
email,” DocuSign wrote in an alert posted to its site. “A
complete forensic analysis has confirmed that only email
addresses were accessed; no names, physical addresses,
passwords, social security numbers, credit card data or
other information was accessed. No content or any customer
documents sent through DocuSign’s eSignature system was
accessed; and DocuSign’s core eSignature service, envelopes
and customer documents and data remain secure.”<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">The company is asking people to forward
any suspicious emails related to DocuSign to
<a href="mailto:spam@docusign.com" moz-do-not-send="true">spam@docusign.com</a>,
and then to delete the missives. <o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">“They may appear suspicious because you
don’t recognize the sender, weren’t expecting a document to
sign, contain misspellings (like “docusgn.com” without an
‘i’ or @docus.com), contain an attachment, or direct you to
a link that starts with anything other than
<a href="https://www.docusign.com" moz-do-not-send="true">https://www.docusign.com</a>
or <a href="https://www.docusign.net"
moz-do-not-send="true">
https://www.docusign.net</a>,” reads the advisory.<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">If you have reason to expect a DocuSign
document via email, don’t respond to an email that looks
like it’s from DocuSign by clicking a link in the message.
When in doubt, access your documents directly by visiting
<a href="https://www.docusign.com/" target="_blank"
moz-do-not-send="true"><span style="color:blue">docusign.com</span></a>,
and entering the unique security code included at the bottom
of every legitimate DocuSign email. DocuSign says it will
never ask recipients to open a PDF, Office document or ZIP
file in an email.<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif">DocuSign was already a perennial target
for phishers and malware writers, but this incident is
likely to intensify attacks against its users and customers.
DocuSign says it has more than 100 million users, and it
seems all but certain that the criminals who stole the
company’s customer email list are going to be putting it to
nefarious use for some time to come.<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Times New
Roman",serif">This entry was posted on Monday, May
15th, 2017 at 11:34 pm<span style="color:#1F497D"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif;color:black"><a
href="https://krebsonsecurity.com/2017/05/breach-at-docusign-led-to-targeted-email-malware-campaign/"
moz-do-not-send="true">https://krebsonsecurity.com/2017/05/breach-at-docusign-led-to-targeted-email-malware-campaign/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Times New
Roman",serif"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif">______________________________________________________________________________________________________<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:9.0pt;line-height:18.0pt"><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333"> <o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in"><span
style="font-size:13.5pt;font-family:maven_pro_bold;color:#333333">Update
5/15/2017 - Malicious Email Campaign<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:9.0pt;line-height:18.0pt"><span
style="font-size:11.5pt;font-family:"Helvetica",sans-serif;color:#333333;background:yellow;mso-highlight:yellow">DocuSign
is tracking a malicious email campaign where the subject
reads:
</span><span
style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:#333333;background:yellow;mso-highlight:yellow">Completed
*company name* - Accounting Invoice *number* Document Ready
for Signature</span><span
style="font-size:11.5pt;font-family:"Helvetica",sans-serif;color:#333333;background:yellow;mso-highlight:yellow">. </span><span
style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333;background:yellow;mso-highlight:yellow">The
email contains a link to a downloadable Word Document which
is designed to trick the recipient into running what’s known
as macro-enabled-malware.</span><span
style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#333333"> </span><span
style="font-size:11.5pt;font-family:"Helvetica",sans-serif;color:#333333"><o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:9.0pt;line-height:18.0pt"><span
style="font-size:11.5pt;font-family:"Helvetica",sans-serif;color:#333333">These
emails are not associated with DocuSign. They originate from
a malicious third-party using DocuSign branding in the
headers and body of the email. The emails are sent from
non-DocuSign-related domains including
<a href="mailto:dse@docus.com" target="_blank"
moz-do-not-send="true"><span
style="color:#428BCA;text-decoration:none">dse@docus.com</span></a>.
Legitimate DocuSign signing emails come from @docusign.com
or @docusign.net email addresses. <o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:9.0pt;line-height:18.0pt"><span
style="font-size:11.5pt;font-family:"Helvetica",sans-serif;color:#333333">Please
remember to be particularly cautious if you receive an
invitation to sign or view a Document you are not expecting.
If you have received a copy of the above email, DO NOT OPEN
ANY ATTACHMENTS. Instead, forward the email to
<a href="mailto:spam@docusign.com" moz-do-not-send="true">spam@docusign.com</a> and
then immediately delete the email from your system.<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:18.0pt"><span
style="font-size:11.5pt;font-family:"Helvetica",sans-serif;color:#333333">For
further advice on how to recognize malicious emails and how
to protect yourself you can visit our Trust Center here: <a
href="https://trust.docusign.com/en-us/personal-safeguards/fraudulent-email-websites/"
moz-do-not-send="true">https://trust.docusign.com/en-us/personal-safeguards/fraudulent-email-websites/</a> <br>
<br>
As a leader in online eSignature security and compliance,
DocuSign has a zero-tolerance policy for this type of
malicious email and is fully prepared to ensure minimal
impact to our customers and company. As we’ve seen, this
type of malicious activity is becoming more common,
especially to organizations with established, trusted
brands. Please note that this malicious activity has no
relation to any activity DocuSign is involved in.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif">___________________________________________________________________________________________<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif;color:black"><a
href="https://trust.docusign.com/en-us/personal-safeguards/"
moz-do-not-send="true">https://trust.docusign.com/en-us/personal-safeguards/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#333333">Latest
update on malicious email campaign<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#333333">Last
week and again this morning, DocuSign detected an increase
in phishing emails sent to some of our customers and users –
and we posted alerts here on the <a
href="https://www.docusign.com/trust" target="_blank"
moz-do-not-send="true"><span
style="color:#428BCA;text-decoration:none">DocuSign
Trust Site</span></a> and in social media. The emails
“spoofed” the DocuSign brand in an attempt to trick
recipients into opening an attached Word document that, when
clicked, installs malicious software. <b>As part of our
process in response to phishing incidents, we confirmed
that DocuSign’s core eSignature service, envelopes and
customer documents remain secure. </b><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#333333"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#333333">However,
as part of our ongoing investigation, today we confirmed
that a malicious third party had gained temporary access to
a separate, non-core system that allows us to communicate
service-related announcements to users via email. <b>A
complete forensic analysis has confirmed that <u>only</u> email
addresses were accessed; no names, physical addresses,
passwords, social security numbers, credit card data or
other information was accessed. No content or any customer
documents sent through DocuSign’s eSignature system was
accessed; and DocuSign’s core eSignature service,
envelopes and customer documents and data remain secure.</b><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#333333"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#333333">We
took immediate action to prohibit unauthorized access to
this system, we have put further security controls in place,
and are working with law enforcement agencies. Out of an
abundance of caution as a trusted brand and to protect you
from any further phishing attacks against your email, we’re
alerting you and recommend taking the following steps to
ensure the security of your email and systems:<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:24.75pt;text-indent:-.25in;mso-list:l0
level1 lfo2">
<!--[if !supportLists]--><span
style="font-size:10.0pt;font-family:Symbol;color:#333333"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#333333">Delete
any emails with the subject line, <i>“Completed: [domain
name] – Wire transfer for recipient-name Document Ready
for Signature” </i>and <i>“Completed [domain name/email
address] – Accounting Invoice [Number] Document Ready for
Signature”. </i>These emails are not from DocuSign. They
were sent by a malicious third party and contain a link to
malware spam.<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:24.75pt;text-indent:-.25in;mso-list:l0
level1 lfo2">
<!--[if !supportLists]--><span
style="font-size:10.0pt;font-family:Symbol;color:#333333"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#333333">Forward
any suspicious emails related to DocuSign to <a
href="mailto:spam@docusign.com" target="_blank"
moz-do-not-send="true"><span
style="color:#0B4CB4;text-decoration:none">spam@docusign.com</span></a>,
and then delete them from your computer. They may appear
suspicious because you don’t recognize the sender, weren’t
expecting a document to sign, contain misspellings (like
“docusgn.com” without an ‘i’ or @docus.com), contain an
attachment, or direct you to a link that starts with
anything other than <a href="https://www.docusign.com/"
target="_blank" moz-do-not-send="true"><span
style="color:#0B4CB4;text-decoration:none">https://www.docusign.com</span></a> or <a
href="https://www.docusign.net/" target="_blank"
moz-do-not-send="true"><span
style="color:#0B4CB4;text-decoration:none">https://www.docusign.net</span></a>.<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:24.75pt;text-indent:-.25in;mso-list:l0
level1 lfo2">
<!--[if !supportLists]--><span
style="font-size:10.0pt;font-family:Symbol;color:#333333"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#333333">Ensure
your anti-virus software is enabled and up to date.<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:24.75pt;text-indent:-.25in;mso-list:l0
level1 lfo2">
<!--[if !supportLists]--><span
style="font-size:10.0pt;font-family:Symbol;color:#333333"><span
style="mso-list:Ignore">·<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#333333">Review
our whitepaper on phishing available at <a
href="https://trust.docusign.com/static/downloads/Combating_Phishing_WP_05082017.pdf"
target="_blank" moz-do-not-send="true"><span
style="color:#428BCA;text-decoration:none">https://trust.docusign.com/static/downloads/Combating_Phishing_WP_05082017.pdf</span></a> <o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:9.0pt;line-height:18.0pt"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;color:#333333">Your
trust and the security of your transactions, documents and
data are our top priority. The DocuSign eSignature system
remains secure, and you and your customers may continue to
transact business through DocuSign with trust and
confidence. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif;color:black"><a
href="https://trust.docusign.com/static/downloads/Combating_Phishing_WP_05082017.pdf"
moz-do-not-send="true">https://trust.docusign.com/static/downloads/Combating_Phishing_WP_05082017.pdf</a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif">Don’t
Get Phished: Tips for Foiling Scammers<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif">A few simple
techniques can help you spot the difference between a spoof
DocuSign email vs. the real thing:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;background:yellow;mso-highlight:yellow">•
Hover over the link – URLs to view or sign DocuSign documents
contain “docusign.net/” and always start with https<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif;background:yellow;mso-highlight:yellow">•
Access your documents directly from
<a href="https://www.docusign.com" moz-do-not-send="true">https://www.docusign.com</a>
by entering the unique security code, which is included at
the bottom of every DocuSign email<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif">•
Do NOT open unknown or suspicious attachments, or click links –
DocuSign will never ask you to open a PDF, office document,
or zip file in an email<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif">•
Look for misspellings, poor grammar, generic greetings, and a
false sense of urgency<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif">•
Enable multi-factor authentication where possible<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif">•
Use strong, unique passwords for each service – don’t reuse
passwords on multiple websites<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif">•
Ensure your anti-virus software is up to date and all
application patches are installed<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif">•
Contact the sender offline to verify the email’s authenticity, if
you’re still suspicious<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif">•
Report suspicious DocuSign emails to your IT/security team and
<a href="mailto:spam@docusign.com" moz-do-not-send="true">spam@docusign.com</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif">Fake/Spoof
DocuSign Examples<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Arial",sans-serif">Sophisticated
scammers occasionally send emails with fake DocuSign links
that lead to malware, such as ransomware. When a large
malware or phishing campaign is detected, a security notice
containing relevant details is posted on the DocuSign Trust
Center.<o:p></o:p></span></p>
</div>
</div>
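<p>The warning signs listed in the forwarded advisory (a sender outside
@docusign.com or @docusign.net, the two campaign subject lines, links
that do not go to docusign.com or docusign.net over https, and PDF, Office
or ZIP attachments) can be checked mechanically during mail triage. The
Python below is an added example, not code from DocuSign or from the
forwarded article; the function names, the extension list, the acceptance
of subdomains of the two domains, and the sample messages are assumptions
constructed for illustration.</p>
<pre>
```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains and subject lines quoted in the advisory.
LEGIT_DOMAINS = ("docusign.com", "docusign.net")
CAMPAIGN_SUBJECT = re.compile(
    r"^Completed:?\s+.+?\s+[-\u2013]\s+(Wire transfer|Accounting Invoice)\b"
    r".*Document Ready for Signature",
    re.IGNORECASE,
)
# "PDF, Office document or ZIP file": extension list assumed for this example.
RISKY_EXTENSIONS = (".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".zip")
URL_RE = re.compile(r"\bhttps?://[^\s)]+", re.IGNORECASE)


def in_legit_domain(host: str) -> bool:
    """True only for an exact match or a real subdomain, never a substring.

    Accepting subdomains is an assumption; the advisory names only the www hosts.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def triage(msg: EmailMessage) -> list:
    """Return the advisory's warning signs that apply to one message."""
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1]
    sender_domain = sender.rpartition("@")[2]
    if not in_legit_domain(sender_domain):
        findings.append("sender-domain:" + sender_domain)
    if CAMPAIGN_SUBJECT.search(str(msg.get("Subject", ""))):
        findings.append("campaign-subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append("attachment:" + name)
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                url = url.rstrip(".,;")
                parts = urlsplit(url)
                host_ok = in_legit_domain(parts.hostname or "")
                if parts.scheme.lower() != "https" or not host_ok:
                    findings.append("link:" + url)
    return findings


def build_sample(sender, subject, body, attachment=None):
    """Constructed test message; none of these are real captured emails."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.org", subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


if __name__ == "__main__":
    sample = build_sample(
        "dse@docus.com",
        "Completed: docusign.com \u2013 Wire Transfer Instructions for "
        "recipient-name Document Ready for Signature",
        "Your document is ready:\nhttps://docs.example.invalid/view\n",
        attachment="Instructions.doc",
    )
    for finding in triage(sample):
        print(finding)
```
</pre>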
</body>
</html>