DocuSign breach leads to more effective phishing

While the world was focused on WannaCry (I promise that’s the only time I’ll mention it), a significant security issue seems to have slipped through the cracks.

DocuSign is an application to digitally sign business documents like real estate loans, business contracts, statements of work, etc. OK, I think we’ve already established that I tend to be more paranoid than most folks. I don’t trust many online applications, especially for important things like loans and contracts. But I’ve used DocuSign many times in the past and found it to be a very convenient tool for reviewing and signing documents while mobile.

Unfortunately, DocuSign had a breach last week that exposed the email addresses of users. That, combined with the attackers’ access to a DocuSign server, enabled the attackers to send very, very realistic phishing emails to real DocuSign users.

Let me make this clear: at this point there is no indication from DocuSign that any information beyond users’ email addresses was exposed.

The phishing scam asked users to open a Word document with malicious code. Now, DocuSign does not ask users to open files within an email (they are notified to sign into the site to sign), but many didn’t suspect any nefarious business.
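The two tells in that paragraph, a DocuSign-branded message carrying an Office attachment, or one whose links point somewhere other than DocuSign, are easy to turn into a mail-filter check. The following is an added example written for this post; it is not code from DocuSign or from the original article. It assumes that `docusign.com` and `docusign.net` are the only hosts a genuine notification links to, and the three sample messages are constructed for the demonstration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption for this example: genuine DocuSign notifications only link to these hosts.
TRUSTED_HOSTS = ("docusign.com", "docusign.net")
# Office document types; a legitimate DocuSign notice never attaches a document to sign.
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".rtf")


def _host_is_trusted(host: str) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def find_docusign_phishing_indicators(raw_message: str) -> list[str]:
    """Return the reasons a DocuSign-themed message looks like phishing.

    Messages that do not mention DocuSign in From/Subject are out of scope and
    return an empty list, as do DocuSign-themed messages with no indicator.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons: list[str] = []

    header_blob = " ".join(str(msg.get(h, "")) for h in ("From", "Subject"))
    if "docusign" not in header_blob.lower():
        return reasons

    # Indicator 1: an Office document attached to a "please sign" notice.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(OFFICE_EXTENSIONS):
            reasons.append(f"Office attachment {filename!r}: DocuSign notices never attach documents")

    # Indicator 2: a link that does not go to DocuSign itself.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = urlparse(url).hostname or ""
        if not _host_is_trusted(host):
            reasons.append(f"link to non-DocuSign host {host!r}")
    return reasons


# Constructed sample: attachment-based lure of the kind described in the post.
PHISHING_SAMPLE = """\
From: "DocuSign Electronic Signature Service" <dse@example-sender.test>
To: victim@example.test
Subject: Completed: Wire transfer instructions - please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached document to review and sign.
--b1
Content-Type: application/msword; name="Document.doc"
Content-Disposition: attachment; filename="Document.doc"
Content-Transfer-Encoding: base64

ZmFrZQ==
--b1--
"""

# Constructed sample: link-based lure pointing at a look-alike host.
LINK_LURE_SAMPLE = """\
From: "DocuSign" <notify@docusign-review.test>
Subject: You have a document to sign
Content-Type: text/plain; charset="utf-8"

Sign here: http://docusign-review.test/sign?id=42
"""

# Constructed sample: what a clean notification looks like under the assumptions above.
LEGIT_SAMPLE = """\
From: "DocuSign" <dse@docusign.net>
To: user@example.test
Subject: Please DocuSign: Lease Agreement
Content-Type: text/plain; charset="utf-8"

Review and sign at https://app.docusign.com/documents/details/ABC123
"""

if __name__ == "__main__":
    for label, sample in (("attachment lure", PHISHING_SAMPLE),
                          ("link lure", LINK_LURE_SAMPLE),
                          ("legitimate", LEGIT_SAMPLE)):
        print(label, "->", find_docusign_phishing_indicators(sample) or "no indicators")
```

The check deliberately stays narrow: it only fires on messages that already claim to be DocuSign, so it adds no noise to ordinary mail, and it treats any Office attachment on such a message as suspicious regardless of whether macros are present, since the legitimate workflow never includes one.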

If you are a DocuSign user, be on the lookout. More phishing messages are likely. If you get an email to sign a document, don’t click the link. Sign into the DocuSign site to sign any documents.