Security Alert
Jonathan Crowe
May 2017

Alert: Fake DocuSign Phishing Emails Are Spreading Malware

The electronic signature company DocuSign has issued an alert warning customers their email addresses were exposed to attackers, and to be on the lookout for phishing emails with infected Word document attachments.

Key Details

  • What's happening: Malicious phishing email campaigns are targeting DocuSign users after hackers were able to access a list of customer email addresses.
  • What do the phishing emails look like? Two variations of emails have been identified: One disguised as an accounting invoice ready for signature, and another disguised as wire transfer instructions. Additional identifying details are included below and can also be found here.
  • Who is being targeted? DocuSign has not announced how many email addresses were accessed, but has confirmed the list was limited to people with a DocuSign account. DocuSign says it has more than 100 million users. Any current or previous customers may be at risk.
  • What to do: If your organization uses DocuSign, advise your users not to click on any links in DocuSign emails or open any attachments. Instead, advise them to access documents directly by visiting 
  • Additional protection: Barkly's runtime malware defense includes protection specifically designed to block macro-enabled malware like the kind being spread in these emails. 

On Monday, DocuSign announced it was tracking two campaigns of malicious phishing emails using the company's branding to trick recipients into downloading macro-enabled malware. DocuSign later determined attackers were distributing the emails using a list of DocuSign customer email addresses that had been obtained in a data breach.


What the fake DocuSign emails look like 

DocuSign has identified two separate phishing campaigns using slightly different emails. Both have been disguised to look like standard DocuSign emails, including the company's name and branding in the headers and body of the emails. 

The first is labeled as an accounting invoice ready for signature and the second is labeled as wire transfer instructions. 

What makes these emails so dangerous is that they are being directed to DocuSign customers who may not be surprised at all to see them. They're also being personalized to include recipients' names and email addresses. 

These emails can be identified by the following:

Sender addresses:


Subject lines:

  • Completed <> Accounting Invoice 426832 Document Ready for Signature
  • Completed: <> Wire Transfer Instructions for <recipient> Document Ready for Signature

Screenshot of one of the phishing emails. Source: DocuSign

How the infection process works 

Once the recipient clicks on the "review document" link, a Microsoft Word document will immediately be downloaded. Before the malware can be initiated, however, the user has to open the Word document and enable macros (unless macros are enabled by default).

Once macros are enabled, the attack utilizes that functionality to launch Hancitor, a downloader that makes calls to Command & Control (C&C) servers to download additional malware including Pony, a credential stealer, and ZLoader, another downloader associated with the Zbot banking trojan (aka Zeus).

How to protect your organization

  • Alert your users: If your organization uses DocuSign then you should tell your users not to open any documents attached or downloaded from DocuSign emails. DocuSign confirms it will never ask customers to open PDFs, Office documents, or ZIP files in emails. If users are expecting DocuSign documents they should instead access them by opening up a browser and manually typing in to visit the site directly.
  • Disable Office macros by default: If feasible, simply change user settings to block macros from running.
  • Don't just rely on antivirus: Attackers are increasingly hiding malware in Office documents because it helps them bypass antivirus and other traditional solutions. To protect your organization against these attacks you need smarter, stronger protection designed to block a wider variety of malicious activity and scripts.
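
The subject lines listed earlier and DocuSign's statement that it never asks customers to open PDFs, Office documents, or ZIP files in emails can be combined into a mail-triage check. This is an added example, not code from DocuSign or Barkly; the function names, the digit wildcard for the invoice number, and the example.test address are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Patterns built from the two subject lines listed in this alert. The "<>" and
# "<recipient>" slots vary per message, so they are wildcards; matching the
# invoice number as any run of digits is an assumption.
CAMPAIGN_SUBJECTS = [
    re.compile(r"^Completed\b.*Accounting Invoice \d+ Document Ready for Signature", re.I),
    re.compile(r"^Completed\b.*Wire Transfer Instructions for .+ Document Ready for Signature", re.I),
]
# File types DocuSign says it never asks customers to open from an email.
RISKY_EXTENSIONS = (".pdf", ".zip", ".doc", ".docx", ".docm", ".xls", ".xlsm", ".xlsx")


def triage(raw_message: str) -> list:
    """Return the reasons to quarantine a raw RFC 5322 message (empty = no hit)."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    sender = str(msg.get("From", ""))
    reasons = []
    if any(p.search(subject) for p in CAMPAIGN_SUBJECTS):
        reasons.append("subject matches campaign pattern")
    # Branding check: the lures carry the DocuSign name in headers and body.
    branded = "docusign" in (subject + " " + sender).lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if branded and name.endswith(RISKY_EXTENSIONS):
            reasons.append("DocuSign-branded mail carries attachment " + name)
    return reasons


def sample_message(subject, sender, attachment=None):
    """Build a constructed test message; addresses use the reserved .test TLD."""
    m = EmailMessage()
    m["Subject"], m["From"] = subject, sender
    m.set_content("Please review the document.")
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


if __name__ == "__main__":
    lure = sample_message(
        "Completed <> Accounting Invoice 426832 Document Ready for Signature",
        "DocuSign <sender@example.test>")
    print(triage(lure))
```

Because these lures deliver the Word document through a link rather than an attachment, the subject rule is the one that fires on them; the attachment rule covers variants that attach the file directly.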
