Security Alert
Jonathan Crowe
May 2017

Alert: Fake DocuSign Phishing Emails Are Spreading Malware

The electronic signature company DocuSign has issued an alert warning customers their email addresses were exposed to attackers, and to be on the lookout for phishing emails with infected Word document attachments.

Key Details

  • What's happening: Malicious phishing email campaigns are targeting DocuSign users after hackers were able to access a list of customer email addresses.
  • What do the phishing emails look like? Two variations of emails have been identified: One disguised as an accounting invoice ready for signature, and another disguised as wire transfer instructions. Additional identifying details are included below and can also be found here.
  • Who is being targeted? DocuSign has not announced how many email addresses were accessed, but has confirmed the list was limited to people with a DocuSign account. DocuSign says it has more than 100 million users. Any current or previous customers may be at risk.
  • What to do: If your organization uses DocuSign, advise your users not to click on any links in DocuSign emails or open any attachments. Instead, advise them to access documents directly by visiting docusign.com.
  • Additional protection: Barkly's runtime malware defense includes protection specifically designed to block macro-enabled malware like the kind being spread in these emails.


On Monday, DocuSign announced it was tracking two campaigns of malicious phishing emails using the company's branding to trick recipients into downloading macro-enabled malware. DocuSign later determined attackers were distributing the emails using a list of DocuSign customer email addresses that had been obtained in a data breach.

 

What the fake DocuSign emails look like 

DocuSign has identified two separate phishing campaigns using slightly different emails. Both have been disguised to look like standard DocuSign emails, including the company's name and branding in the headers and body of the emails. 

The first is labeled as an accounting invoice ready for signature and the second is labeled as wire transfer instructions.

What makes these emails so dangerous is that they are being directed to DocuSign customers who may not be surprised at all to see them. They're also being personalized to include recipients' names and email addresses.

These emails can be identified by the following:

Sender addresses:

  • dse@docusgn.com
  • dse@docus.com 

Subject lines:

  • Completed <recipientDomain.com> Accounting Invoice 426832 Document Ready for Signature
  • Completed: <recipientDomain.com> Wire Transfer Instructions for <recipient> Document Ready for Signature

Screenshot of one of the phishing emails. Source: DocuSign
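The indicators above can be turned into a mail-triage check. The following is an added example, not code from DocuSign or Barkly: it matches the two sender addresses and both subject-line templates listed in the alert. The sample messages are constructed, and treating the invoice number and the colon after "Completed" as variable is an assumption that goes beyond the exact strings shown.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Sender addresses published in the alert above.
BAD_SENDERS = {"dse@docusgn.com", "dse@docus.com"}

# Subject templates from the alert. Assumption: the invoice number and the
# optional colon vary between messages, so they are matched loosely.
SUBJECT_PATTERNS = [
    re.compile(r"^Completed:?\s+\S+\s+Accounting Invoice \d+ "
               r"Document Ready for Signature$", re.I),
    re.compile(r"^Completed:?\s+\S+\s+Wire Transfer Instructions for .+ "
               r"Document Ready for Signature$", re.I),
]

def triage(raw_message: str) -> list[str]:
    """Return the campaign indicators a raw RFC 5322 message matches."""
    # policy.default unfolds headers and decodes RFC 2047 encoded words.
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() in BAD_SENDERS:
        reasons.append("sender")
    subject = " ".join(str(msg.get("Subject", "")).split())
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        reasons.append("subject")
    return reasons

# Constructed sample messages (not taken from real traffic).
SAMPLES = {
    "invoice": "From: DocuSign <dse@docusgn.com>\nTo: pat@example.com\n"
               "Subject: Completed example.com Accounting Invoice 426832"
               " Document Ready for Signature\n\nbody\n",
    "wire": "From: dse@docus.com\nSubject: Completed: example.com Wire"
            " Transfer Instructions for pat Document Ready for Signature\n\n",
    # Same lure sent from an address not on the list: subject still matches.
    "other_sender": "From: billing@example.net\nSubject: Completed: example.com"
                    " Wire Transfer Instructions for pat Document Ready for"
                    " Signature\n\n",
    "benign": "From: Alice <alice@example.org>\nSubject: Lunch on Friday?\n\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

A subject-only hit is worth reviewing on its own, since sender addresses are the easiest part of a campaign to rotate.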

How the infection process works 

Once the recipient clicks on the "review document" link, a Microsoft Word document will immediately be downloaded. Before the malware can be initiated, however, the user has to open the Word document and enable macros (unless macros are enabled by default).

Once macros are enabled, the attack utilizes that functionality to launch Hancitor, a downloader that makes calls to Command & Control (C&C) servers to download additional malware including Pony, a credential stealer, and ZLoader, another downloader associated with the Zbot banking trojan (aka Zeus).

How to protect your organization

  • Alert your users: If your organization uses DocuSign then you should tell your users not to open any documents attached or downloaded from DocuSign emails. DocuSign confirms it will never ask customers to open PDFs, Office documents, or ZIP files in emails. If users are expecting DocuSign documents they should instead access them by opening up a browser and manually typing in docusign.com to visit the site directly.
  • Disable Office macros by default: If feasible, simply change user settings to block macros from running.
  • Deploy runtime malware defense to block macro-enabled malware at runtime: While attacks that hide malware in Office documents may bypass other security, they can still be stopped with security software that recognizes and blocks malicious system activity in real-time.

Find out more about how RMD works in our Complete Guide to Runtime Malware Defense.

Jonathan Crowe

Jonathan writes about cybersecurity from a practical point of view. He has a strict whitelisting policy for filtering out jargon and only sharing tips and tools that actually work.
