{"id":74198,"date":"2017-06-01T14:23:45","date_gmt":"2017-06-01T21:23:45","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=74198"},"modified":"2025-06-02T20:50:12","modified_gmt":"2025-06-03T03:50:12","slug":"misuse-of-docusign-email-addresses-leads-to-phishing-campaign","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/misuse-of-docusign-email-addresses-leads-to-phishing-campaign\/","title":{"rendered":"Misuse of DocuSign Email Addresses Leads to Phishing Campaign"},"content":{"rendered":"

DocuSign<\/a>, which provides electronic signatures and digital transaction management, reported that email addresses were stolen by an unknown party on May 15. Although the company confirmed that no personal information was shared, DocuSign has reported<\/a>\u00a0that a malicious third party gained temporary access to a separate, non-core system that allows it to communicate service-related announcements to users via email. This incident has left a lot of DocuSign individual users and business professionals vulnerable, because the attacker group is trying to exploit the users through phishing emails. Users are receiving mails on their corporate email\u00a0IDs, in which they are asked to review and sign job-related documents such as accounting invoices, by clicking on the \u201cReview Document\u201d hyperlink in the malicious documents.<\/p>\n

\"\"<\/p>\n

Spam email.<\/em><\/p>\n

The phishing link downloads a document file consisting of malicious code, which when opened injects malware in the system’s process svchost.exe.<\/p>\n

\"\"<\/p>\n

Process injection.<\/em><\/p>\n

The injected process sends a request to the following URLs:<\/p>\n

\"\"<\/p>\n

Contacting the remote host.<\/em><\/p>\n

The malware receives the response:<\/p>\n

\"\"<\/p>\n

Response from server.<\/em><\/p>\n

The response is an encrypted file that could be any of three types:<\/p>\n