The phishing email has been carefully crafted to appear as if it were a legitimate notice sent by DocuSign Electronic Signature Service on behalf of the administration department of the recipient’s company.
From: DocuSign Service (email@example.com)
Subject: To all Employees – Confidential Message
Your document has been completed
Sent on behalf of firstname.lastname@example.org.
All parties have completed the envelope ‘Please DocuSign this document: To All Employees 2013.pdf’.
To view or print the document download the attachment.
(self-extracting archive, Adobe PDF)
This document contains information confidential and proprietary to bitdefender.com
LEARN MORE: New Features | Tips & Tricks | View Tutorials
DocuSign. The fastest way to get a signature.
If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly. For technical assistance with the signing process, you can email support.
Attached to the email is a zip file named “To ALL Employees.zip,” and it shouldn’t be a surprise to anyone that inside the archive is a payload identified as Trojan.Generic.KD.834485.
Once it has infected a machine, Trojan.Generic.KD.834485 gets to work by stealing login credentials stored in email clients and web browsers, attempting to log into other machines on the network by guessing weak passwords over Remote Desktop Protocol (RDP), possibly downloading and installing additional malware (such as the infamous ZeuS/Zbot), and collecting account information related to server names, port numbers, login IDs, FTP clients, and cloud storage programs.
DocuSign is aware of this email threat and has posted a warning on its website advising users that legitimate emails never contain zip or executable files as attachments, and to hover over links to confirm they point to the docusign.com or docusign.net domains before following them.
Think You Received a DocuSign Phishing Email?
- Do not download or open any attached files.
- Hover your mouse over links to check for the legitimate docusign.com or docusign.net domains. (Note: This may not matter if a file is attached since real emails from DocuSign do not contain attachments.)
- Report the email by forwarding it to email@example.com.
- Delete the email immediately.
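The two checks DocuSign's advisory gives above (no zip or executable attachments; link hosts under docusign.com or docusign.net) can be applied mechanically at a mail gateway or during incident triage. The script below is an added example, not code from the article or from DocuSign. The sample message it builds, its sender address, the look-alike host docusign.com.example.test and the attachment bytes are all constructed for illustration; the list of risky extensions is an assumption that extends the advisory's "zip or executable" wording.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Domains that DocuSign's advisory (quoted in the article) names as legitimate.
LEGIT_DOMAINS = ("docusign.com", "docusign.net")
# Attachment types genuine DocuSign notices never carry (assumed list built
# from the advisory's "zip or executable files").
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".bat", ".js")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_legit_host(host):
    """True only for docusign.com / docusign.net or a subdomain of them.

    A substring test would also accept 'docusign.com.evil.example';
    matching on the suffix with a leading dot does not.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def extract_links(msg):
    """Collect every http(s) URL from the text and HTML parts of a message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            links.extend(URL_RE.findall(part.get_content()))
    return links


def triage(raw_bytes):
    """Apply the two advisory checks to a raw RFC 822 message and summarise."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)

    risky_attachments = [
        part.get_filename()
        for part in msg.iter_attachments()
        if part.get_filename()
        and part.get_filename().lower().endswith(RISKY_EXTENSIONS)
    ]
    suspicious_links = [
        url for url in extract_links(msg)
        if not is_legit_host(urlparse(url).hostname or "")
    ]
    verdict = (
        "phishing_suspected" if risky_attachments or suspicious_links
        else "no_findings"
    )
    return {
        "risky_attachments": risky_attachments,
        "suspicious_links": suspicious_links,
        "verdict": verdict,
    }


def build_sample():
    """Constructed message shaped like the lure in the article (not a capture).

    Sender, look-alike host and archive bytes are all made up.
    """
    m = EmailMessage()
    m["From"] = "DocuSign Service <email@example.com>"
    m["Subject"] = "To all Employees - Confidential Message"
    m.set_content(
        "Your document has been completed.\n"
        "To view or print the document download the attachment.\n"
        "https://docusign.com.example.test/view\n"
        "https://www.docusign.com/support\n"
    )
    m.add_attachment(
        b"PK\x03\x04 placeholder, not a real archive",
        maintype="application",
        subtype="zip",
        filename="To ALL Employees.zip",
    )
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

On the constructed sample, `triage` flags the zip attachment and the look-alike link while passing the genuine www.docusign.com link; the suffix match in `is_legit_host` is the part worth copying, since a naive "contains docusign.com" test is exactly what a host such as docusign.com.example.test is built to defeat.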