DocuSign Phishing Emails Loaded with Data Stealing Trojan

DocuSign Professionals that use DocuSign should beware of an active phishing campaign looking to infect their computer with a data-stealing Trojan, warns antivirus firm Bitdefender.

The phishing email has been carefully crafted to appear as if it were a legitimate notice sent by DocuSign Electronic Signature Service on behalf of the administration department of the recipient’s company.

DocuSign Phishing Email
Screenshot Credit: Bitdefender

From: DocuSign Service (
Subject: To all Employees – Confidential Message

Your document has been completed

Sent on behalf of

All parties have completed the envelope ‘Please DocuSign this document: To All Employees 2013.pdf’.

To view or print the document download the attachment .

(self-extracting archive, Adobe PDF)

This document contains information confidential and proprietary to

LEARN MORE: New Features | Tips & Tricks | View Tutorials

DocuSign. The fastest way to get a signature.

If you have questions regarding this notification or any enclosed documents requiring your signature, please contact the sender directly. For technical assistance with the signing process, you can email support.

Attached to the email is a zip file named “To ALL,” and it shouldn’t be a surprise to anyone that inside the archive is a payload identified as Trojan.Generic.KD.834485.

Once it has infected a machine, Trojan.Generic.KD.834485 will get to work by stealing login credentials stored in email clients & web browsers, attempt to log into other network machines by guessing weak passwords using remote desktop protocol (RDP), possibly download and install additional malware (such as the infamous ZeuS/Zbot), and collect account information related to server names, port numbers, login IDs, FTP clients, and cloud storage programs.

DocuSign is aware of this email threat and has taken the courtesy of posting a warning on their website advising users that legitimate emails do not contain zip or executable files as attachments and to mouseover links to check for the or domains before following them.

Think You Received a DocuSign Phishing Email?

  • Do not download or open any attached files.
  • Hover your mouse over links to check for the legitimate or domains. (Note: This may not matter if a file is attached since real emails from DocuSign do not contain attachments.)
  • Report the email by forwarding it to
  • Delete the email immediately.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+

This entry was posted in Computer Security, malware, phishing, spam and tagged , , , , , .
Follow any comments here with the RSS feed for this post. Trackbacks are closed, but you can post a comment.
  • Gregor Perotto

    Thank you for your article and for helping individuals and companies to protect against malware spam. Here are a few additional precautions that people can implement to fight against these malicious third-party spam attacks:

    Enable Sender Policy FrameworkEmail administrators can configure their email servers to utilize SPF (Sender Policy Framework) lookup functionality. Mail servers that utilize SPF lookup functionality will contribute to flagging and quarantining malicious spam. DocuSign leverages a best practice called DMARC which works with SPF to instruct recipient email servers how to treat malicious spam. The combination of these technologies dramatically helps to protect from malicious spam email. You can learn more about SPF at and DMARC at email attachmentsQuarantine any emails from the Internet with potentially harmful attachments such as zip and exe file types.Workstation securityInstall anti-virus software and ensure it is enabled and kept up-to-date, and be sure to apply vendor recommended security patches on a frequent basis.EducationProvide regular training to end users to identify fraudulent email and phishing schemes.Contact your systems security team and email administrator to encourage them to take advantage of these precautionary steps to help protect your information, documents and data.

    Again, thank you for helping to fight malware spam attacks.

    Gregor Perotto

    • Marquisa Kirkland

      Thank you for sharing the extra tips :)

© 2014 Hyphenet, Inc.
1761 Hotel Circle S, Suite 350, San Diego, CA 92108

All rights reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited.

Hyphenet IT Security Blog located at 1761 Hotel Circle South, Suite 350 , San Diego, CA . Reviewed by 91 customers rated: 3.8 / 5