Phishing Emails from Docusign.net Domain

Hello, @LarryAZ 

You are welcome to the Docusign Community!

I'm sorry you're experiencing this issue.

Let me recommend two practical articles to help combat and protect against email Phishing:

1. https://support.docusign.com/s/articles/What-Should-I-Do-if-I-Receive-a-Suspicious-Email?language=en_US&rsc_301
   
    
2. Combating Phishing white paper:
   chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/https://www.docusign.com/sites/default/files/docusign_combating_phishing_whitepaper.pdf

I hope that helps!

Best,

Alexandre

Not much.  I’ve already been to the 1st link and my email was rejected as spam. 2d, no.  I have my own mail server and good spam filtering.  DocuSign either has a problem with phishers using their service, or well spoofed mail headers in addition to making it cumbersome to report. 

I’ve been getting those as well, and like you, I’m managing the issue. Just got this one today:

from dse AT eumail DOT docusign DOT net   <=== Dead giveaway that it’s a scam

Embedded link in the button

https://eu DOT docusign DOT net/Signing/EmailStart.aspx?a=6ad21c0b-3476-4bf2-a973-fd59e76ccad8&acct=af1c29b3-e43c-4f33-a8c1-9a84e59e528f&er=a9b23abe-d970-4430-8305-6616fd119e0b

Event the “Report this email” link points to the Dot net domain.

Not really sure where to report fraud at DocuSign though.

Link to the white paper is broken, the working link is as below
https://assets.ctfassets.net/0jnmtsdzg6p5/6SvJ0lqpwUSX50UfX8ek1l/3385810f09fc854384787073bbcdacf4/Combat-Phishing_24-08_whitepaper_EN-US.pdf

I have exactly the same problem today. Is docusign.net legit or not? Can someone from Docusign give a clear answer?

​@userPNAJ 

You may need to expand a bit more on your question - and maybe create a new post rather than adding onto the end of a ‘solved’ post. 

What is the problem you’re having? Did you get an email to sign something? If you have a DocuSign account, you can sign into your account and see if there are any documents waiting (rather than follow a suspicious link). Or you could contact the sender and ask if have sent you something.

good luck

mr1

On 2/18  I was asked to use DocuSign to sign a document with my real estate agent. One day after that on 2/19, I received three emails from domain docusign.net and title as “PayPal Customer Care via DocuSign” . These email claim that my PayPal account was used to purchase crypto currencies from Coinbase and clearly these are scams. I don’t understand how this can happen just after my using DocuSign and it raises my concern about security of your service. The most confusing part is that the sender’s domain is docusign.net.

I had the same exact thing happen to me. I got an email yesterday about unauthorized activity on my pay pal account. I don’t use pay pal  anymore. The email address I was to respond to is  dse_NA4@docusign.net . I obviously I didn’t click the link but the the domain name is concerning 

got a second one this week

We just block everything from docusign.net.  Receiving like 5 a day for the past two months. It’s obvious they are being abused and they don’t seem to care. We’ve told all our vendors not to send us anything via docusign, it will be rejected at the gateway.

Hello Team,
Thank you for alerting us to dishonest people abusing the Docusign product. Our security teams have produced an incident reporting guide on our Trust website.
For the most recent details on how to notify Security about phishing or fraud efforts, please follow the link below:
https://www.docusign.com/trust/security/incident-reporting
There is also the “Combating Phishing: A Proactive Approach” whitepaper available here: https://www.docusign.com/sites/default/files/docusign_combating_phishing_whitepaper.pdf
Feel free to let us know if you need any more help with this.

Best regards,

Jenny | Docusign Community Moderator

"Select as Best" below if you find the answer a valid solution to your issue.

Hi!
We recently prepared a video and a community post with more information about email security. Please, check it out:

Hello DocuSign Security Team,

Our organization has recently received phishing emails claiming to be from dse@docusign.net, which appear to spoof legitimate DocuSign communications. Upon investigation, we identified that the emails were sent from the malicious IP address 110.164.177.109, which is not associated with your official infrastructure.

The phishing messages attempt to lure recipients into clicking on suspicious links and may lead to credential theft or malware.

We wanted to bring this to your attention so you can take any appropriate action (e.g., domain/IP blocking, security bulletin, or legal escalation). Please let us know if you require headers or additional samples — we are happy to assist.

Thank you for your support and commitment to user safety.

Hi ​@rodrigue rib !
First of all, thank you for collecting this information and for your efforts spent on it.

We kindly ask that you send this information through our correct spam report channels, ensuring that the security team is properly notified and takes action (if necessary). Please, check out Quick Reporting Guide to know how to proceed.

Thank you!

This issue is continuing and only escalating. DocuSign needs to disable direct send in their tenant, or fully mitigate this issue through other means, because this is a real threat and they are spoofing internal communications and business flows. To the extent that DocuSigns own guidance on receiving a questionable email is to check the site to see if the document is legit. Well, the fake document shows up on the site as legitimate, even though it is clearly not. This is a major issue and needs to be resolved before trust is completely broken with this company.

Also, I followed the steps listed above and the only way I saw to get to the “report abuse” link is to create a paid account. Is that true?

Hi ​@sdean78 !
Unfortunately, a few people persist in using Docusign tools for unworthy purposes. Docusign frequently blocks and suspends accounts with improper use, and we take active and passive (when we receive reports from other users) actions.

As available on the Incident Reporting - Security Concerns (https://www.docusign.com/trust/security/incident-reporting) website, there are several ways to report phishing, such as forwarding the email to spam@docusign.com, using the report abuse option, or even directly through our i-Sight web portal (https://docusign.i-sight.com/portal). We kindly ask that you send us the information through one of these official methods so that the responsible team can analyze and take action if necessary.

I have tried these numerous times and my company is still getting the phishing emails.  DocuSign needs to do something sbout this issue so we don’t have to send your emails to quarantine.  This is not a good look on DocuSign.

The steps in these lnks never work.  I have sent five or six of these emails to the docusign verify email and nothing ever happens .  We still kjeep getting these emails.  And yes, I am the administrator of the account and our email threat protection.  You ask me to open up this domain but do nothing to protect it.  I will need to consider if I still want to keep using DocuSign.

Hello ​@gmcmenimen,

I hope you’re doing well. Thank you for your patience and for bringing this to our attention.

We totally understand how frustrating it must be to send multiple emails without seeing any action. 

We’ve upgraded our email delivery systems to better spot and block fraudulent emails before they land in your inbox. Additionally, we’ve rolled out new fraud verification features that make it easier for you to check if a DocuSign email is real. Just forward any suspicious email to verify@docusign.com, and we’ll quickly let you know if it’s legitimate or if it contains anything suspicious, along with what steps you should take next. 

Article: https://www.docusign.com/blog/security-that-scales

We really appreciate you sticking with us and want to make sure you feel confident using DocuSign. If you keep seeing issues or need more help, please don’t hesitate to reach out. 

Best regards,

Jenny | Docusign Community Moderator