Updates


Date change for end of DocuSign TLSv1.0 support – now June 25, 2018

April 6, 2018

To ensure smooth DocuSign support deprecation for TLSv1.0, we have changed the effective date for this change. DocuSign will end TLSv1.0 support effective June 25, 2018. Please refer to the original end of support notice for further details.

Visit DocuSign’s System Requirements page for information about browsers supported by DocuSign. These browsers will continue to work after the change.

Security Updates And Alerts Category

Update 3/22/2018 @ 10 AM Pacific Time - New Phishing Campaign Observed Today

March 22, 2018

DocuSign has observed a new phishing campaign that began the morning of March 22nd, 2018 (Pacific Time). The email purports to come from DocuSign using the email addresses no-reply@docusignmail.com and no-reply@docusignemail.com. The emails all have the subject:

"You have received a secure document"

These emails contain a malicious Word document as an attachment, 9S659EHDCSI72649DS.doc.

These emails are not sent from DocuSign. Do not open the attachment in these emails; instead, please forward them to spam@docusign.com and then delete the email immediately.

For more information on how to spot phishing, please see our Combating Phishing white paper (3.3 MB).

 

DocuSign TLSv1.0 support to end June 30, 2018 (Updated end date: June 25, 2018)

March 16, 2018

Following industry best practices, DocuSign will end TLSv1.0 support effective June 25, 2018 (updated from June 30, 2018). This date aligns with the deadline the PCI Security Standards Council has set for companies that wish to remain PCI Data Security Standard (PCI DSS) compliant. Other leading SaaS vendors, including Salesforce, Box, and PayPal, plan to end support for TLSv1.0 in June.

More information is available here: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

In addition to retiring the insecure TLSv1.0 protocol, we will also remove a set of cipher suites which are no longer considered secure. This includes ciphers such as 3DES along with a few others that have an insufficient key length to securely encrypt communications.

The ciphers to be retired include the following:

· TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
· TLS_RSA_WITH_3DES_EDE_CBC_SHA
· TLS_RSA_WITH_AES_256_GCM_SHA384
· TLS_RSA_WITH_AES_256_CBC_SHA256
· TLS_RSA_WITH_AES_256_CBC_SHA
· TLS_RSA_WITH_AES_128_GCM_SHA256
· TLS_RSA_WITH_AES_128_CBC_SHA256
· TLS_RSA_WITH_AES_128_CBC_SHA

TLSv1.0 and these cipher suites are utilized by a small set of customers to support legacy integrations. These integrations will need to be updated to support secure, modern ciphers; doing so is often as easy as recompiling the solution with updated libraries. The PCI Security Standards Council has published detailed guidance for migration from SSL/early TLS. It is available here: www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf
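One way an integration owner might check a Python client against this notice, as an added example that is not DocuSign's code: it flags a client capped at TLSv1.0 or one whose offered suites are all on the retired list. The IANA-to-OpenSSL name mapping and the function names are this example's own, and the sample offer in the usage lines is constructed.

```python
import ssl

# Suites named in the notice, mapped to the OpenSSL names Python's ssl module reports.
# The mapping is added for this example; the notice lists IANA names only.
RETIRED = {
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
}
RETIRED_OPENSSL = set(RETIRED.values())
LEGACY_ONLY = {"SSLv3", "TLSv1"}  # a client capped here cannot go above TLSv1.0


def audit_offer(max_protocol, cipher_names):
    """Judge a client offer: its highest protocol and its OpenSSL cipher names."""
    retired = [c for c in cipher_names if c in RETIRED_OPENSSL]
    surviving = [c for c in cipher_names if c not in RETIRED_OPENSSL]
    problems = []
    if max_protocol in LEGACY_ONLY:
        problems.append("cannot negotiate above TLSv1.0")
    if not surviving:
        problems.append("every offered suite is on the retired list")
    return {"ok": not problems, "problems": problems,
            "retired": retired, "surviving": surviving}


def audit_context(ctx):
    """Audit an ssl.SSLContext exactly as the integration configures it."""
    capped = ctx.maximum_version in (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1)
    names = [c["name"] for c in ctx.get_ciphers()]
    return audit_offer("TLSv1" if capped else "newer", names)


if __name__ == "__main__":
    # Constructed offer resembling an integration built against old libraries.
    print(audit_offer("TLSv1", ["DES-CBC3-SHA", "AES128-SHA"]))
    # The interpreter's own default client configuration.
    print(audit_context(ssl.create_default_context()))
```

Pass the context your integration actually builds to `audit_context`; a non-empty `retired` list with `ok` still true means the client will keep working but is offering suites it no longer needs.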

All internet browsers currently supported by DocuSign already default to newer versions of TLS, so this change will go unnoticed by web and mobile users. Please contact DocuSign support with additional questions.


Update 3/6/2018 @ 2.15 PM Pacific Time - New Phishing Campaign Observed Today

March 6, 2018

DocuSign has observed a new phishing campaign that began the morning of March 6th, 2018 (Pacific Time). The email purports to come from "DocuSign Electronic Signature and Invoice" using the email addresses invoice@nxgndata.com and invoice@bandgequipment.com. The emails all have the subjects:

You received / got invoice from DocuSign Signature Service / DocuSign Electronic Signature Service / DocuSign Service

These emails contain links to a malicious Word document. These emails are not sent from DocuSign. Do not click the links in these emails; instead, please forward them to spam@docusign.com and then delete the email immediately.

For more information on how to spot phishing, please see our Combating Phishing white paper (3.3 MB).


Update 2/28/2018 - DocuSign and SAML Vulnerability Update

Feb. 28, 2018

On February 27th, CERT released details about a SAML vulnerability affecting some libraries which may allow an attacker to perform an authentication bypass. More details are available here: https://www.kb.cert.org/vuls/id/475445

Our security and identity teams immediately investigated this issue in our applications and have confirmed that none of our SAML implementations are vulnerable to this attack.


Update 2/8/2018 – Final DocuSign Update on Meltdown and Spectre Vulnerabilities

Feb. 8, 2018

DocuSign has addressed the Spectre and Meltdown vulnerabilities across our service, protecting customers from potential exploitation. Engineering teams have carefully monitored and measured performance during the rollout of these patches and no measurable service degradation has been encountered. Our incident response teams have not seen any indication of attempts to exploit these issues.

 

If and when additional patches become available from vendors we will use the same strategy to test, measure and deploy to our service. Providing customers with a secure and reliable service is our top priority at DocuSign.


Update 1/31/2018 @ 8.45 AM Pacific Time - New Phishing Campaign Observed Today

Jan. 31, 2018

DocuSign has observed a new phishing campaign that began the morning of January 31, 2017 (Pacific Time).

The email purports to come from "Docusign Inc." using the email address dse@dse.com with the subject “Your document Receipt <numbers> for <name> is ready for signature!”. The email contains a link to a malicious Word document. This email is not sent from DocuSign. Do not click the link in this email; instead, please forward it to spam@docusign.com and then delete the email immediately.

For more information on how to spot phishing, please see our Combating Phishing white paper (3.3 MB).

Privacy at DocuSign

Dec. 1, 2017

Learn about privacy at DocuSign and the steps we're taking to prepare for the upcoming GDPR. 

Update 11/29/2017 @ 8:55 AM Pacific Time - New Phishing Campaign Observed Today

Nov. 29, 2017

DocuSign has observed a new phishing campaign that began the morning of November 29th (Pacific Time)

Get Tips and Resources to Prevent and Combat Online Fraud

Nov. 20, 2017

Read about our top pointers to help you stay safe online. 

Update 11/16/2017 @ 9:30 AM Pacific Time - New Phishing Campaign Observed Today

Nov. 16, 2017

DocuSign has observed a new phishing campaign that began the morning of November 16th (Pacific Time)

Update 10/16/2017 @ 8:31 AM Pacific Time – New Phishing Campaign Observed Today

Oct. 16, 2017

DocuSign has observed a new phishing campaign that began the morning of October 16th (Pacific Time).

Update 9/27/2017 @ 8:25 AM Pacific Time – New Phishing Campaign Observed Today

Sept. 27, 2017

DocuSign has observed a new phishing campaign that began the morning of September 27 (Pacific Time).

Update 9/14/2017 @ 11:00 AM Pacific Time – New Phishing Campaign Observed Today

Sept. 14, 2017

DocuSign has observed a new phishing campaign that began the morning of September 14th targeting individuals in the APAC region.

Update 9/6/2017 – DocuSign and Apache Struts Security Alert Status

Sept. 8, 2017

Apache issued a security alert on September 5, 2017 for Struts, an open source framework for creating Java web applications.  The component performs unsafe deserialization and could lead to a remote code execution vulnerability.

Update 9/6/2017 @ 8:41 AM Pacific Time – New Phishing Campaign Observed Today

Sept. 6, 2017

DocuSign has observed a new phishing campaign that began the morning of September 6th (Pacific Time).

Update 8/28/2017 @ 7:50 AM Pacific Time – New Phishing Campaign Observed Today

Aug. 28, 2017

DocuSign has observed a new phishing campaign that began the morning of August 28th (Pacific Time).

Reminder: Please Refer to the DocuSign Trust Center to Verify the Latest Alerts and Updates

Aug. 25, 2017

The DocuSign Trust Center is the best source of information regarding alerts or threats to the DocuSign environment. 

Update 8/16/2017 @ 9:00 AM Pacific Time – New Phishing Campaign Observed Today

Aug. 16, 2017

DocuSign has observed a new phishing campaign that began the morning of August 16th (Pacific Time).

Update 7/18/2017 @ 8:15 AM Pacific Time – New Phishing Campaign Observed Today

July 18, 2017

DocuSign has observed a new phishing campaign that began the morning of July 18th (Pacific Time).

Update 6/12/2017 @ 9:24 AM Pacific Time – New Phishing Campaign Observed Today

June 12, 2017

DocuSign has observed a new phishing campaign that began the morning of June 12 (Pacific Time).

Update 5/18/2017 @ 9:30 PM Pacific Time – Follow @askdocusign on Twitter for latest updates

May 18, 2017

If you would like to be automatically informed about the latest security updates and alerts, please follow @askdocusign (DocuSign Support) on Twitter, where we will be posting notifications when the Trust Center is updated.

Update 5/17/2017 @ 1:02 PM Pacific Time – New Phishing Campaign Discovered Today

May 17, 2017

DocuSign has observed a new phishing campaign that began the morning of May 16 (Pacific Time).

Update 5/16/2017 @ 8:55 Pacific Time – Key Update on Malicious Campaign

May 16, 2017

As part of our commitment to updating everyone as we identify new information during our investigation, we can now confirm that only people with a DocuSign account were impacted by this incident – those who signed a document without a DocuSign account were not among the list of email addresses that were accessed maliciously.

Update 5/16/2017 @ 3:45 PM Pacific Time - DocuSign Phishing Campaigns – Indicators of Compromise

May 16, 2017

To assist customers concerned about the recent phishing incident, we’re posting this resource which contains a list of Indicators of Compromise (IOCs) which can be used by Enterprise IT and Security Teams to detect malicious activity related to this incident.

Update 5/16/2017 @ 12:21 PM Pacific Time - Update on Malicious Campaign

May 16, 2017

As an update on the malicious phishing incident, we wanted to share some of the most frequent questions that we have been receiving in the past 12 hours. We will continue to update this site with new information as it becomes available.

Update 5/16/2017 – Security Advisory Status regarding MS17-010 & WannaCrypt/WannaCry Ransomware

May 16, 2017

Recently we’ve seen increased concern and discussion around an exploit released by Shadow Brokers which was acknowledged by Microsoft on March 14th, 2017. This issue involves SMBv1 and how it handles specially crafted requests to a host impacted by this vulnerability.

Update 5/15/2017 - Latest update on malicious email campaign

May 15, 2017

Last week and again this morning, DocuSign detected an increase in phishing emails sent to some of our customers and users – and we posted alerts here on the DocuSign Trust Site and in social media.

Update 5/15/2017

May 15, 2017

For more information, please review our Combating Phishing resource guide

Update 5/15/2017 - Malicious Email Campaign

May 15, 2017

DocuSign is tracking a malicious email campaign where the subject reads: Completed *company name* - Accounting Invoice *number* Document Ready for Signature. The email contains a link to a downloadable Word Document which is designed to trick the recipient into running what’s known as macro-enabled-malware.

Update 5/9/2017 - Malicious Email Campaign

May 9, 2017

DocuSign is tracking a malicious email campaign where the subject reads: "Completed: docusign.com - Wire Transfer Instructions for recipient-name Document Ready for Signature".

Update 2/27/2017 – DocuSign and Cloudflare Security Advisory Status

Feb. 27, 2017

Recently there was an issue reported by Cloudflare that impacted their edge servers.

Update 11/22/2016 - Malicious Email Campaign

Nov. 22, 2016

DocuSign is tracking a malicious email campaign where the subject reads: "You have a new Encrypted Document". The email contains a Word Doc attachment "EncryptedDoc.doc" which is designed to trick the recipient into running what’s known as macro-enabled-malware.

Update 7/19/16 – DocuSign and OpenSSL Security Advisory status CVE-2016-2107 & CVE-2016-2108

July 19, 2016

Recently there were 2 issues identified with OpenSSL. We have identified all impacted servers and have applied the appropriate patches necessary to remediate these issues within our environment.

Update 3/1/2016 - DROWN

March 1, 2016

On March 1st, a vulnerability in Secure Sockets Layer (SSL) Version 2 was announced under the name DROWN, which stands for Decrypting RSA with Obsolete and Weakened Encryption.

ALERT 12/18/2015 – Juniper Networks releases notice of backdoor software discovery

Dec. 18, 2015

On 12/18/2015, Juniper Networks released a Security Bulletin (2015-12) outlining two security issues found during an internal code review. 

DocuSign Single Sign-On Certificate Update

Aug. 26, 2015

DocuSign’s Single Sign-On certificate used for SAML AuthN requests and WS_Federation encryption in our NA1/NA2/EU1 production environments is about to expire.

ALERT 07/29/2015 -- Critical Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (MS15-078)

July 29, 2015

On July 20th, an out of band security update was released by Microsoft to address a critical vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.

Update 7/27/15 – DocuSign and Adobe Flash status

July 27, 2015

Recently there have been a number of 0-day vulnerabilities relating to Adobe Flash.

Update 07/6/2015 - Customer Notification: Additional IP Addresses for DocuSign Service

July 6, 2015

Customer Notification: Additional IP Addresses for DocuSign Service

Update 7/2/2015 - DocuSign SSL/TLS Certificate Renewal

July 2, 2015

DocuSign’s SSL/TLS certificate used for NA1/NA2/EU1 production environments is set to expire. As a result, the certificate will be rolled over to a new one on 9/9/2015 at 4:00:00 PM (PDT). The new certificate will be a SHA2 (SHA256) certificate.

May 15th, 2015 – QEMU “VENOM” Vulnerability

June 15, 2015

The Venom vulnerability impacted the Xen platform and DocuSign has no dependencies on the Xen platform. This covers our Production and Corporate environments as well as our subsidiaries and service providers.

Update 04/15/2015

April 15, 2015

Customer Notification: Additional IP Addresses for DocuSign Service

Update 03/18/2015 - FREAK

March 18, 2015

On March 3rd, a vulnerability in some Secure Sockets Layer (SSL) and Transport Layer Security (TLS) servers and clients was announced under the name FREAK, which stands for Factoring RSA Export Keys.

Update 02/23/2015

Feb. 23, 2015

Customer Notification: Additional IP Addresses for DocuSign Service

Update 2/13/2015 - Poodle

Feb. 13, 2015

On October 14th, a vulnerability in Secure Sockets Layer (SSL) Version 3 was announced under the name Poodle, which stands for Padding Oracle on Downgraded Legacy Encryption.

Security in Email

Feb. 5, 2015

The number of worldwide email accounts is expected to increase from an installed base of 3.1 billion in 2011 to nearly 4.1 billion by year-end 2015, according to a report by Radicati.