Updates & Alerts

Update 7/27/15 – DocuSign and Adobe Flash status

Recently there have been a number of 0-day vulnerabilities relating to Adobe Flash. We at DocuSign do not utilize Adobe Flash within our production environment and therefore are not susceptible to the critical vulnerabilities listed below. We will continue to monitor any new information around known issues and exploits that may have an impact on our DTM platform.

Here are links to the recent Adobe 0-day vulnerabilities:
https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
https://helpx.adobe.com/security/products/flash-player/apsa15-03.html





ALERT 07/29/2015 -- Critical Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (MS15-078)

On July 20th, an out-of-band security update was released by Microsoft to address a critical vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.

DocuSign initiated incident response procedures upon learning of the vulnerability to ensure the security of the company’s servers, core systems and online properties. We have applied the appropriate patch to all systems in accordance with our Incident Response and Vulnerability Management procedures. At this time, no further action is required.

Below is the link from Microsoft with additional details about this vulnerability:
https://technet.microsoft.com/library/security/ms15-078



Update 07/6/2015

Customer Notification: Additional IP Addresses for DocuSign Service

It’s DocuSign’s intention to provide the most robust and reliable service possible to enable your business transactions. We also want to proactively share information which may be of interest to our customers regarding the evolution of our service. A few of our customers have elected to explicitly allow internet addresses advertised by our service. It is important for those customers to keep up-to-date with our current IP address ranges. The following IP address ranges will be used by our service effective immediately and until further notification:


Current and Continuing for North America based and demo accounts:
209.67.98.1 through 209.67.98.63
206.25.247.129 through 206.25.247.159
209.46.117.161 through 209.46.117.191
162.248.184.1 through 162.248.187.255
54.149.21.90

New additions for North America based and demo accounts:
54.69.114.54
52.25.122.31
52.25.145.215
52.26.192.160
52.24.91.157
52.27.126.9
52.11.152.229

Current and Continuing for European Union based accounts:
185.81.100.1 through 185.81.103.254

New additions for European Union based accounts:
52.28.168.105

Should you have any questions, please don’t hesitate to contact us.





Update 7/2/2015 - DocuSign SSL/TLS Certificate Renewal
 
DocuSign’s SSL/TLS certificate used for NA1/NA2/EU1 production environments is set to expire. As a result, the certificate will be rolled over to a new one on 9/9/2015 at 4:00:00 PM (PDT). The new certificate will be a SHA2 (SHA256) certificate.

Please note that the SSL/TLS certificate used in our Demo environment was updated to a SHA2 (SHA256) certificate on 3/26/2015. This Demo environment is available for your testing and can be used to ensure a seamless update of the production certificate scheduled for 9/9/2015. Please test your API and Connect integrations against Demo to be assured there will be no impact when the production change occurs. If you have issues with your tests in Demo please reach out.

 
The new certificate is available for download here.  
Link to Symantec’s stance on SHA2 technology: Link.  
For more information and questions, please reach out to Customer Support or your Account Manager.





May 15th, 2015 – QEMU “VENOM” Vulnerability
 
The Venom vulnerability impacted the Xen platform and DocuSign has no dependencies on the Xen platform. This covers our Production and Corporate environments as well as our subsidiaries and service providers.
 
VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.
 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
http://venom.crowdstrike.com/

Critical Vulnerability in the Microsoft Windows HTTP Protocol Stack (MS15-034)
 
 
On April 14, a security patch was released by Microsoft to address a critical vulnerability in the Windows HTTP protocol stack (“HTTP.sys”) that was disclosed the same day. The vulnerability is rated Critical since it may allow remote code execution by an attacker or lead to a Denial of Service. The issue impacts all Windows HTTP services, including Internet Information Services (IIS).
 
DocuSign initiated incident response procedures upon learning of the vulnerability to ensure the security of the company’s servers, core systems and online properties. Since some of our technology stack includes Windows web servers, we reviewed all of our sites and supporting infrastructure to ensure all Windows based HTTP services were accounted for.
 
DocuSign has applied the appropriate patch to all systems in accordance with our Incident Response and Vulnerability Management procedures. At this time, no further action is required. DocuSign will continue to monitor the status of the situation and provide updates as needed.
 
Here are some additional resources and information about the vulnerability:
 
https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1635
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
 

 

Update 04/15/2015

Customer Notification: Additional IP Addresses for DocuSign Service

It’s DocuSign’s intention to provide the most robust and reliable service possible to enable your business transactions. We also want to proactively share information which may be of interest to our customers regarding the evolution of our service. A few of our customers have elected to explicitly allow internet addresses advertised by our service. It is important for those customers to keep up-to-date with our current IP address ranges. The following IP address ranges will be used by our service effective April 13, 2015 and until further notification:

 
Current and Continuing for North America based and demo accounts
209.67.98.1 through 209.67.98.63
206.25.247.129 through 206.25.247.159
209.46.117.161 through 209.46.117.191
162.248.184.1 through 162.248.187.255

New addition for North America based and demo accounts

54.149.21.90

These IP address ranges apply to all of our North American environments: www, NA2, and demo.

These IP address ranges will also apply to our EU1 environment until May 15th 2015.

 

New and Incremental for European Union based accounts
185.81.100.1 through 185.81.103.254
This IP address range applies to our EU environment immediately, and our EU1 endpoint after May 15th 2015.

Should you have any questions, please don’t hesitate to contact us.

 

 

Update 03/18/2015

FREAK

On March 3rd, a vulnerability in some Secure Sockets Layer (SSL) and Transport Layer Security (TLS) servers and clients was announced under the name FREAK, which stands for Factoring RSA Export Keys.  Exploitation of the vulnerability requires a man-in-the-middle (MiTM) attack with a vulnerable client or web browser and a target server that still supports the deliberately weakened EXPORT ciphers.

DocuSign does not support EXPORT ciphers on our TLS servers and our systems were not impacted by the vulnerability.

As with all man-in-the-middle vulnerabilities, DocuSign recommends that users always use caution when accessing secure sites over public networks, heed browser security and certificate warnings, and keep their browser up to date with the most secure configuration and software patches.

Here are some additional resources and information about the vulnerability.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204

https://www.us-cert.gov/ncas/current-activity/2015/03/06/FREAK-SSLTLS-Vulnerability

http://www.kb.cert.org/vuls/id/243585

https://www.smacktls.com/#freak

http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html

 

Update 02/23/2015

Customer Notification: Additional IP Addresses for DocuSign Service

It’s DocuSign’s intention to provide the most robust and reliable service possible to enable your business transactions. We also want to proactively share information which may be of interest to our customers regarding the evolution of our service. A few of our customers have elected to explicitly allow internet addresses advertised by our service. It is important for those customers to keep up-to-date with our current IP address ranges. The following IP address ranges will be used by our service effective March 10, 2015 and until further notification:

 
Current and Continuing for North America based and demo accounts
209.67.98.1 through 209.67.98.63
206.25.247.129 through 206.25.247.159
209.46.117.161 through 209.46.117.191
162.248.184.1 through 162.248.187.255
These IP address ranges apply to all of our North American environments: www, NA2, and demo.
These IP address ranges will also apply to our EU1 environment until May 15th 2015.

 

New and Incremental for European Union based accounts
185.81.100.1 through 185.81.103.254
This IP address range applies to our EU environment immediately, and our EU1 endpoint after May 15th 2015.

Should you have any questions, please don’t hesitate to contact us.

 

Update 2/13/2015

 

Poodle

 

On October 14th, a vulnerability in Secure Sockets Layer (SSL) Version 3 was announced under the name Poodle, which stands for Padding Oracle on Downgraded Legacy Encryption.  In December, another version of the Poodle bug was also announced that affected certain versions of Transport Layer Security (TLS).  These vulnerabilities impact the way clients and servers secure their communications over a network and can expose information that was previously protected.  These vulnerabilities, CVE-2014-3566 and CVE-2014-8730, have been rated as medium by the National Vulnerability Database.

At the time of the original vulnerability announcement, DocuSign's servers were already configured to prefer versions of TLS and to accept SSLv3 as a last resort. Upon learning of the issue, we performed a traffic study to understand the impacts of disabling SSLv3 support altogether and to ensure the continued availability of our service for all customers.  We worked closely with our vendors to test and deploy patches as they were released.  We also implemented new configuration options in partnership with our customers to secure the services that connect to their systems.  

As of today, DocuSign is happy to report that our TLS services are not vulnerable to CVE-2014-8730.  DocuSign is also in the process of a phased disabling of SSLv3 to further prevent Poodle. We began our transition off of the protocol starting with our outbound services in January.  We plan to continue the disabling of SSLv3 starting with our DocuSign Demo site on February 23rd, and conclude with our Production site on March 23rd.  Once the disabling of SSLv3 is completed on our core platform, customers using legacy browsers or unique configurations may not be able to connect to our web servers.  Please be aware of these important dates and ensure that all browsers and clients have been updated to recent versions in order to support the change. 

Here are some additional resources and information about these vulnerabilities.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730

https://www.us-cert.gov/ncas/alerts/TA14-290A

https://www.us-cert.gov/ncas/current-activity/2014/12/09/Certain-TLS-Implementations-Vulnerable-POODLE-Attacks

https://www.openssl.org/~bodo/ssl-poodle.pdf

 

Update 11/19/2014

DocuSign is tracking malicious email campaigns where the subject reads: Please DocuSign this document: Contract_changes_11_19_2014.pdf. Possibly malicious third-parties are including links to non-DocuSign websites. These emails are not associated with DocuSign. They are coming from an unrelated third party using DocuSign branding in the body of the email.  

Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net. Legitimate DocuSign invitations to sign and completion emails also include a security code which can be entered into the “Access Documents” section of the .com site to securely access the document.

Please remember to be particularly cautious if you receive an invitation to sign or view for an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

As a leader in online eSignature security and compliance, DocuSign has a zero-tolerance policy for this type of malware spam email and is fully prepared to ensure minimal impact to our customers and company. As we’ve seen, this type of malicious activity is becoming more common, especially to organizations with established, trusted brands. Please note that this malicious activity has no relation to any activity DocuSign is involved in.

 

Update 11/18/2014

On November 11th and 18th, Microsoft collectively released 16 patches.  Two patches in particular demanded elevated priorities due to their potential impacts.  DocuSign is happy to report that we have patched all of our systems with any possible exposure.

MS14-066 addresses serious flaws in the Microsoft Schannel library that can allow for remote code execution on unpatched systems on multiple services (RDP, HTTP, and others).  

MS14-068 resolves a privately reported vulnerability in Microsoft Windows Kerberos KDC that could allow an attacker to elevate unprivileged domain user account privileges to those of the domain administrator account.  

DocuSign understands the importance of remediating issues of this nature and will continue to keep our systems up to date and secure to protect our customers.

 

Update 11/14/2014

Security and safety are a top priority at DocuSign. We’ve recently been informed of malware, called Pony Loader, potentially impacting a very small number of our customers’ computers. It is important to note that DocuSign and our users were not specifically targeted by this malware, and there has been no compromise of the DocuSign application, systems or our infrastructure. 

For customers whose systems we believe were infected by malware, we are proactively suspending their accounts and communicating with them to let them know, so that they can take appropriate actions to protect their computers and data, and update passwords. We want to ensure their computers are safe and free of malware before reinstating their DocuSign accounts.

As a matter of best practice, we recommend all DocuSign customers keep computer security software up-to-date. We also suggest periodically changing passwords for your most critical sites and never using the same password for multiple sites. We further recommend that your DocuSign password be unique among all your passwords. 

 

Update 10/15/2014: "Poodle"

Earlier in the week, the DocuSign security team learned about an imminent SSL vulnerability, specifically in SSL version 3.0. As further details have been released, DocuSign has analyzed the impact of the recently announced "Poodle" (Padding Oracle On Downgraded Legacy Encryption) attack and determined that the risk is low due to DocuSign's existing deployment of transport encryption and the associated negotiation policies. This SSL vulnerability does not carry with it the same impact as the widely known "Heartbleed" vulnerability in OpenSSL.

As with all Man in the Middle vulnerabilities, DocuSign recommends that users always use caution when accessing secure sites over public networks, heed browser security and certificate warnings, and keep their browser up to date with the most secure configuration and software patches.
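The Poodle updates (2/13/2015 and 10/15/2014) and the FREAK update (03/18/2015) above both come down to the same two server-side settings: no SSLv3, and no EXPORT-grade cipher suites. The following is an added example, not DocuSign's configuration and not taken from this page: it uses Python's standard `ssl` module to build a deliberately permissive context beside a hardened one, and an `audit_tls_context` policy check that reports exactly the gaps those two advisories describe. Function names and the cipher string are this example's own choices.

```python
import ssl
from typing import List


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return policy findings for an SSLContext; an empty list means it passes.

    Checks the two weaknesses discussed in the Poodle and FREAK advisories:
    a protocol floor that still reaches SSLv3 (or legacy TLS 1.0/1.1), and
    cipher suites that are export-grade or below 128 bits of strength.
    """
    findings: List[str] = []
    # TLSVersion.MINIMUM_SUPPORTED (-2) means "whatever the linked OpenSSL still
    # speaks", so it compares below SSLv3 and is flagged the same way.
    if ctx.minimum_version <= ssl.TLSVersion.SSLv3:
        findings.append("minimum_version permits SSLv3 (POODLE, CVE-2014-3566)")
    elif ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS 1.0/1.1 (legacy protocols)")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if name.startswith("EXP") or "EXPORT" in name:
            findings.append(f"export-grade cipher enabled: {name} (FREAK, CVE-2015-0204)")
        elif cipher["strength_bits"] < 128:
            findings.append(f"weak cipher enabled: {name} ({cipher['strength_bits']} bits)")
    return findings


def weak_context() -> ssl.SSLContext:
    """Constructed 'before' configuration: leaves the protocol floor to OpenSSL
    and accepts every cipher suite the library offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Constructed 'after' configuration: TLS 1.2 floor, forward-secret AEAD
    suites only (example policy, not a vendor-published one)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # also enables hostname/cert checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, audit_tls_context(ctx) or "OK")
```

The audit reads the context rather than probing a live server, so it can run in a unit test before deployment; on a current OpenSSL build the weak context is flagged for its protocol floor, while the hardened one reports nothing.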

 

Update 9/24/2014: ShellShock

On September 24th, a critical vulnerability in Bash (Bourne Again Shell) was announced that presented a significant risk to many Unix based systems.  The vulnerability has been collectively referred to as "Shellshock" and refers to CVE-2014-6271 & CVE-2014-7169.  (Links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271  & http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169)  

Upon learning of this vulnerability, DocuSign initiated incident response procedures to ensure the continued security and safety of our servers, core systems and online properties.  To put it simply, our plan centered on one thing: Updating ALL instances of Bash.   Beginning with our most critical environments we identified all Bash installations and patched systems the moment patches became available.  The core DocuSign platform does not have a Unix footprint, but we took the extra precaution to perform detailed code reviews on all supporting applications where affected components could have existed and they have all been validated to not be susceptible to ShellShock. All systems utilizing Bash in any way have been patched to the latest available by vendors and open source communities or have had it disabled.  Additionally, network traffic filtering is in place to detect and stop any attempt to exploit this vulnerability and to alert when it does.

We will continue to monitor the situation and take appropriate action to ensure our customer and company information remain safe and secure in keeping with our commitment to put our customers’ privacy and security at the top of our priority list.

Update 8/27/2014:  Please Docusign this document: Contract_changes_08_27_2014.pdf / Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf

DocuSign is tracking malicious email campaigns where the subject reads: "Please DocuSign this document: Contract_changes_08_27_2014.pdf" or "Completed: Please DocuSign this document : Confidential Company Agreement..pdf".  Possibly malicious third-parties are including links to non-DocuSign websites. These emails are not associated with DocuSign. They are coming from an unrelated third party using DocuSign branding in the body of the email.  

Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net. Legitimate DocuSign invitations to sign and completion emails also include a security code which can be entered into the “Access Documents” section of the .com site to securely access the document.

Please remember to be particularly cautious if you receive an invitation to sign or view for an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

As a leader in online eSignature security and compliance, DocuSign has a zero-tolerance policy for this type of malware spam email and is fully prepared to ensure minimal impact to our customers and company. As we’ve seen, this type of malicious activity is becoming more common, especially to organizations with established, trusted brands. Please note that this malicious activity has no relation to any activity DocuSign is involved in.

Update 7/29/2014:  HUD-1 Settlement Document Sent on behalf of DocuSign

DocuSign is tracking malicious email campaigns where the subject reads: "Re:HUD-1 Settlement Statement".  Possibly malicious third-parties are including links to non-DocuSign websites. These emails are not associated with DocuSign. They are coming from an unrelated third party using branding in the body of the email.  

Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net. Legitimate DocuSign invitations to sign and completion emails also include a security code which can be entered into the “Access Documents” section of the .com site to securely access the document.

Please remember to be particularly cautious if you receive an invitation to sign or view for an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

As a leader in online eSignature security and compliance, DocuSign has a zero-tolerance policy for this type of malware spam email and is fully prepared to ensure minimal impact to our customers and company. As we’ve seen, this type of malicious activity is becoming more common, especially to organizations with established, trusted brands. Please note that this malicious activity has no relation to any activity DocuSign is involved in.

 

DocuSign University Invitations

On 6/9/14, DocuSign distributed an email inviting DocuSign customer admins to join DocuSign University. The email was inadvertently sent to a broader set of customer contacts, including end users, as a result of an incorrect setting in our email distribution criteria. The setting has been noted and corrected for future email distributions. We apologize for any inconvenience the email may have caused. Thank you.

Upcoming Student Authentication Network (STAN) Downtime - 5/17/2014 5:00am ET to 2:00pm ET

The Student Authentication Network, one of our Authentication providers, will be having a brief downtime as the Federal ED Systems implement enhancements and upgrades.

Update 4/11/2014: What is The Heartbleed Bug?

To learn more about The Heartbleed Bug, a serious vulnerability that was published in the popular OpenSSL cryptographic software library on April 7, 2014, please visit: http://heartbleed.com/.

What approach did DocuSign take upon learning of The Heartbleed Bug vulnerability?

DocuSign initiated incident response procedures on April 7 to ensure the security of all the company’s servers, core systems and online properties. Please note that DocuSign does not utilize OpenSSL for our core application, including docusign.net and app.docusign.com sites. As part of our incident response plan, we reviewed all of our sites and worked with our partners to ensure they were both aware of and responding to the Heartbleed vulnerability. No customer action is required.

Did The Heartbleed Bug access any DocuSign or customer data?

The security and safety of our data and customers’ data is a top priority for DocuSign. We take great pride and care in this, and in the case of The Heartbleed Bug we initiated incident response procedures to validate and ensure our systems remain safe and secure.

As a safety precaution and as a matter of best practice, passwords should be changed often. Do not use the same password on multiple sites. We recommend DocuSign users establish unique passwords.

Update 4/09/2014

On April 7th the existence of The Heartbleed Bug as a serious security risk to websites relying on OpenSSL was announced. We would like to assure you that DocuSign does not utilize OpenSSL for its core application, including for our docusign.net and app.docusign.com sites.

Immediately upon the publication of information on Heartbleed, DocuSign initiated incident response procedures to ensure the continued security and safety of our servers, core systems and online properties. We have reviewed all of our sites and worked with our partners to ensure they are aware of and responding to the Heartbleed vulnerability. 

As a safety precaution and as a matter of best practice, we recommend all DocuSign customers periodically change passwords for all of your most critical sites and never use the same password for multiple sites. We further recommend that your DocuSign password be unique among all your passwords. 

 

Update 04/01/2014

DocuSign experienced delays in delivery of email of up to 30 minutes from 9:25 PDT to 2:50 PDT.

 

Update 02/08/2014

DocuSign is tracking malicious email campaigns that began on 2/8/2014. In this version of malware spam email, possibly malicious third-parties are including links to non-DocuSign websites. These emails are not associated with DocuSign. They are coming from an unrelated third party using DocuSign in the subject line. In older versions of this type of spam we have also seen .zip attachments, as well as emails that attempt to copy the DocuSign email style and language in the hopes of fooling recipients into opening the email and clicking on links and attachments.

Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net. Legitimate DocuSign invitations to sign and completion emails also include a security code which can be entered into the “Access Documents” section of the .com site to securely access the document.

Examples of the emails we have seen today all have the subject line of, "Completed: Please DocuSign this document: Price Ruduction Authorization”

Please remember to be particularly cautious if you receive an invitation to sign or view for an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

As a leader in online eSignature security and compliance, DocuSign has a zero-tolerance policy for this type of malware spam email and is fully prepared to ensure minimal impact to our customers and company. As we’ve seen, this type of malicious activity is becoming more common, especially to organizations with established, trusted brands. Please note that this malicious activity has no relation to any activity DocuSign is involved in.

 

Update 01/20/2014

Customer Notification: Additional IP Addresses for DocuSign Service

It’s DocuSign’s intention to provide the most robust and reliable service possible to enable your business transactions. We also want to proactively share information which may be of interest to our customers regarding the evolution of our service. A few of our customers have elected to explicitly allow internet addresses advertised by our service. It is important for those customers to keep up-to-date with our current IP address ranges. The following IP address ranges will be used by our service effective February 7, 2014 and until further notification:

 
Current and Continuing
209.67.98.1 through 209.67.98.63
206.25.247.129 through 206.25.247.159
209.46.117.161 through 209.46.117.191
 
New and Incremental
162.248.184.1 through 162.248.187.255
 
These IP address ranges apply to all of our production and demo environments.  Should you have any questions, please don’t hesitate to contact us.
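The IP address notices above (01/20/2014, 02/23/2015, 04/15/2015 and 07/6/2015) publish ranges as "A through B" plus single addresses, and customers who allowlist them have to turn those into firewall entries without widening them. The following is an added example, not DocuSign's tooling and not from this page: it parses the page's own range format with Python's standard `ipaddress` module, emits the exact set of CIDR blocks (note that 209.67.98.1 through .63 is six blocks, not 209.67.98.0/26, because .0 was never published), and answers whether a given source address falls inside the published set. The sample input is copied from the 07/6/2015 North America list; the function names are this example's own.

```python
import ipaddress
from typing import Iterable, List

# Sample input: the North America ranges from the 07/6/2015 notice above,
# in the page's own "A through B" / single-address line format.
PUBLISHED_NA_RANGES = """
209.67.98.1 through 209.67.98.63
206.25.247.129 through 206.25.247.159
209.46.117.161 through 209.46.117.191
162.248.184.1 through 162.248.187.255
54.149.21.90
54.69.114.54
52.25.122.31
52.25.145.215
52.26.192.160
52.24.91.157
52.27.126.9
52.11.152.229
"""


def parse_published_ranges(text: str) -> List[ipaddress.IPv4Network]:
    """Convert published lines into the smallest list of CIDR blocks that covers
    exactly the published addresses and nothing else."""
    networks: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " through " in line:
            first_s, last_s = (p.strip() for p in line.split(" through ", 1))
            first = ipaddress.IPv4Address(first_s)
            last = ipaddress.IPv4Address(last_s)
            if last < first:
                raise ValueError(f"range end precedes start: {line!r}")
            # Yields the fewest aligned blocks covering [first, last] exactly;
            # a range starting at .1 deliberately does not round down to .0.
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            networks.append(ipaddress.ip_network(line))  # single host -> /32
    # Merge any adjacent blocks so the resulting allowlist is as short as possible.
    return list(ipaddress.collapse_addresses(networks))


def to_cidr_strings(allowlist: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Render blocks in the a.b.c.d/n form most firewall and cloud ACLs accept."""
    return [str(net) for net in allowlist]


def is_published_source(ip: str, allowlist: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the address lies inside one of the published blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    nets = parse_published_ranges(PUBLISHED_NA_RANGES)
    for cidr in to_cidr_strings(nets):
        print(cidr)
    print(is_published_source("162.248.185.77", nets))
```

Re-run the parser against each new notice rather than editing rules by hand; the diff between two runs is the change set to push to the firewall, and a source address that fails `is_published_source` after an update is a quick way to spot a range that was missed.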

Update 11/07/2013

DocuSign is tracking malicious email campaigns that began on 11/7/2013. In this version of malware spam email attacks, possibly malicious third parties are including .zip attachments. These emails are not associated with DocuSign. They are coming from an unrelated third party attempting to copy our email style and language in the hopes of fooling recipients into opening the email and clicking on the attachments. In other versions of this type of spam we have also seen links to non-DocuSign sites as well as the .zip attachments.

Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net. Legitimate DocuSign invitations to sign and completion emails also include a security code which can be entered into the “Access Documents” section of the .com site to securely access the document.

Examples of the emails we have seen this afternoon all have the subject line of, "Please DocuSign this document: Company Changes – Internal Only”

Please remember to be particularly cautious if you receive an invitation to sign or view for an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

As a leader in online eSignature security and compliance, DocuSign has a zero-tolerance policy for this type of malware spam email and is fully prepared to ensure minimal impact to our customers and company. As we’ve seen, this type of malicious activity is becoming more common, especially to organizations with established, trusted brands. Please note that this malicious activity has no relation to any activity DocuSign is involved in.

Update 10/15/2013

At approximately 5:30PM PST, DocuSign’s service partner call center in the Philippines experienced a 7.2 magnitude earthquake. The DocuSign service partner team in the Philippines is responsible for all Tier 1 customer support activities, and is currently unavailable. We have been in communication with our service partner (SupportSave). They have informed us that all of our Tier 1 representatives are safe and accounted for. The DocuSign Customer Support Department has initiated our disaster recovery protocol. The following actions have been taken to ensure business continuity:

  • A formal incident has been declared
  • Communication has been established with our service partner group
  • All members of the Support Organization have been notified
  • Alternate scheduling has been implemented in our Seattle Call Center to increase capacity
  • Alternate phone routing has been implemented to ensure coverage
  • A phone prompt has been implemented which notifies callers that hold times may be longer than usual

We anticipate that our service partner group will be able to resume operation by 6:00AM PST tomorrow morning with decreased capacity. The building which houses our service partner group is currently being inspected by engineers to ensure stability. Their power, water, and IT infrastructure are reported to be stable. We anticipate a minimum of 30% reduction in available service partner staff as people attend to their families and homes. We do not yet know how long the impact of this natural disaster will last.

This will impact DocuSign’s ability to respond to Web, Corporate, and Enterprise customers in a timely manner. Customers can expect to experience hold times which are longer than usual. This in turn will result in a larger portion of our call volume being directed to voicemail. We will return these voicemails as soon as possible. Email responses will be delayed as general volume increases. Chat availability will be limited as our ability to respond decreases.

For faster support response times, customers are encouraged to visit the DocuSign Community at http://community.docusign.com and DocuSign support site at www.docusign.com/support. More information will be posted as it becomes available.

Update 9/11/2013

On Friday, September 6, two of the three instances of DocuSign’s production service were impacted for 37 minutes by an inadvertent maintenance activity. The routine maintenance is normally performed without any impact to production. In this case, scripts were configured incorrectly and caused a rapid reboot of our storage systems. During these reboots, users experienced delays and in some cases session time outs. Measures have been taken to prevent this error in the future. We sincerely apologize for the service disruption and any impact to your business.

Update 7/29/2013

DocuSign is tracking malicious email campaigns that began on 7/29/2013. These emails are not associated with DocuSign. They are coming from unrelated, malicious third parties attempting to leverage the DocuSign brand in the hopes of fooling recipients into opening the email and clicking on the links. In other versions of this type of spam we have also seen links to non-DocuSign sites as well as .zip attachments. Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net.

Please remember to be particularly cautious if you receive an invitation to sign or view for an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

DocuSign's top priority is the privacy and security of our customers' information, documents, and data.

Update 7/17/2013

DocuSign is tracking malicious email campaigns that began on 7/17/2013. These emails are not associated with DocuSign. They are coming from unrelated, malicious third parties attempting to leverage the DocuSign brand in the hopes of fooling recipients into opening the email and clicking on the links. In other versions of this type of spam we have also seen links to non-DocuSign sites as well as .zip attachments. Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net.

Please remember to be particularly cautious if you receive an invitation to sign or view for an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

DocuSign's top priority is the privacy and security of our customers' information, documents, and data.

Update 6/7/2013

DocuSign is seeing malicious phishing email attacks as of this afternoon. In this round of malware spam email attacks, malicious third parties are including .zip attachments. These emails are not associated with DocuSign. They are coming from an unrelated, malicious third party attempting to copy our email style and language in the hopes of fooling recipients into opening the email and clicking on the attachments. In other versions of this type of spam we have also seen links to non-DocuSign sites as well as the .zip attachments. Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net.

Examples of the emails we have seen this afternoon all have the subject line of, "Please DocuSign this document: Important Changes – Employers Only..pdf"

Please remember to be particularly cautious if you receive an invitation to sign or view for an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

DocuSign's top priority is the privacy and security of our customers' information, documents, and data.

Update 5/15/2013

DocuSign is seeing malicious phishing email attacks as of this evening. In this round of malware spam email attacks, malicious third parties are including links to non-DocuSign sites which may include malicious code or redirect to non-DocuSign log-ins. These emails are not associated with DocuSign. They are coming from an unrelated, malicious third party attempting to copy our email style and language in the hopes of fooling recipients into opening the email and clicking on the links.

Examples of the emails we have seen this evening all have the subject line of, “Please DocuSign this document: Payment.pdf” and include links to non-DocuSign sites. Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net.

Please remember to be particularly cautious if you receive an invitation to sign or view for an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

Please remember, DocuSign’s top priority is the privacy and security of our customers’ information, documents, and data.

Update 5/7/2013

DocuSign is seeing malicious phishing email attacks as of this evening. In this round of malware spam email attacks, malicious third parties are including links to non-DocuSign sites which may include malicious code or redirect to non-DocuSign log-ins. These emails are not associated with DocuSign. They are coming from an unrelated, malicious third party attempting to copy our email style and language in the hopes of fooling recipients into opening the email and clicking on the links.

Examples of the emails we have seen this evening all have the subject line of, “Please DocuSign this document: Payment.pdf” and include links to non-DocuSign sites. Always pay attention to the URL at the top of your DocuSign log-in. A DocuSign log-in page should begin with https://www.docusign.net.

Please remember to be particularly cautious if you receive an invitation to sign or view for an envelope you are not expecting. If you have received a copy of the malware spam email, DO NOT CLICK ANY LINKS or OPEN ANY ATTACHMENTS. Instead, forward the email to spam@docusign.com and then immediately delete the email from your system.

Please remember, DocuSign’s top priority is the privacy and security of our customers’ information, documents, and data.

Update 4/9/2013

DocuSign became aware this morning of new malware phishing emails that are being sent as if coming from the DocuSign service. These emails are not coming from DocuSign. Please do not click on any links or attachments therein. They are coming from an unrelated, malicious third party attempting to copy DocuSign's email style and language in the hopes of fooling recipients into opening the email and downloading .zip attachments. While the DocuSign Global Network and our eSignature service remain safe and secure, we are proactively notifying customers and partners of the new phishing spam so that you can take appropriate measures to protect against spam.

Examples of the emails we have seen this morning all have the subject line of, “Completed: Please DocuSign this document : Payroll 2013..pdf” and have a .zip attachment titled Payroll.zip:
Spam Email Screenshot

Fortunately, much of this most recent malware spam never made it to users' inboxes as DocuSign has both Sender Policy Framework (SPF) lookup functionality and DMARC enabled on our mail servers to flag and quarantine malicious spam. The combination of these technologies helps to protect from malware spam attacks. You can learn more about SPF at http://www.openspf.org/ and DMARC at http://www.dmarc.org/index.html.

DocuSign actively works with antivirus vendors to fight spam. These vendors are continually updating their software to identify, filter, and remove this and other spam and malware from users’ systems. Please be sure that your antivirus and email filtering software are enabled and up-to-date. If you or one of your users opened the malicious attachment, be sure to contact your antivirus software provider for details on next steps and remedies, and/or follow your company's procedures for such incidents.

As a recipient, you can recognize safe, secure DocuSign links by hovering your mouse over them before you click on them to ensure that they start with: https://www.docusign.com or https://www.docusign.net. Any other links within emails made to look like DocuSign system emails are insecure and unsafe. Additionally, DocuSign does not include .zip attachments in emails.

February 27, 2013 Update

DocuSign became aware this evening of new malware spam emails that are being sent as if coming from the DocuSign service. These emails are not coming from DocuSign. Please do not click on any links or attachments therein. They are coming from an unrelated, malicious third party attempting to copy DocuSign's email branding in the hopes of fooling recipients into opening the email and clicking on links and/or attachments. While the DocuSign Global Network and our eSignature service remain safe and secure, we are proactively notifying customers and partners of the new malware spam so that you can take appropriate measures to protect against spam. Fortunately, much of this most recent malware spam never made it to users' inboxes as DocuSign has both Sender Policy Framework (SPF) lookup functionality and DMARC enabled on our mail servers to flag and quarantine malicious spam. The combination of these technologies helps to protect from malware spam attacks. You can learn more about SPF at http://www.openspf.org/ and DMARC at http://www.dmarc.org/index.html.

DocuSign actively works with antivirus vendors to fight spam. These vendors are continually updating their software to identify, filter, and remove this and other spam and malware from users’ systems. Please be sure that your antivirus and email filtering software are enabled and up-to-date. If you or one of your users opened the malicious attachment, be sure to contact your antivirus software provider for details on next steps and remedies, and/or follow your company's procedures for such incidents.

As a recipient, you can recognize safe, secure DocuSign links by hovering your mouse over them before you click on them to ensure that they start with: https://www.docusign.com or https://www.docusign.net. Any other links within emails made to look like DocuSign system emails are insecure and unsafe. DocuSign does not include .zip attachments in emails.

If you believe you or your customers received malware spam email, please forward the email to spam@docusign.com and then immediately delete it from your system. More information on this and other malicious malware spam email attacks – including a screen shot of the spoof email – can be found on the DocuSign web site at http://www.docusign.com/spam.

February 8, 2013 Update

DocuSign became aware this morning of new malware spam emails that are being sent as if coming from the DocuSign service. These emails are not coming from DocuSign. Please do not click on any links or attachments therein. They are coming from an unrelated, malicious third party attempting to copy DocuSign's email branding in the hopes of fooling recipients into opening the email and clicking on links and/or attachments. While we have not received any reports from DocuSign users having received this spam and the DocuSign Global Network and our eSignature service remain safe and secure, we are proactively notifying customers and partners of the new malware spam so that you can take appropriate measures to protect against spam.

DocuSign has both Sender Policy Framework (SPF) lookup functionality and Domain-based Message Authentication, Reporting & Conformance (DMARC) enabled on our mail servers to flag and quarantine malicious spam. The combination of these technologies helps to protect from malware spam attacks. You can learn more about SPF at http://www.openspf.org/ and DMARC at http://www.dmarc.org/index.html.

DocuSign also actively works with antivirus vendors to fight spam. These vendors are continually updating their software to identify, filter, and remove this and other spam and malware from users’ systems. Please be sure that your antivirus and email filtering software are enabled and up-to-date.

As a recipient, you can recognize safe, secure DocuSign links by hovering your mouse over them before you click on them to ensure that they start with: https://www.docusign.com or https://www.docusign.net.

Any other links within emails made to look like DocuSign system emails are insecure and unsafe. Additionally, DocuSign does not include .zip attachments in emails.

If you believe you or your customers received malware spam email, please forward the email to spam@docusign.com and then immediately delete it from your system. If you or one of your users opened the malicious attachment, be sure to contact your antivirus software provider for details on next steps and remedies, and/or follow your company's procedures for such incidents.

------------

January 29, 2013 Update - Protecting Against Malware Spam Attacks

DocuSign's top priority is the privacy and security of your information, documents, and data. The Internet is a critical component to your business and to conducting business on the DocuSign Global Network. Those committing fraud seek to take advantage of trusted relationships for illegal purposes. While there is no foolproof way to prevent the unauthorized use of the DocuSign name and brand, we continuously monitor for such activity to make your DocuSigning experience safe and secure.

DocuSign strives to be a great partner and fight malware spam attacks and the malicious third parties behind malware spam. In the event that you have been impacted by malware spam email, we recommend contacting a security vendor like McAfee, Microsoft/Forefront, Symantec or others to help with any needed security support and system clean up.

You can help to combat online fraud and protect your information, documents, and data by taking the following precautions:

Enable Sender Policy Framework
DocuSign highly recommends that email administrators configure their email servers to utilize SPF (Sender Policy Framework) lookup functionality. Mail servers that utilize SPF lookup functionality will contribute to flagging and quarantining malicious spam. DocuSign leverages a best practice called DMARC which works with SPF to instruct recipient email servers how to treat malicious spam. The combination of these technologies dramatically helps to protect from malicious spam email. You can learn more about SPF at http://www.openspf.org/ and DMARC at http://www.dmarc.org/index.html.

Filter email attachments
Quarantine any emails from the Internet with potentially harmful attachments such as .zip and .exe file types.

Workstation security
Install anti-virus software and ensure it is enabled and kept up-to-date, and be sure to apply vendor recommended security patches on a frequent basis.

Education
Provide regular training to end users to identify fraudulent email and phishing schemes.

Please contact your systems security team and email administrator to encourage them to take advantage of these precautionary steps to help protect your information, documents and data.

--------------------

January 29, 2013 Update

DocuSign became aware this morning of new malware spam emails being sent as if they were coming from the DocuSign service. An example follows immediately below. These emails are not coming from DocuSign and you should not click on any links or attachments therein. They are coming from an unrelated, malicious third party attempting to copy DocuSign’s email branding in the hopes of fooling recipients into opening the email and clicking on links and/or attachments. While the DocuSign Global Network and our eSignature service remain safe and secure, we are proactively notifying customers of the new malware spam so that you can take appropriate measures to protect against spam.

Within this latest round of malware spam email attacks, the links included within the emails ARE NOT safe, secure links to the DocuSign service. As a recipient, you can recognize safe, secure DocuSign links by hovering your mouse over them before you click on them to ensure that they start with: https://www.docusign.com, https://www.docusign.net, https://na2.docusign.net or https://eu1.docusign.net.

Any other links within emails made to look like DocuSign system emails are insecure and unsafe. DO NOT CLICK these links. The insecure and unsafe links that we have seen in malware spam emails to date all point to unrelated third-party web sites, none of them DocuSign sites.

If you believe you received malware spam email, please forward the email to spam@docusign.com and then immediately delete it from your system. More information on this and other malware spam email attacks – including a screen shot of the spoof email – can be found on the DocuSign web site at https://www.docusign.com/spam.

Get helpful tips on protecting yourself from malware spam email from a recent blog post, "Protect Yourself From Online Fraud and Scams in the New Year", by DocuSign's Chief Security Officer.

example spam message

--------------------

January 24, 2013 Update

At 8:40AM PST this morning, 1/24/2013, DocuSign became aware of new malware spam emails being sent as if they were coming from the DocuSign service. An example follows immediately below. These emails are not coming from DocuSign and you should not click on any links or attachments therein. They are coming from an unrelated, malicious third party attempting to copy DocuSign’s email branding in the hopes of fooling recipients into opening the email and clicking on links and/or attachments. Within this latest round of malware spam email attacks, the links included within the emails ARE NOT safe, secure links to the DocuSign service. As a recipient, you can recognize safe, secure DocuSign links by hovering your mouse over them before you click on them to ensure that they start with: https://www.docusign.com or https://www.docusign.net.

Any other links within emails made to look like DocuSign system emails are insecure and unsafe. DO NOT CLICK these links. The insecure and unsafe links that we have seen in malware spam emails to date all point to unrelated third-party web sites, none of them DocuSign sites.

If you believe you received malware spam email, please forward the email to spam@docusign.com and then immediately delete it from your system. More information on this and other malware spam email attacks – including a screen shot of the spoof email – can be found on the DocuSign web site at https://www.docusign.com/spam.

Get helpful tips on protecting yourself from malware spam email from a recent blog post, "Protect Yourself From Online Fraud and Scams in the New Year", by DocuSign's Chief Security Officer at https://www.docusign.com/node/3952.

example spam message

--------------------

January 3, 2013 Update

Malicious third parties are continuing to attempt to spoof a variety of companies, including DocuSign, via spam email. Antivirus vendors report malicious code incidents have been increasing by as much as 3600% per week in recent weeks. While the majority of spam emails are being sent to email accounts with no association to DocuSign or the DocuSign service, some have also been received by DocuSign users. The latest spam emails contain a zip file with an executable containing malicious code that installs malware on the recipient’s computer if opened. These spam emails are not coming from DocuSign and are not related to the DocuSign service. DO NOT OPEN THE ATTACHMENT.

DocuSign actively works with antivirus vendors including Symantec, McAfee, Microsoft Forefront, and Strasburg, to fight spam. Antivirus vendors are continually updating their software to identify, filter, and remove this and other spam and malware from users’ systems. Please be sure that your antivirus and email filtering software are enabled and up-to-date to protect your systems and personal information. If you opened the malicious attachment, be sure to contact your antivirus software provider for details on next steps and remedies, and/or follow your company’s procedures for such incidents.

DocuSign continues to aggressively investigate this incident and is working with law enforcement agencies to take further action. We have received questions from customers asking how a third party obtained their email addresses. Malicious third parties most often obtain email addresses by spidering the Internet, purchasing lists, and then “phishing” for personal information via phone calls, spam emails, or fake web sites that contain malicious viruses designed to capture email directories, contacts, and other personal data.

DocuSign’s top priority is the privacy and security of our customers’ information, documents, and data. DocuSign does not sell user information to any third party. For more information, please review DocuSign’s TRUSTe certified privacy policy at http://www.docusign.com/company/privacy-policy.

Please find below the immediate steps that you should take if you think you received malware spam email. Further below please find recommendations regarding steps that IT departments may wish to take to further protect against malware spam.

Immediate steps to take if you think you received malware spam email:

  1. DO NOT OPEN any zip files or executable attachments
  2. DocuSign-generated emails don’t contain zip files or executables as attachments
  3. Contact the sender to confirm the authenticity of the signature request if you don’t recognize the sender of a DocuSign envelope
  4. FORWARD the email to spam@docusign.com to help with our forensic efforts
  5. Immediately DELETE the malicious email
  6. Ensure your anti-virus software is up to date and enabled

Steps IT departments may wish to take to further protect against malware spam:

  • Enable Sender Policy Framework (SPF) record checking: SPF is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses. (http://en.wikipedia.org/wiki/Sender_Policy_Framework).
  • Filter email attachments: Quarantine any emails from the Internet with potentially harmful attachment file types such as zip and executable file types. The only attachments DocuSign will send are PDFs.
  • Workstation Security: Install anti-virus software and ensure it is enabled and kept up-to-date. Apply vendor recommended security patches on a frequent basis.
  • Education: Provide regular training to end-users to identify fraudulent email and phishing schemes.
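The recipient-side checks these updates describe (a link is only safe if it points at a DocuSign host; zip and executable attachments are never legitimate, DocuSign attaches only PDFs), as an added Python example that is not DocuSign's own code. It judges each link by its parsed hostname rather than by a string prefix, which is stricter than the hover-and-look test above; the sample message, its sender address and its Payroll.zip placeholder attachment are constructed for the example.

```python
"""Recipient-side triage for DocuSign-themed malware spam (added example, not DocuSign code).

Applies the two recipient checks this page gives: links must point at a legitimate
DocuSign host, and .zip / executable attachments are never legitimate (DocuSign
attaches only PDFs). Links are judged on the parsed hostname, not a string prefix:
a prefix check on "https://www.docusign.net" would also accept
https://www.docusign.net.example.com, which is not a DocuSign host.
"""
import email
import os
import re
from email import policy
from urllib.parse import urlparse

# Hosts the advisories list as legitimate DocuSign link targets.
TRUSTED_HOSTS = {"www.docusign.com", "www.docusign.net", "na2.docusign.net", "eu1.docusign.net"}
# Attachment types the advisories say to quarantine (extend to suit local policy).
RISKY_EXTENSIONS = {".zip", ".exe"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_trusted_link(url: str) -> bool:
    """True only for an https URL whose exact hostname is a known DocuSign host."""
    parts = urlparse(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")  # userinfo tricks end up outside hostname
    return parts.scheme == "https" and host in TRUSTED_HOSTS


def extract_links(text: str) -> list:
    """Return every http(s) URL in a text or HTML body, minus trailing punctuation."""
    return [m.group(0).rstrip(".,;:)") for m in URL_RE.finditer(text)]


def triage(raw_message: str) -> dict:
    """Classify one RFC 5322 message: 'quarantine' if any link or attachment fails a check."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = {"untrusted_links": [], "risky_attachments": [], "verdict": "ok"}
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            report["risky_attachments"].append(filename)
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in extract_links(part.get_content()):
                if not is_trusted_link(url):
                    report["untrusted_links"].append(url)
    if report["untrusted_links"] or report["risky_attachments"]:
        report["verdict"] = "quarantine"
    return report


# Constructed sample modelled on the 4/9/2013 campaign (spoofed sender, look-alike
# host, Payroll.zip attachment); the attachment body is a placeholder, not real content.
SAMPLE_PHISH = """\
From: DocuSign <noreply@docusign.example>
To: recipient@example.com
Subject: Completed: Please DocuSign this document : Payroll 2013..pdf
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the document: https://www.docusign.net.example.com/view/1234.
Questions? See https://www.docusign.com/support
--b1
Content-Type: application/zip; name="Payroll.zip"
Content-Disposition: attachment; filename="Payroll.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
```

Calling `triage(SAMPLE_PHISH)` returns a `quarantine` verdict with the look-alike link and `Payroll.zip` flagged, while the genuine support link passes.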

More information will be posted here as it becomes available.