Yesterday morning, between 8:45am and 10:00am, several UMBC users received DocuSign messages offering access to a document called “News Update.pdf” with a button labeled “View Document Now”.
The From address of the email “dse_docusign2@docusign.umbc.edu” was forged. This message did not originate from the UMBC’s DocuSign system. It is, however, an unusually good design for a phishing attack.
In the current work climate, it is easy to overlook unusual features of messages we get in our UMBC email inboxes. We are also using tools, like Docusign, more than ever. There are people who will try to take advantage of that. While the source of this message is currently under investigation, DoIT wanted to share some of the key features of this message that raise suspicions about its origin.
Example of Malicious DocuSign Forgery:
In the example above there are some tell-tale signs that should raise suspicions.
The message begins with the salutation “DocuSign,” and is from “The DocuSign Team”. They seem to be addressing themselves.
There is no “DocuSign Team”. DocuSign notifications are from UMBC staff.
The From: header in the upper left says “dse_docusign2@docusign.umbc.edu”. In an actual docusign message, that header would be something like “Andy Johnston via DocuSign <dse_na2@docusign.net>”
DocuSign message subjects normally start with the words “Please DocuSign”. This one does not.
The point of DocuSign is to be able to verify, by signing, that you have received a document. There is no reason to do that for a news update. UMBC News is sent out in regular email messages.
Did You Click on the Button?
If you are one of the people who got this message and clicked on the button, you should have gotten this message:
If you selected ‘Proceed’, you would probably have gotten a message that the page was unreachable or the link was invalid. If you got anything else, please submit a ticket to security@umbc.edu so that we can contact you.