Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

ITS wishes to bring an ongoing phishing scam involving DocuSign to your attention.

The ITS Security team is working to mitigate the threat, but because it is evolving and is sophisticated, we want to alert our community. They should be suspicious of messages from DocuSign that are unexpected and were not initiated by someone they know.

Quick Summary

Due to the compromise of DocuSign accounts, DocuSign accounts are sending requests to other user accounts that ask them to log into Microsoft 365. Those who click on these fraudulent requests are sent to a fake Microsoft 365 log in page. If the recipient enters their log in credentials (UConn email address and NetID password) into their fake page, the credentials are sent to bad actors. This is not limited to the UConn community.

Important Distinction

This phishing campaign is the result of compromised DocuSign accounts. These compromised accounts are sending requests to other DocuSign accounts.

⚠️ Recipients of this phish are receiving legitimate requests for the theft of their credentials. The request itself is legitimate because it is sent from a DocuSign account; the contents of the request are malicious.

⚠️ This means the recipient will also see the request in their DocuSign account, not just in their email inbox. This malicious request must be ignored in both the email inbox and in the DocuSign website.

This creates difficulty for ITS in identifying and blocking this phishing campaign.

How to Identify

image-20250122-163307.png

  1. Is this sent by someone you know?
    Would you expect a request for your signature from this person?
    Ask them in person, in Teams, or send them a separate email. Send a separate email to ensure they don’t have a chance to click on any links in the suspicious email you received.

  2. Is this a request involving money?
    Within your university life, it may be unlikely for you to receive a request through DocuSign that involves money.
    Does your department use the stated payment processor? Example: PayPal
    If mentioned, does your department typically use Bitcoin, or another cryptocurrency, for transactions?

  3. Is there a sense of urgency in this request?
    Is the urgency warranted or expected?
    Are you being warned about a transaction involving people, goods, or tender you don’t typically interact with?

If you mistakenly click on the document, you’re asked to click on a link within the document that leads you to a fake Microsoft log in page. If you enter your credentials into the page, your credentials are sent to bad actors.

image-20250122-164511.png

How to Avoid

Don’t click any buttons or links in the email.

If you have clicked on the message, do not enter your login credentials or any other identifying information.

Review the “How to Identify” steps above. Do not interact with the request in either your email inbox or in the DocuSign website.

If you are worried about the security of your account, perhaps you entered your credentials, reset your NetID password immediately. Resetting or Changing Your NetID Password

How to Report

If you receive this malicious DocuSign request, forward the email to security@uconn.edu.

This is in contrast to other reporting due to the nature of this phishing campaign. As explained above, these are legitimate emails with malicious content, and therefore reporting the email is not the correct action at this time.

Questions?

Please email techsupport@uconn.edu.

  • No labels