ITS wishes to bring an ongoing phishing scam involving DocuSign to your attention.
The ITS Security team is working to mitigate the threat, but because it is evolving and sophisticated, we want to alert our community. Community members should be suspicious of messages from DocuSign that are unexpected and were not initiated by someone they know.
Quick Summary
Compromised DocuSign accounts are sending requests to other user accounts that ask them to log into Microsoft 365. Those who click on these fraudulent requests are sent to a fake Microsoft 365 login page. If the recipient enters their login credentials (UConn email address and NetID password) into the fake page, the credentials are sent to bad actors. This is not limited to the UConn community.
Important Distinction
This phishing campaign is the result of compromised DocuSign accounts. These compromised accounts are sending requests to other DocuSign accounts.
⚠️ Recipients of this phish are receiving legitimate DocuSign requests that are designed to steal their credentials. The request itself is legitimate because it is sent from a DocuSign account; the contents of the request are malicious.
⚠️ This means the recipient will also see the request in their DocuSign account, not just in their email inbox. This malicious request must be ignored both in the email inbox and on the DocuSign website.
This creates difficulty for ITS in identifying and blocking this phishing campaign.
How to Identify
Is this sent by someone you know?
Would you expect a request for your signature from this person?
Ask them in person, in Teams, or send them a separate email. Send a separate email to ensure they don’t have a chance to click on any links in the suspicious email you received.
Is this a request involving money?
Within your university life, it may be unlikely for you to receive a request through DocuSign that involves money.
Does your department use the stated payment processor? Example: PayPal
If mentioned, does your department typically use Bitcoin, or another cryptocurrency, for transactions?
Is there a sense of urgency in this request?
Is the urgency warranted or expected?
Are you being warned about a transaction involving people, goods, or tender you don’t typically interact with?
User Experience: If you click on REVIEW DOCUMENT, you are presented with a document that contains a hyperlink. This link leads you to a fake Microsoft login page. If you enter your credentials into the page, your credentials are sent to bad actors.
How to Avoid
Don’t click any buttons or links in the email.
If you have clicked on the message, do not enter your login credentials or any other identifying information.
Review the “How to Identify” steps above. Do not interact with the request either in your email inbox or on the DocuSign website.
If you are worried about the security of your account, you may reset your NetID password. If you believe you have entered your credentials into a fake login page, reset your NetID password immediately and contact security@uconn.edu.
How to Report
If you receive this malicious DocuSign request, forward the email to security@uconn.edu.
This differs from other reporting because of the nature of this phishing campaign. As explained above, these are legitimate emails with malicious content, and therefore reporting the email is not the correct action at this time.
Questions?
Please email techsupport@uconn.edu.