With "To All Employees - Confidential Message" in the subject line, a spoofed "From" email address, rather legitimate looking graphics in the email's body and the URL of the company's official website inserted at the end, the email is likely to be considered genuine by many:
The email urges recipients to open the attached To ALL Employees.zip file, which actually contains an information-stealing Trojan that searchers for passwords of users' e-mail client and those saved by their browsers, and collects account information (server names, port numbers, login IDs, and more).
In addition to this, it also attempts to log into other connected machines by trying out a hardcoded list of most frequent password, and some variants are also able to download additional malware on the already infected systems.
DocuSign is aware of the malicious spam campaign and is warning users about it, advising them not to open attachments in emails that seem to come from the service and to forward the bogus email to firstname.lastname@example.org to help with their forensic efforts.
"DocuSign continues to aggressively investigate this incident and is working with law enforcement agencies to take further action," they wrote, adding that DocuSign doesn't sell user information to third parties.
"Malicious third parties most often obtain email addresses by spidering the Internet, purchasing lists, and then 'phishing' for personal information via phone calls, spam emails, or fake web sites that contain malicious viruses designed to capture email directories, contacts, and other personal data," they explained.