As it turns out, "a malicious third party" had managed to break into a "non-core system" that DocuSign uses to send out service announcement emails. This is why the phishing campaign has been so accurately targeting customers, though the red flag here is that emails ask recipients to download a Microsoft Word document (containing malware), which isn't something a genuine DocuSign email would ever request.

The company stresses the breached system contained only a list of email addresses, that it has since been secured, and that all other data and services were untouched. Obviously it's still not a good look for DocuSign given data security is an integral part of its pitch, but it's an important reminder that just because an email looks above board at first glance doesn't mean it can be trusted.