We’re seeing quite a few email messages that claim to be about an invoice you haven’t paid and have PDF attachments supposedly from Docusign that you’re supposed to look at. They’ll have subject lines like “Delayed Payment Penalty Notification”. You probably won’t recognize the supposed sender as somebody you do business with, and if you hover your mouse over the From: address in the email you’ll see that the address is from some random domain. The From: addresses are hijacked accounts, and this is a phishing attempt. Most of these gets stopped in our Barracuda spam filters, but there are so many that some are getting through. If you get any of these, delete them.
More information from Docusign: https://www.docusign.com/trust/security/incident-reporting