"legit" docusign emails being used for malicious purposes

So it appears that malicious actors no longer have to spoof Docusign emails and can actually sign up for a Docusign account and then use it to send malicious content.

This may be old news for some of you, but this is the first example we've seen of a legit Docusign account being used like this. Fortunately it was so poorly constructed that the recipient knew it wasn't legit, as she would have been the one to send it to herself, but good grief...