First of all, there was no reason for an email from DocuSign or AT&T to show up in my inbox - much less my customer service inbox. Unsolicited emails asking for personal information should immediately make you wary. If you weren't expecting it, approach with extreme caution.
DocuSign is a service that lets you digitally sign documents for contracts using a verified electronic signature. It's a legitimate company that people use for real estate and contracts and other transactions. These types of emails have been showing up in inboxes for the past year or two. This one tried to trick me into signing "Contract Changes" from AT&T. But you could receive a fake signature request from any company. In fact, today DocuSign issued an alert about this problem on its website. Since I don't use DocuSign, that was another big warning sign that this was not on the level.
I poked around in my virtual machine sandbox. It's how I test each download to make sure it's safe for you. I found another couple of problems. First of all, the URL I was taken to was different than the official DocuSign address. It was a long, convoluted address with no domain name, just an IP address. Plus, DocuSign uses SSL, which means the entire domain is encrypted. Instead of "http" in front of the address, you'll see "https." This fake URL had no "S."