Attackers are leveraging DocuSign’s API to distribute authentic-looking invoices at scale, exploiting legitimate business channels to bypass traditional security measures. Using paid DocuSign accounts and customized templates, malefactors mimic reputable companies, such as Norton, to send convincing invoices through the platform.
Revealed in a blog post by Wallarm, this approach evades phishing filters by omitting malicious links or attachments, relying instead on the inherent trust of DocuSign’s platform to deceive recipients.
Beyond Traditional Phishing: An Evolution in Attack Sophistication
Phishing attacks have traditionally depended on fake emails with malicious links or attachments to trick users into divulging sensitive information. However, this new tactic is distinct: attackers are infiltrating trusted channels and using real DocuSign accounts to send fraudulent requests, making these messages able to defy all but the closest scrutiny.
John Waller, Cybersecurity Practice Lead at Black Duck, highlighted the significance of this tactic, saying, “What stands out in this scheme is not just the abuse of the API itself, but the specific way attackers are leveraging DocuSign’s API capabilities to send requests that blend seamlessly with typical business operations. By using paid accounts, attackers gain API access that enables the customization and automation of these fraudulent requests at scale.”
Waller explained that this strategy effectively bypasses conventional phishing filters, as these invoices are genuine DocuSign documents. He noted that this type of API misuse heralds a shift toward exploiting application trust instead of system vulnerabilities.
In this scheme, bad actors create authentic-looking invoices featuring the branding and pricing of well-known software companies. Some include additional charges, like activation fees, to add legitimacy, while others feature direct wire instructions or purchase orders. If the recipient signs the document, attackers may then forward the signed invoice to the target’s finance department, prompting payment to unauthorized bank accounts.
Automation and Scale: The Role of DocuSign’s API
The ability to automate these scams is a key component of their scale. Attackers leverage DocuSign’s API, specifically the Envelopes: create API, to send high volumes of fraudulent invoices with minimal manual effort. This method allows them to launch extensive campaigns that evade detection by email filters and security protocols that rely on flagging external links or malicious attachments.
“The longevity and breadth of the incidents reported in DocuSign’s community forums clearly demonstrate that these are not one-off, manual attacks. In order to carry out these attacks, the perpetrators must automate the process. DocuSign offers APIs for legitimate automation, which can be abused for these malicious activities,” said Wallarm security researchers, adding that they were alerted to this activity because they received just such an email.
Shifting Towards Multichannel Strategies
Stephen Kowski, Field CTO at SlashNext, stressed the trend of attackers shifting toward multichannel strategies and automation. “The rise in DocuSign API exploitation represents a broader shift in multichannel attack sophistication. Cybercriminals are moving beyond traditional email phishing to leverage trusted platforms and automation for mass-scale fraud.”
He urged entities to adopt security strategies that go beyond conventional email protection, focusing on behavioral analysis and real-time detection to recognize suspicious patterns, even when they appear to come from legitimate services.
A Call for Enhanced Security Measures
The surge in these types of attacks has led to a spike in user reports on DocuSign’s community forums, with discussions centered on fraudulent activities involving the platform. This exploitation trend underscores the need for more robust API monitoring and adaptive detection mechanisms to identify unusual usage patterns on trusted platforms.
As threat actors increasingly target APIs to bypass traditional security measures, cybersecurity experts are advocating for advanced detection systems that consider both the technical and contextual aspects of these communications. Companies are urged to monitor trusted applications for any unexpected activity patterns that could indicate an attempt to exploit application trust at scale.
Implications for the Future of Cybersecurity
The sophistication of these API-based attacks marks a new frontier in cybersecurity, highlighting the vulnerability of legitimate business tools when exploited by malicious actors. The incident serves as a reminder for businesses to bolster their security frameworks, ensuring they are prepared to address not only system vulnerabilities but also the exploitation of trusted platforms through novel, API-based attack vectors.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.