SecurityWeek

DocuSign Abused to Deliver Fake Invoices

Cybercriminals are abusing DocuSign APIs to send bogus email messages that bypass protections such as spam and phishing filters.

Threat actors are abusing DocuSign to deliver emails to unsuspecting users and bypass email protection mechanisms, Wallarm warns.

Unlike traditional phishing, which involves spoofed email messages mimicking known brands aimed at harvesting credentials or installing malware, this campaign relies on the trusted e-signing service to deliver malicious content.

Specifically, threat actors have been creating legitimate, paid DocuSign accounts, which allow them to modify templates and access the service’s APIs directly.

Next, the miscreants create a template that mimics e-signature requests from well-known brands, such as software companies, and send these requests to unsuspecting victims.

The messages may come in the form of fake invoices containing pricing information or direct wire instructions. The invoices typically follow a pattern of requesting signatures that would authorize payment directly into the attackers’ accounts.

“If users e-sign this document, the attacker can use the signed document to request payment from the organization outside of DocuSign or send the signed document through DocuSign to the finance department for payment,” Wallarm explains.

Because the invoices are sent directly from DocuSign’s platform and contain no malicious links or attachments, spam and phishing filters treat them as legitimate.

Numerous users have been flagging such malicious invoices, with the complaints noticeably increasing over the past five months. In addition to impersonating popular brands, the threat actors have been “embedding themselves within legitimate communication channels to execute their attacks”.


According to Wallarm, the longevity of the campaign suggests that the attackers are using an automated process, likely abusing the legitimate APIs that DocuSign offers for automation.

One of the DocuSign endpoints, for example, can be abused to send a large number of fake invoices with minimal manual intervention.

“DocuSign’s API-friendly environment, while beneficial for businesses, inadvertently provides a way for malicious actors to scale their operations. With paid accounts and access to official templates, attackers can customize invoices to match the branding of target companies, including unauthorized use of trademarks,” Wallarm explains.

While this campaign abuses DocuSign, other e-signing services could be vulnerable to similar tactics. Providers should therefore conduct threat modeling, implement security controls and API rate limits, and deploy tooling to detect API abuse and anomalous activity.

Organizations should always verify the sender’s email address, implement internal procedures for approving purchases, train employees to spot fraudulent invoices, monitor email accounts for invoices, and follow DocuSign’s guidance on voiding phishing.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
