Hackers Abuse DocuSign API to Send Genuine Looking Invoices


Cybercriminals have started leveraging DocuSign’s API to send fraudulent invoices that appear shockingly authentic.

Unlike traditional phishing schemes that rely on poorly crafted emails and malicious links, these attacks use legitimate DocuSign accounts and templates to impersonate well-known companies, making them difficult for users and security systems to detect.


Exploiting DocuSign’s API: Automation on a Large Scale

Traditional phishing attacks often involve fake emails that mimic trusted brands, tricking victims into clicking on malicious links or sharing sensitive information such as passwords or banking details.

While email filters and anti-spam measures have become more adept at identifying these attacks, the new tactic of using trusted services like DocuSign makes detection significantly more challenging.


In these incidents, attackers create legitimate, paid DocuSign accounts, which allow them to modify templates and use DocuSign’s API to send documents directly.

These emails appear highly genuine by mimicking requests for e-signatures from well-known brands, such as Norton Antivirus.

A recent screenshot from a victim shows a fraudulent invoice sent via DocuSign using Norton’s official branding and layout.

The fake invoices include accurate product pricing, to make them seem credible, as well as additional fees such as a $50 activation charge. In some cases, the scam includes direct wire instructions or purchase orders.

An actual fraudulent invoice sent via DocuSign, using Norton's branding and layout.

How It Works

Once a victim signs the document, the attacker can request payment directly from the organization or send the signed document to the company’s finance department for processing.

Because these invoices are delivered through DocuSign’s platform, they bypass traditional spam filters, as they contain no malicious links or attachments.

The danger lies solely in the deceptive authenticity of the request.

Use of DocuSign's official templates, complete with legitimate branding.

Over the past few months, reports of these malicious campaigns have surged. DocuSign’s community forums have seen a spike in discussions about fraudulent activities, with users sharing similar experiences.

The ongoing nature of these attacks suggests that they are not isolated incidents but part of a broader, automated campaign.

According to Wallarm's report, cybercriminals use DocuSign’s API to automate these attacks, allowing them to send large volumes of fraudulent invoices with minimal manual effort.

Using endpoints like the “Envelopes: create” API, attackers can scale their operations quickly and efficiently.

Additionally, they customize invoices to match the branding of targeted companies, even using trademarks like Norton’s without authorization.
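One defensive response to the pattern described above is to triage incoming envelope notifications on the three signals the article gives: a brand named in the sender or subject that does not match the sending domain, payment-pressure wording such as activation fees or wire instructions, and many envelopes from a single sender account. This is an added example, not code from the article, DocuSign or Wallarm; the Envelope fields, the list of legitimate Norton domains, the bulk threshold and the sample notifications are constructed assumptions.

```python
import re
from collections import Counter, namedtuple

# Brand the article says attackers imitate; its legitimate sender domains are a
# constructed assumption for this example, not DocuSign or Norton data.
BRAND_DOMAINS = {"norton": {"norton.com", "nortonlifelock.com"}}
# Wording the article reports in the fraudulent invoices (text only, no links).
PAYMENT_PRESSURE = re.compile(
    r"\b(wire\s+(?:instructions|transfer)|activation\s+(?:fee|charge)|purchase\s+order)\b", re.I)
BULK_THRESHOLD = 3  # envelopes from one sender before it is treated as an automated batch
# Fields of an envelope notification as this example models them (names are constructed).
Envelope = namedtuple("Envelope", "sender_name sender_email subject body")

def brand_mismatch(env):
    """Brand named in sender name/subject whose legitimate domains exclude the sender domain."""
    text = f"{env.sender_name} {env.subject}".lower()
    domain = env.sender_email.rsplit("@", 1)[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and domain not in domains:
            return brand
    return None

def envelope_reasons(env):
    """Per-envelope indicators: brand/domain mismatch and payment-pressure wording."""
    reasons = []
    if (brand := brand_mismatch(env)):
        reasons.append(f"claims {brand} but sent from {env.sender_email}")
    if (hit := PAYMENT_PRESSURE.search(env.body)):
        reasons.append(f"payment pressure: '{hit.group(0)}'")
    return reasons

def triage(envelopes):
    """Map suspicious subjects to reasons; a sender at BULK_THRESHOLD or more is flagged as a batch."""
    per_sender = Counter(e.sender_email.lower() for e in envelopes)
    flagged = {}
    for env in envelopes:
        reasons = envelope_reasons(env)
        if (count := per_sender[env.sender_email.lower()]) >= BULK_THRESHOLD:
            reasons.append(f"bulk sender: {count} envelopes")
        if reasons:
            flagged[env.subject] = reasons
    return flagged

# Constructed sample: one genuine renewal notice and a small impersonation batch.
SAMPLE = [
    Envelope("Norton Billing", "billing@norton.com", "Renewal", "Your plan renews next month."),
    Envelope("Norton Antivirus", "docs@mailer-example.net", "Invoice 1", "Total $89.99 plus a $50 activation charge."),
    Envelope("Norton Antivirus", "docs@mailer-example.net", "Invoice 2", "Wire instructions are attached."),
    Envelope("Norton Antivirus", "docs@mailer-example.net", "Invoice 3", "Please sign the purchase order."),
]
```

Because the notifications carry no links or attachments, these content and volume signals are what a mail gateway or SOAR rule can act on; the brand-to-domain map is the part that needs maintaining per organization.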

The abuse of DocuSign’s API highlights a worrying evolution in cybercriminal tactics.

By exploiting trusted platforms, hackers embed fraudulent activities within legitimate communication channels, making detection more difficult.
