Attackers Abuse DocuSign to Send Phony Invoices

Threat actors are abusing DocuSign’s API to send phony invoices that appear “strikingly authentic,” according to researchers at Wallarm.

“Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard,” Wallarm says.

The threat actors set up DocuSign accounts that allow them to create invoices for fake purchases. They can then send an email notification from the DocuSign platform.

“An attacker creates a legitimate, paid DocuSign account that allows them to change templates and use the API directly,” the researchers explain. “The attacker employs a specially crafted template mimicking requests to e-sign documents from well-known brands, mostly software companies; for example, Norton Antivirus.

“These fake invoices may contain accurate pricing for the products to make them appear authentic, along with additional charges, like a $50 activation fee. Other scenarios include direct wire instructions or purchase orders.”

Notably, the threat actors have automated these phishing attacks using DocuSign’s API, allowing them to mass-distribute the phony invoices.

“The longevity and breadth of the incidents reported in DocuSign’s community forums clearly demonstrate that these are not one-off, manual attacks,” the researchers explain. “In order to carry out these attacks, the perpetrators must automate the process. DocuSign offers APIs for legitimate automation, which can be abused for these malicious activities.”

Since the messages come from a legitimate service, they’re much more likely to bypass security filters and fool human users. While this campaign abused DocuSign, the researchers note that attackers can use other e-signature and document services to launch these attacks as well.

“The exploitation of trusted platforms like DocuSign through their APIs marks a concerning evolution in cybercriminal strategies,” Wallarm concludes. “By embedding fraudulent activities within legitimate services, attackers increase their chances of success while making detection more challenging. Organizations must adapt by enhancing their security protocols, prioritizing API security, and fostering a culture of vigilance.”

Article courtesy Kaseya