Signed, Sealed, and Scammed: Cybercriminals Exploit DocuSign API for Fraudulent Invoices

An official-looking DocuSign email lands in your inbox, featuring a recognizable brand's logo and a request for a quick signature to confirm a transaction. The details, template, sender, and pricing breakdown appear flawless. Yet, lurking behind this routine request is a sophisticated scam that sidesteps traditional security filters by manipulating DocuSign's APIs.

Beyond Basic Phishing: A Sophisticated Approach

Traditional phishing often relies on spoofed emails with dubious links, quickly flagged by email filters. However, cybercriminals are evolving tactics, leveraging trusted services like DocuSign to distribute fraudulent invoices thatappear alarmingly legitimate. These attackers bypass conventional defenses by using genuine DocuSign accounts and branded templates, catching even cautious recipients off guard.

In this scheme, attackers set up legitimate, paid DocuSign accounts and utilize branded templates to impersonate reputable companies like Norton. These invoices include absolute pricing, product descriptions, and extra fees, adding to their credibility. Unlike typical scams with malicious links, the threat lies in the invoice's authenticity, making it difficult for users and their security tools to detect the deception.

Attack Workflow

Here is how this attack is typically conducted:

1. Attackers create a DocuSign account with a paid plan, giving them access to the platform's full suite of tools and API capabilities.
2. Using DocuSign's API, they automate sending out fraudulent invoices at scale. “The envelopes” create an API endpoint, which is meant for efficient business transactions  but is here repurposed for mass phishing.
3. Customized templates  mimic popular software brands to appear genuine. Attackers configure  invoices to display accurate pricing alongside plausible service charges.
4. Victims who sign or acknowledge the invoice unknowingly authorize payments, often routed  directly to the attacker's bank account.
5. This setup circumvents  spam filters since no malicious links or attachments are involved. Instead, it relies on the authenticity of the sender and the legitimacy of  DocuSign's trusted brand.

How to Protect Your Organization

For Businesses:

• Verify Every Invoice: Scrutinize sender credentials and watch for unusual fees or charges, especially if they contain typos or odd formatting.
• Implement Approval Chains: Establish a multi-step approval process for financial transactions to reduce the likelihood of unauthorized payments.
• Educate Employees: Train staff to recognize suspicious requests, even when they appear legitimate.
• Monitor for Unusual Invoices: Watch for red flags, such as invoices with activation fees or from brands you do not typically interact with.

For Service Providers:

• Conduct Threat  Modeling: Regularly assess potential abuse points in your APIs.
• Rate Limit API Access: Apply strategic rate limits to high-risk endpoints, slowing down attackers.
• Detect Anomalous Behavior: Utilize behavioral monitoring tools to catch unusual API activity that may indicate abuse.