CyberSecurity SEE

Docusign API Utilized in Large-Scale, Innovative Invoice Attack

In a recent development, cybercriminals have been found exploiting a Docusign API in an extensive phishing campaign aimed at sending fake invoices to corporate users. This deceptive tactic is designed to make these invoices appear authentic and bypass typical security defenses and user suspicions, making it more challenging to detect. The campaign, which has been active for several months, involves attackers setting up a legitimate, paid Docusign account to manipulate templates and utilize the API directly, as highlighted in a blog post by security firm Wallarm.

According to the researchers at Wallarm, the attackers are leveraging Docusign’s “API-friendly environment” to carry out their malicious activities. While this environment can offer benefits for businesses, it also inadvertently provides opportunities for cybercriminals to scale their operations. Specifically, the attackers are utilizing Docusign’s “Envelopes: create API” to send a high volume of automated emails directly from the platform to multiple users, using templates that mimic requests to e-sign documents from well-known brands like Norton Antivirus.

To make these fake invoices more convincing, the attackers have employed various tactics, such as providing accurate pricing for products, including expected charges like activation fees, adding wire instructions or purchase orders, and sending multiple invoices with different items. If a user e-signs the document, threat actors can exploit it to request payments from organizations outside of Docusign or forward the signed document through the platform to the finance department for compensation, ultimately committing fraud.

It is worth noting that this type of attack is not limited to Docusign alone, as other e-signature and document services could also be vulnerable to similar exploitation tactics. Fake invoices are commonly used in financially motivated phishing scams, and Docusign, being a widely used platform with over 1.5 million paying customers and 1 billion users globally, is frequently targeted by cybercriminals. The use of an API-based attack can be particularly effective because emails sent directly from Docusign appear legitimate to email services and spam filters, making it harder to detect.

Mitigating these types of cyberattacks involves organizations implementing strict internal procedures for approving purchases and financial transactions, as well as verifying the legitimacy of senders’ email addresses. Service providers like Docusign can also play a role in preventing API abuse by understanding how APIs can be exploited in phishing attacks, conducting regular threat modeling exercises, and applying rate limits to specific API endpoints to deter attackers from scaling their operations.
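Two of the provider-side measures named above, rate limits on a specific endpoint and attention to how a bulk-send API scales abuse, can be sketched in a few lines. The following is an added illustration written for this page, not Wallarm's or Docusign's code: a per-account sliding-window limiter for an envelope-creation endpoint that also flags accounts fanning out to many distinct recipients in a short window. The endpoint name, the limits and the request log are constructed assumptions.

```python
"""Sliding-window rate limit plus fan-out flag for a bulk-send API endpoint.

Added example, not code from the original article or from Docusign/Wallarm.
Assumptions (constructed for the demo): endpoint key "envelopes.create",
limits of 20 calls and 10 distinct recipients per 60 s, and a synthetic log.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class EndpointLimiter:
    """Per-(account, endpoint) sliding window.

    max_calls: requests an account may make within window_seconds.
    max_recipients: distinct recipients within window_seconds beyond which
    the account is flagged for review (flagging does not block by itself).
    """
    max_calls: int
    window_seconds: float
    max_recipients: int
    _events: dict = field(default_factory=lambda: defaultdict(deque))

    def check(self, account: str, endpoint: str, recipient: str, now: float):
        """Record one request at time `now`; return (allowed, flagged)."""
        dq = self._events[(account, endpoint)]
        # Drop entries that have aged out of the window.
        while dq and now - dq[0][0] >= self.window_seconds:
            dq.popleft()
        allowed = len(dq) < self.max_calls
        if allowed:
            dq.append((now, recipient))
        # Fan-out to many distinct recipients in one window is the pattern
        # described for the invoice campaign; surface it for review.
        flagged = len({r for _, r in dq}) > self.max_recipients
        return allowed, flagged


def replay(events, limiter: EndpointLimiter):
    """Run a request log through the limiter; summarise per account.

    events: iterable of (timestamp, account, endpoint, recipient).
    """
    summary = defaultdict(lambda: {"allowed": 0, "denied": 0, "flagged": False})
    for ts, account, endpoint, recipient in events:
        allowed, flagged = limiter.check(account, endpoint, recipient, ts)
        entry = summary[account]
        entry["allowed" if allowed else "denied"] += 1
        entry["flagged"] = entry["flagged"] or flagged
    return dict(summary)


# Constructed log: one account sending a handful of envelopes to two
# recipients over a minute, and one account blasting 30 envelopes to 30
# distinct recipients within 30 seconds.
CONSTRUCTED_LOG = (
    [(float(t), "acct-legit", "envelopes.create", f"user{t % 2}@example.com")
     for t in (0, 25, 50)]
    + [(float(t), "acct-bulk", "envelopes.create", f"target{t}@example.com")
       for t in range(30)]
)


def run_demo():
    """Apply the constructed limits to the constructed log."""
    limiter = EndpointLimiter(max_calls=20, window_seconds=60.0, max_recipients=10)
    return replay(CONSTRUCTED_LOG, limiter)


if __name__ == "__main__":
    for account, stats in run_demo().items():
        print(account, stats)
```

The limiter keys on (account, endpoint) rather than on the whole account so that a tight limit on the bulk-send call leaves other API traffic untouched; the fan-out flag is kept separate from the block decision because a legitimate customer can exceed it, and a review queue is a better fit than a hard denial for that signal.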

As cybercriminals continue to evolve and leverage legitimate tools for malicious purposes, it is crucial for organizations to stay vigilant, educate their employees about potential threats, and implement robust security measures to protect against sophisticated attacks. By being proactive and informed, businesses can reduce the risk of falling victim to phishing scams and other fraudulent activities.