6 November 2024

Threat actors abuse DocuSign’s Envelopes API to mass-distribute fake invoices


Malicious actors have begun misusing DocuSign’s Envelopes API to distribute fraudulent invoices that mimic well-known brands, including Norton and PayPal. By leveraging a legitimate platform, attackers bypass traditional email security defenses and make their emails appear trustworthy and credible to recipients.

The fraudulent invoices are sent directly through the DocuSign electronic signature service. Phishing emails often include legitimate-looking documents that prompt recipients to sign off on payments, independently of their company’s finance department.

Attackers create and pay for legitimate DocuSign accounts, giving them access to the platform’s full suite of tools, including template customization and API access. They then craft templates that replicate legitimate e-signature requests from recognizable brands, often including details such as accurate pricing for specific products and additional charges (such as a $50 activation fee).

The invoices typically request an e-signature, which, once provided, gives attackers the authorization to demand payment directly from a company’s finance team or an organization’s banking department. Some invoices even include direct wire instructions or purchase orders, which, if executed, transfer funds directly to the attacker’s bank accounts.

“Because the invoices are sent directly through DocuSign's platform, they look legitimate to the email services and spam/phishing filters. There are no malicious links or attachments; the danger lies in the authenticity of the request itself,” Wallarm researchers wrote in their report.

According to Wallarm, the number of such malicious campaigns has surged over the last five months, so organizations are strongly advised to take steps to avoid falling victim to these attacks. The recommended measures include verifying sender credentials, requiring internal approvals, conducting awareness training, and monitoring for anomalies.
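As an added example (not code from the Wallarm report or from DocuSign), the following triage heuristic illustrates the "monitoring for anomalies" measure: it holds envelope notifications for review when the sender's display name invokes a brand the DocuSign account's email domain does not belong to, when the request carries fee or wire-payment language, or when the sender is not an approved vendor account. The envelope records, field names and brand-domain table are constructed assumptions, not DocuSign's API schema.

```python
"""Triage DocuSign envelope notifications for brand-impersonation invoices.

Added example: envelope fields, brand domains and sample data are assumptions.
"""
import re

# Brands the campaign impersonated, mapped to the domains a genuine envelope
# from that company would be expected to come from (assumed values).
KNOWN_BRAND_DOMAINS = {
    "norton": {"norton.com", "nortonlifelock.com"},
    "paypal": {"paypal.com"},
}

# Payment wording seen in the fake invoices: fee line items and wire routing.
PAYMENT_TERMS = re.compile(
    r"\b(activation fee|wire (instructions|transfer)|purchase order|routing number)\b",
    re.IGNORECASE,
)


def brand_mismatch(sender_name, sender_email):
    """Return the brand named in the display name when the DocuSign account
    e-mail behind it is not on that brand's domains, else None."""
    domain = sender_email.rsplit("@", 1)[-1].lower()
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in sender_name.lower() and domain not in domains:
            return brand
    return None


def triage(envelope, approved_senders):
    """Score one envelope; two or more findings route it to finance/security review."""
    reasons = []
    sender = envelope["sender_email"].lower()
    brand = brand_mismatch(envelope["sender_name"], sender)
    if brand:
        reasons.append(f"display name claims {brand}, but account is {sender}")
    if PAYMENT_TERMS.search(envelope["body"]):
        reasons.append("payment or fee terms inside an e-signature request")
    if sender not in approved_senders:
        reasons.append("sender is not an approved vendor account")
    verdict = "review" if len(reasons) >= 2 else "deliver"
    return {"envelope_id": envelope["envelope_id"], "verdict": verdict, "reasons": reasons}


# Constructed sample notifications: one impersonation attempt, one normal request.
SAMPLE_ENVELOPES = [
    {"envelope_id": "env-001", "sender_name": "PayPal Billing",
     "sender_email": "billing@example-invoices.test",
     "body": "Please sign to authorize the $50 activation fee. Wire instructions attached."},
    {"envelope_id": "env-002", "sender_name": "Acme Legal",
     "sender_email": "contracts@acme.example",
     "body": "Please review and sign the updated NDA."},
]
APPROVED_SENDERS = {"contracts@acme.example"}  # assumed vendor allowlist


def triage_all(envelopes=SAMPLE_ENVELOPES, approved=APPROVED_SENDERS):
    return [triage(e, approved) for e in envelopes]


if __name__ == "__main__":
    for result in triage_all():
        print(result["envelope_id"], result["verdict"], result["reasons"])
```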
