Attackers Abuse DocuSign to Send Phony Invoices



Threat actors are abusing DocuSign’s API to send phony invoices that appear “strikingly authentic,” according to researchers at Wallarm.

“Unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, these incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard,” Wallarm says.

The threat actors set up DocuSign accounts that allow them to create invoices for fake purchases. They can then send an email notification from the DocuSign platform.

“An attacker creates a legitimate, paid DocuSign account that allows them to change templates and use the API directly,” the researchers explain. “The attacker employs a specially crafted template mimicking requests to e-sign documents from well-known brands, mostly software companies; for example, Norton Antivirus.

These fake invoices may contain accurate pricing for the products to make them appear authentic, along with additional charges, like a $50 activation fee. Other scenarios include direct wire instructions or purchase orders.”

Notably, the threat actors have automated these phishing attacks using DocuSign’s API, allowing them to mass-distribute the phony invoices.

“The longevity and breadth of the incidents reported in DocuSign’s community forums clearly demonstrate that these are not one-off, manual attacks,” the researchers explain. “In order to carry out these attacks, the perpetrators must automate the process. DocuSign offers APIs for legitimate automation, which can be abused for these malicious activities.”

Since the messages come from a legitimate service, they’re much more likely to bypass security filters and fool human users. While this campaign abused DocuSign, the researchers note that attackers can use other e-signature and document services to launch these attacks as well.
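Because these notifications really do originate from DocuSign, sender-authentication checks pass and a defender has to look at who the sending account is and what the envelope asks for. The following triage routine is an added example, not part of the original post or Wallarm's research: it scans constructed notification records for the payment cues the article describes (invoice, activation fee, wire instructions, purchase order, dollar amounts) and flags any that come from a DocuSign sender account the organization has no established relationship with. The sample senders, subjects and bodies are all invented.

```python
import re

# Constructed sample envelope notifications (not real DocuSign messages).
# "sender" is the DocuSign account that created the envelope, as shown
# in the notification, not the docusign.net mail relay.
SAMPLE_NOTIFICATIONS = [
    {"sender": "ap@known-vendor.example",
     "subject": "Please sign: Q3 services agreement",
     "body": "Please review and sign the attached agreement."},
    {"sender": "billing@norton-renewals.example",
     "subject": "Norton Antivirus invoice #4471",
     "body": "Your subscription renewal of $99.99 plus a $50 activation fee "
             "is due. Remit payment via wire to the account below."},
    {"sender": "orders@random-seller.example",
     "subject": "Purchase order for approval",
     "body": "Please sign this purchase order and return it today."},
]

# Phrases the article associates with the fraudulent envelopes.
PAYMENT_CUES = [r"\binvoice\b", r"activation fee", r"\bwire\b",
                r"purchase order", r"\$\d"]


def triage(notifications, trusted_senders):
    """Return [(sender, matched_cues)] for envelopes that request payment
    from a sender account not in the organization's trusted-vendor list.

    trusted_senders: set of lower-cased DocuSign account addresses that
    accounts-payable has confirmed it actually does business with."""
    flagged = []
    for n in notifications:
        text = f"{n['subject']} {n['body']}".lower()
        cues = [c for c in PAYMENT_CUES if re.search(c, text)]
        if cues and n["sender"].lower() not in trusted_senders:
            flagged.append((n["sender"], cues))
    return flagged


if __name__ == "__main__":
    for sender, cues in triage(SAMPLE_NOTIFICATIONS, {"ap@known-vendor.example"}):
        print(f"REVIEW {sender}: matched {cues}")
```

A plain signature request from an unknown sender is not flagged by itself; only the combination of payment language and an unrecognized sending account is routed for human review.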

“The exploitation of trusted platforms like DocuSign through their APIs marks a concerning evolution in cybercriminal strategies,” Wallarm concludes. “By embedding fraudulent activities within legitimate services, attackers increase their chances of success while making detection more challenging. Organizations must adapt by enhancing their security protocols, prioritizing API security, and fostering a culture of vigilance.”


Wallarm has the story.

