Threat actors are abusing the APIs of DocuSign, the widely trusted e-signature platform, to send out convincing fake invoices in a new phishing campaign.
In research published this week, cybersecurity firm Wallarm revealed that the campaign deviates from conventional phishing methods, which rely on deceptively crafted emails and malicious links, in order to slip past detection tools.
“These incidents use genuine DocuSign accounts and templates to impersonate reputable companies, catching users and security tools off guard,” Wallarm noted.
Unlike a conventional phish, the firm noted, this campaign involves no malicious links or attachments at all.
Abusing DocuSign to lend fraudulent invoices legitimacy
The attackers start from a legitimate, paid DocuSign account, which gives them the ability to customize templates. They use that to build templates that mimic e-signature requests from well-known brands such as Norton AntiVirus.
These fraudulent invoices may list correct product prices to appear genuine, padded with extra charges such as a $50 activation fee. In other cases they carry direct wire instructions or purchase orders, Wallarm added.
Because the invoices are sent directly through DocuSign, they look legitimate to email services and pass through spam and phishing filters. With none of the traditional links or attachments to scan, the risk lies in the credibility of the request itself.
User reports of these campaigns have risen sharply over the last five months, prompting a surge of discussion in DocuSign's community forums.
Attack beyond impersonation
The research noted that the campaign does not stop at impersonating companies; the attackers also infiltrate legitimate communication channels to carry out their attacks.
“The longevity and breadth of the incidents reported in DocuSign’s community forums clearly demonstrate that these are not one-off, manual attacks,” Wallarm added. “In order to carry out these attacks, the perpetrators must automate the process.”
That automation is achieved through DocuSign's APIs. One such endpoint is Envelopes:create, which creates an envelope, DocuSign's container for the documents and recipients in a signing request, and lets developers automate sending documents out for signature.
To protect against such campaigns, individuals and organizations should apply stringent verification to unexpected payment requests (for example, confirming with the vendor through a separately known channel before paying or signing), provide phishing-awareness training for employees, and require multi-factor authentication for sensitive transactions.
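The defensive point above, that the mail genuinely comes from DocuSign, so filters let it through and the only signal left is the credibility of the request, is easier to act on as a concrete triage rule. The following Python is an added example written for this article, not Wallarm's or DocuSign's code. It assumes a notification's From header carries the sending account's name followed by "via DocuSign" and a docusign.net address (check this against your own mail logs), and it uses an assumed vendor allowlist and constructed sample messages rather than captured ones.

```python
"""Triage DocuSign envelope notifications for invoice-impersonation signals.

Added example for this article; not Wallarm's or DocuSign's code.
Assumed (not confirmed by the article): notifications arrive with a From header
"<account name> via DocuSign <...@docusign.net>". All samples are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Vendors this business genuinely expects envelopes from (assumed allowlist).
APPROVED_SENDERS = {"acme payroll", "contoso legal"}

# Wording the article reports in the fake invoices: prices, an activation fee,
# wire instructions, purchase orders. Word-bounded terms, or a dollar amount.
PAYMENT_TERMS = re.compile(
    r"\b(?:invoice|activation fee|wire (?:transfer|instructions)|purchase order|renewal)\b"
    r"|\$\s?\d[\d,]*(?:\.\d{2})?",
    re.IGNORECASE,
)


def sender_account_name(display_name: str) -> str:
    """Strip the ' via DocuSign' suffix to recover the sending account's name."""
    return re.sub(r"\s+via\s+docusign\s*$", "", display_name, flags=re.IGNORECASE).strip()


def extract_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a single-part or multipart message."""
    parts = [p for p in msg.walk() if not p.is_multipart()]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> dict:
    """Classify one notification. Sender authentication is not the signal here,
    since the mail really is from DocuSign; business context is: an account
    name the organisation does not deal with, combined with payment language."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    account = sender_account_name(display)
    result = {"sender_account": account, "terms": [], "reasons": [], "verdict": "allow"}

    if not addr.endswith("@docusign.net"):
        # A look-alike spoof belongs to the ordinary phishing pipeline instead.
        result["verdict"] = "not-docusign"
        result["reasons"].append(f"sender {addr or '<none>'} is not a DocuSign address")
        return result

    unexpected = account.lower() not in APPROVED_SENDERS
    text = msg.get("Subject", "") + "\n" + extract_text(msg)
    result["terms"] = sorted({m.lower() for m in PAYMENT_TERMS.findall(text)})
    if unexpected:
        result["reasons"].append(f"'{account}' is not an approved vendor account")
    if result["terms"]:
        result["reasons"].append("payment language: " + ", ".join(result["terms"]))
    if unexpected and result["terms"]:
        result["verdict"] = "hold-for-verification"  # confirm out of band before anyone pays
    elif unexpected or result["terms"]:
        result["verdict"] = "review"
    return result


# Constructed samples. The first mirrors the campaign described in the article.
FAKE_INVOICE = """\
From: Norton AntiVirus Billing via DocuSign <dse@docusign.net>
To: ap@example.com
Subject: Please DocuSign: Invoice 48213 - Norton 360 Renewal
Content-Type: text/plain; charset=utf-8

Norton AntiVirus Billing has sent you a document to review and sign.
Norton 360 Deluxe, 12 months ............ $49.99
Activation fee .......................... $50.00
Wire instructions are on page 2 of the agreement.
"""

GENUINE_NDA = """\
From: Contoso Legal via DocuSign <dse@docusign.net>
To: ap@example.com
Subject: Please DocuSign: Mutual NDA - Example Corp / Contoso
Content-Type: text/plain; charset=utf-8

Contoso Legal has sent you a document to review and sign.
"""

LOOKALIKE_SPOOF = """\
From: DocuSign Billing <notice@docusign-secure.example>
To: ap@example.com
Subject: Please DocuSign: Overdue invoice
Content-Type: text/plain; charset=utf-8

Click the link below to view your invoice.
"""

if __name__ == "__main__":
    for sample in (FAKE_INVOICE, GENUINE_NDA, LOOKALIKE_SPOOF):
        print(triage(sample))
```

The allowlist is the piece that does the work: a genuine DocuSign envelope from an unknown account that talks about fees or wire details is exactly the case the article describes, and it is routed to a human to confirm with the vendor out of band rather than to a filter that has already (correctly) found nothing wrong with the message.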