Docusign API Abused in Widescale, Novel Invoice Attack

Cybercriminals are abusing a Docusign API in a widescale, innovative phishing campaign to send fake invoices to corporate users that appear authentic and likely would not trigger typical security defenses or user suspicions, as many similar scams might.

The campaign to defraud organizations, observed over the last several months, involves attackers creating a legitimate, paid Docusign account using the software that allows them to change templates and use the API directly, researchers at security firm Wallarm revealed in a blog post published this week.

Attackers are taking advantage of Docusign's "API-friendly environment," which while beneficial for businesses, also "inadvertently provides a way for malicious actors to scale their operations," according to the post.

Specifically, the researchers observed abuse of Docusign's "Envelopes: create API" to send one of what turned out to be a significant volume of automated emails to multiple users and recipients directly from the platform, they said. The messages use specially crafted templates "mimicking requests to e-sign documents from well-known brands," which are mainly software companies such as Norton Antivirus, according to the post by Wallarm.

Fake invoices employed in the campaign also leverage an array of other tactics to lend authenticity to the scam. These include offering accurate pricing for a company's products; the addition of expected kinds of charges, such as an activation fee; the inclusion of direct wire instructions or purchase orders; and the sending of different invoices with different items.

Related:City of Columbus Drops Case on Cyberattack Whistleblower

Ultimately, if a user e-signs the document, a threat actor can use it to request payment from organizations outside of Docusign or send the signed document through Docusign to the finance department for compensation, thus committing fraud.

The attack vector may not be limited to Docusign, Wallarm researchers warned; other e-signature and document services could be equally vulnerable to similar exploitation tactics.

A New Type of Fake Invoice Scam

Fake invoices are often a part of financially motivated phishing scams, and Docusign — which offers enormously popular software for digital signatures with more than 1.5 million paying customers and 1 billion users worldwide — is often a target for phishers. An API-based attack, however, can potentially be more effective than scams that simply use name recognition or impersonate the brand, for a number of reasons.

Chief among them is that because the emails come directly from Docusign, they "look legitimate to the email services and spam/phishing filters," according to Wallarm's post. "There are no malicious links or attachments; the danger lies in the authenticity of the request itself."

Related:EmeraldWhale's Massive Git Breach Highlights Config Gaps

Indeed, because the attack uses an API exploit, "there probably won’t be many signs that would be easy to spot as in a spoofed email," Erich Kron, security awareness advocate at KnowBe4, observes. Moreover, the popularity of Docusign makes the service "a great target for this sort of attack" at a large scale due to the potential for automation by exploiting the API, he says, adding, "people put their trust in brands they recognize and know, especially those that are used often in legal or other official capacities."

Mitigating E-Sign Cyberattacks, API Abuse

Fortunately, there are a number of ways that organizations can protect themselves from being defrauded by such convincing attacks, as well as strategies that service providers like Docusign can take to avoid or detect API abuse, according to Wallarm.

Organizations should always double-check the sender's email address and any associated accounts for legitimacy, as well as implement strict internal procedures for approving purchases and financial transactions that involve multiple team members, if possible.

Related:Business Email Compromise (BEC) Impersonation: The Weapon of Choice of Cybercriminals

"It's fascinating to see how sophisticated cybercriminals have become, leveraging legitimate tools like Docusign to craft realistic phishing attacks," says Randolph Barr, CISO at Cequence. "This highlights the importance of verifying the source of any document signing request, even if it appears to come from a trusted source. [Organizations] should emphasize the importance of pausing and verifying before taking any action, even if it seems urgent. Additionally, IT and security teams must stay informed about the latest attack methods and techniques to effectively protect their organizations."

Keeping a close eye on unexpected invoices or requests, especially those that include unusual charges or fees, also can help organizations avoid paying criminals rather than legitimate entities.

Service providers also can take responsibility for mitigating API-based attacks by understanding how APIs may be abused in phishing attacks by conducting regular threat modeling exercises to identify potential attack vectors. They also can apply rate limits to specific API endpoints to prevent attackers from scaling in cases of API abuse, according to the researchers.

Don't miss the latest Dark Reading Confidential podcast, where we talk about NIST's post-quantum cryptography standards and what comes next for cybersecurity practitioners. Guests from General Dynamics Information Technology (GDIT) and Carnegie Mellon University break it all down. Listen now!