Threat actors are abusing DocuSign to deliver emails to unsuspecting users and bypass email protection mechanisms, Wallarm warns.
Unlike traditional phishing, which involves spoofed email messages mimicking known brands aimed at harvesting credentials or installing malware, this campaign relies on the trusted e-signing service to deliver malicious content.
Specifically, threat actors have been creating legitimate, paid DocuSign accounts enabling them to change templates and access the service’s APIs directly.
Next, the miscreants create a template that mimics the requests to e-sign documents from well-known brands, such as software companies, and send these to the unsuspecting victims.
The messages may come in the form of fake invoices containing pricing information or direct wire instructions. The invoices typically follow a pattern of requesting signatures that would authorize payment directly into the attackers’ accounts.
“If users e-sign this document, the attacker can use the signed document to request payment from the organization outside of DocuSign or send the signed document through DocuSign to the finance department for payment,” Wallarm explains.
The invoices come directly from DocuSign’s platform and contain no malicious links or attachments, meaning that spam/phishing filters consider them legitimate.
Numerous users have been flagging such malicious invoices, with the complaints noticeably increasing over the past five months. In addition to impersonating popular brands, the threat actors have been “embedding themselves within legitimate communication channels to execute their attacks”.
According to Wallarm, the longevity of the campaign suggests that the attackers are using an automated process, likely abusing the legitimate APIs that DocuSign offers for automation.
One of the DocuSign endpoints, for example, can be abused to send a large number of fake invoices with minimal manual intervention.
“DocuSign’s API-friendly environment, while beneficial for businesses, inadvertently provides a way for malicious actors to scale their operations. With paid accounts and access to official templates, attackers can customize invoices to match the branding of target companies, including unauthorized use of trademarks,” Wallarm explains.
While this campaign abuses DocuSign, other e-signing services could be vulnerable to similar tactics, which should prompt providers to conduct threat modeling, implement security controls and API rate limits, and deploy tools that detect API abuse and anomalous activity.
Organizations should always check the sender’s email address, implement internal procedures for approving purchases, train their employees to spot fraudulent invoices, monitor email accounts for invoices, and follow DocuSign’s guidance on voiding phishing.
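The two controls the article points at, a provider-side check for automated bulk sending and a recipient-side screen for invoice-style signature requests, are illustrated below in an added example that is neither Wallarm's nor DocuSign's code. The audit-log format, the account names, the thresholds (five sends per minute), the approved-vendor list and the envelope field names are all constructed for the example and do not reflect DocuSign's real logs or API.

```python
"""Defensive checks for e-signing invoice abuse (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed audit log in a made-up format; not DocuSign's real log schema.
SAMPLE_LOG = """\
2024-10-01T12:00:00Z account=acct-legit action=envelope.send recipients=1
2024-10-01T12:00:05Z account=acct-bulk action=envelope.send recipients=1
2024-10-01T12:00:06Z account=acct-bulk action=envelope.send recipients=1
2024-10-01T12:00:07Z account=acct-bulk action=envelope.send recipients=1
2024-10-01T12:00:08Z account=acct-bulk action=envelope.send recipients=1
2024-10-01T12:00:09Z account=acct-bulk action=envelope.send recipients=1
2024-10-01T12:00:10Z account=acct-bulk action=envelope.send recipients=1
2024-10-01T12:30:00Z account=acct-legit action=envelope.send recipients=1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) account=(?P<account>\S+) action=(?P<action>\S+)")


def parse_log(text):
    """Parse the constructed log into (timestamp, account, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["account"], m["action"]))
    return events


def find_send_bursts(events, max_sends=5, window_seconds=60):
    """Provider-side anomaly check: flag accounts whose envelope sends exceed
    max_sends inside any sliding window of window_seconds. Returns
    {account: peak sends observed in one window}. Thresholds are assumptions."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = {}
    for ts, account, action in sorted(events):
        if action != "envelope.send":
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:  # drop sends that fell out of the window
            q.popleft()
        if len(q) > max_sends:
            flagged[account] = max(flagged.get(account, 0), len(q))
    return flagged


# Recipient-side screen. The vendor list and terms are constructed.
APPROVED_VENDORS = {"acme-supplies.example"}
PAYMENT_TERMS = ("wire", "routing number", "account number", "remit to", "authorize payment")


def screen_envelope(envelope):
    """Return the reasons an e-signature request should go to manual review
    (empty list if none). The envelope sender, not the e-signing platform's
    notification address, is what gets checked, since the notification itself
    comes from the legitimate service."""
    reasons = []
    sender_domain = envelope["sender_email"].rsplit("@", 1)[-1].lower()
    text = (envelope["subject"] + "\n" + envelope["body"]).lower()
    mentions_payment = any(term in text for term in PAYMENT_TERMS)
    if sender_domain not in APPROVED_VENDORS:
        if mentions_payment:
            reasons.append(f"payment instructions from unapproved sender domain {sender_domain}")
        elif "invoice" in text:
            reasons.append(f"invoice from unapproved sender domain {sender_domain}")
    if mentions_payment and not envelope.get("po_number"):
        reasons.append("payment request without a purchase order reference")
    return reasons


if __name__ == "__main__":
    print("bursting accounts:", find_send_bursts(parse_log(SAMPLE_LOG)))
    suspicious = {  # constructed envelope
        "sender_email": "billing@brand-lookalike.example",
        "subject": "Invoice #1042 requires your signature",
        "body": "Please sign to authorize payment. Wire funds to account number 000111.",
    }
    print("review reasons:", screen_envelope(suspicious))
```

The burst detector is what an e-signing provider's API-abuse monitoring would run over its own send logs; the envelope screen is the recipient-side counterpart to "check the sender's email address" and "implement internal procedures for approving purchases", turning both into a rule that routes unapproved payment requests to a human before anyone signs.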