Cybercriminals are exploiting DocuSign’s APIs to send highly authentic-looking fake invoices, while DocuSign’s forums have reported a rise in such fraudulent campaigns in recent months.
Unlike typical phishing scams that rely on spoofed emails and malicious links, these attacks use legitimate DocuSign accounts and templates to mimic reputable companies, according to a Wallarm report.
By leveraging DocuSign’s API-friendly platform, attackers can create and distribute customized invoices that match the branding of well-known companies like Norton, bypassing traditional spam and phishing filters.
The scheme typically involves attackers creating paid DocuSign accounts, enabling them to build realistic templates that include accurate product pricing and additional fees.
Victims who e-sign these documents inadvertently authorize payments, often routed to the attackers’ bank accounts outside of DocuSign.
The authenticity of the platform and lack of malicious links make these attacks difficult to detect, posing a significant security challenge.
Ivan Novikov, CEO of Wallarm, said it's important to distinguish between vulnerabilities, which are flaws in code, and API abuse.
“APIs definitely suffer from vulnerabilities,” he said. “Our research shows a prevalence of authentication and authorization issues, including APIs that simply don’t have authentication, but should. Abuse is often different.”
He explained that API abuse often takes an API’s expected capabilities and then uses them for malicious purposes, like scraping data or performing some normal operation at a scale that wasn’t expected.
“API abuse can be hard to detect because technically the API isn’t doing anything wrong,” Novikov said.
The attacks rely on the tendency for an invoice to get signed without much scrutiny, especially if it’s for a small dollar amount or from a known vendor.
“The best way to prevent that from happening is to put in place additional verification,” he said.
Novikov recommended verifying the sender is correct and associated with the vendor.
“Verify that the invoice is expected with internal approvals,” he added. “Don’t just sign documents that aren’t expected.”
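The recipient-side checks Novikov describes, as an added example rather than code from DocuSign, Wallarm or the article: the sender must be an account associated with the vendor, and the invoice must match something that was internally approved. A third check, that the payment destination in the document matches what accounts payable already has on file, is drawn from the article's description of payments being routed outside the platform. The envelope fields, vendor master records and approved-invoice list are constructed for illustration.

```python
"""Recipient-side checks for an e-signature invoice request.

Added example (not DocuSign's, Wallarm's or the article author's code). The
envelope fields, vendor directory and approval list below are constructed.
"""
from dataclasses import dataclass

# Constructed vendor master data: which sending domains and which remittance
# reference accounts payable has on file for each vendor.
VENDOR_MASTER = {
    "norton": {"domains": {"norton.com"}, "remit_to": "ACCT-NORTON-0001"},
    "acme": {"domains": {"acme.example"}, "remit_to": "ACCT-ACME-0042"},
}

# Constructed list of invoices that went through internal approval: (vendor, amount).
APPROVED_INVOICES = {("norton", 149.99), ("acme", 2400.00)}


@dataclass(frozen=True)
class Envelope:
    sender_name: str        # display name shown in the signing request
    sender_email: str       # account that actually sent the envelope
    claimed_vendor: str     # brand the invoice template carries
    amount: float
    remit_to: str           # payment destination printed in the document


def sender_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def verify_envelope(env: Envelope) -> list:
    """Return the reasons this envelope should not be signed (empty means OK)."""
    findings = []
    vendor = env.claimed_vendor.lower()
    record = VENDOR_MASTER.get(vendor)
    if record is None:
        return ["vendor not in vendor master; route to procurement"]

    # 1. The sender must be an account associated with the vendor, not merely a
    #    legitimate e-signature account whose template copies the brand.
    domain = sender_domain(env.sender_email)
    if domain not in record["domains"]:
        findings.append(f"sender domain '{domain}' is not registered for {vendor}")

    # 2. The invoice must match one that was internally approved. Note that an
    #    accurate price alone proves nothing; the lookalike below passes this check.
    if (vendor, round(env.amount, 2)) not in APPROVED_INVOICES:
        findings.append(f"no approved invoice for {vendor} at {env.amount:.2f}")

    # 3. Payment must go to the remittance details on file. Signing a document
    #    that carries different details is what authorizes the diverted payment.
    if env.remit_to != record["remit_to"]:
        findings.append("remittance details differ from vendor master; verify out of band")
    return findings


def decide(env: Envelope) -> str:
    return "sign" if not verify_envelope(env) else "hold for AP review"


if __name__ == "__main__":
    # Constructed examples: a genuine Acme invoice and a brand-mimicking one sent
    # from an unrelated account with the correct product price.
    genuine = Envelope("Acme Billing", "ar@acme.example", "Acme", 2400.00, "ACCT-ACME-0042")
    lookalike = Envelope("Norton Billing", "billing@renewals-desk.example",
                         "Norton", 149.99, "ACCT-UNKNOWN-7731")
    for env in (genuine, lookalike):
        print(env.sender_email, "->", decide(env), verify_envelope(env))
```

The decision deliberately depends on data the recipient already controls (vendor master, approvals), not on anything inside the envelope, because the envelope itself is produced by a legitimate platform and looks authentic by design.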
For organizations like DocuSign, there are a few actions that can be taken, starting with understanding the threat, and that can be done with threat modeling exercises.
“Specifically look at your APIs and how they could be abused to assess the relative threats,” Novikov said. “Then, apply security controls based on that assessment.”
For example, API-specific rate limiting can help reduce the risk of attacks at scale.
“Implementing tools that can specifically look for API abuse, using machine learning to identify anomalies, can also help,” he explained.
Mike Britton, CIO of Abnormal Security, said that while employee awareness training can help keep phishing at bay, it's important not to overestimate its importance.
“Users will always need to be aware of phishing, but modern attackers now know how to ‘hack the human’ and protecting your business requires layering awareness training with prevention methods further up the chain,” he said.
By using behavioral analytics, for example, organizations can understand what “normal” email and SaaS behavior looks like for every entity in their environment, and then detect deviations that indicate malicious activity — neutralizing those threats before they ever reach users.
From Britton’s perspective, behavioral monitoring is one of the most effective methods for detecting and stopping these attacks.
“Rate limit is great for ‘pray and spray’ types of attacks but an attacker that is specifically targeting an organization is aware of these types of controls and will slow down their attack to not trigger any rate alerts,” he said.
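The contrast Novikov and Britton draw, as an added example that is not code from DocuSign, Wallarm or Abnormal Security: a per-account rate limit on the envelope-send API stops a spray-style burst, while a check of each account's sending pattern against what is normal for it is what catches a slow, targeted sender that stays under the limit. The accounts, templates, thresholds and API events are constructed; the behavioral rules (template brand differing from the verified organization, nearly every envelope going to a new organization, high volume from a days-old account) are an assumed illustration of the kind of deviation such monitoring looks for.

```python
"""Provider-side controls for envelope-send API abuse.

Added example (not DocuSign's, Wallarm's or Abnormal Security's code).
All accounts, templates, thresholds and events are constructed.
"""
from collections import defaultdict, deque

# Constructed account directory: verified organization name and account age.
ACCOUNTS = {
    "acct-legit": {"verified_org": "Acme Corp", "age_days": 400},
    "acct-burst": {"verified_org": "Bulk Sender LLC", "age_days": 2},
    "acct-slow": {"verified_org": "J. Doe Consulting", "age_days": 3},
}


def _send(account, ts, brand, recipient):
    return {"ts": ts, "account": account, "template_brand": brand, "recipient": recipient}


def build_events():
    """Constructed envelope-send API calls (timestamps in seconds)."""
    events = []
    # Established account: ten invoices over ten hours to two repeat customers.
    for i in range(10):
        events.append(_send("acct-legit", i * 3600, "Acme Corp", f"ap@customer-{i % 2}.example"))
    # Spray: thirty envelopes in one minute, each to a different organization.
    for i in range(30):
        events.append(_send("acct-burst", i * 2, "Bulk Sender LLC", f"ap@org-{i}.example"))
    # Slow and targeted: one brand-mimicking invoice every two hours for three days.
    for i in range(36):
        events.append(_send("acct-slow", i * 7200, "Norton", f"ap@target-{i}.example"))
    return sorted(events, key=lambda e: e["ts"])


class SlidingWindowLimiter:
    """Allow at most max_events per key within any window_seconds span."""

    def __init__(self, max_events=10, window_seconds=600):
        self.max_events, self.window = max_events, window_seconds
        self.history = defaultdict(deque)

    def allow(self, key, now):
        q = self.history[key]
        while q and q[0] <= now - self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


def rejected_per_account(events, limiter=None):
    """Number of sends each account had rejected by the rate limiter."""
    limiter = limiter or SlidingWindowLimiter()
    rejected = defaultdict(int)
    for e in events:
        if not limiter.allow(e["account"], e["ts"]):
            rejected[e["account"]] += 1
    return dict(rejected)


def behavioral_flags(events, accounts, min_envelopes=10):
    """Score each account on how far its sending pattern deviates from normal."""
    per_acct = defaultdict(list)
    for e in events:
        per_acct[e["account"]].append(e)
    result = {}
    for acct, evs in per_acct.items():
        flags = []
        profile = accounts[acct]
        domains = {e["recipient"].rsplit("@", 1)[-1] for e in evs}
        # Template branding that differs from the verified organization is the
        # core of the lookalike-invoice scheme.
        if any(e["template_brand"] != profile["verified_org"] for e in evs):
            flags.append("brand_mismatch")
        # Invoices normally go to a vendor's existing customers; nearly every
        # envelope going to a previously unseen organization is abnormal.
        diversity = len(domains) / len(evs)
        if len(evs) >= min_envelopes and diversity > 0.8:
            flags.append("recipient_diversity")
        if profile["age_days"] < 30 and len(evs) >= min_envelopes:
            flags.append("new_account_volume")
        result[acct] = {"score": len(flags), "flags": flags}
    return result


if __name__ == "__main__":
    events = build_events()
    print("rate limiter rejected:", rejected_per_account(events))
    for acct, report in behavioral_flags(events, ACCOUNTS).items():
        print(acct, report)
```

Running it shows the point of the quote: the limiter rejects two thirds of the burst account's sends and nothing from the slow account, while the behavioral scorer flags the slow account on all three rules and leaves the established account clean.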
Novikov explained threat modeling requires that you think like an attacker and, in this case, that you understand the APIs involved.
“These are the two primary skill sets for effective threat modeling for e-signature providers,” he said. “But there’s a third, vitally important, skill needed as well.”
Threat modeling requires that you prioritize the threats, as not every corner case is equally valid, and you likely can’t address every threat you come up with.
“A group of people with these skills can perform reasonable threat modeling,” Novikov said.