DocuSign's Envelopes API abused to send realistic fake invoices
11-11-2024, 03:12 PM
#1
Threat actors are abusing DocuSign's Envelopes API to create and mass-distribute fake invoices that appear genuine, impersonating well-known brands like Norton and PayPal.
Because the attackers use a legitimate service, their messages bypass email security protections, as they come from an actual DocuSign domain, docusign.net.
The goal is to have their targets e-sign the documents, which they can then use to authorize payments independently from the company's billing departments.
Sending realistic signature requests
DocuSign is an electronic signature platform that enables digitally signing, sending, and managing documents.
The Envelopes API is a core component of DocuSign's eSignature REST API, allowing developers to create, send, and manage document containers (envelopes) that define the signing process.
The API is meant to help customers automate the sending of documents that need signing, track their status, and retrieve them when signed.
According to Wallarm security researchers, threat actors using legitimate paid DocuSign accounts are abusing this API to send fake invoices that mimic the look and feel of reputable software firms.
Those users enjoy full access to the platform's templates, allowing them to design documents that resemble the impersonated entity's branding and layout.
Next, they use the 'Envelopes: create' API function to generate and send a high volume of fraudulent invoices to many potential victims.
Wallarm says the fees presented in these invoices are kept to a realistic range to increase the sense of legitimacy of the signing request.
"If users e-sign this document, the attacker can use the signed document to request payment from the organization outside of DocuSign or send the signed document through DocuSign to the finance department for payment," explains Wallarm.
"Other attempts have included different invoices with different items, usually following the same pattern of getting signatures for invoices that then authorize payment into the attackers' bank accounts."
Source/
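Since the sending domain is genuine, mail filtering has to look at who requested the signature and what the request claims to be. The following is an added example, not code from the article or from Wallarm: the sample messages, the addresses, the `EXPECTED_SENDERS` list and the assumption that the envelope sender's address appears in Reply-To are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BRANDS = ("norton", "paypal")  # brands named in the article; extend as needed
INVOICE_TERMS = re.compile(r"\b(invoice|renewal|subscription|payment)\b")
# Assumption: counterparties your organisation really exchanges envelopes with.
EXPECTED_SENDERS = {"contracts@supplier.example"}

def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    return "\n".join(
        part.get_payload(decode=True).decode("utf-8", errors="replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")

def triage(raw):
    """Classify one raw message: ignore, allow, review or quarantine."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != "docusign.net" and not domain.endswith(".docusign.net"):
        return "ignore"      # not sent through DocuSign, other rules apply
    # Assumption: the envelope sender's own address is carried in Reply-To.
    sender = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if sender in EXPECTED_SENDERS:
        return "allow"
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    if any(b in text for b in BRANDS) and INVOICE_TERMS.search(text):
        return "quarantine"  # brand invoice from a sender we do not know
    return "review"          # unknown sender: confirm out of band first

def make(from_, reply_to, subject):
    """Build a constructed sample message (not a captured one)."""
    return (f"From: {from_}\nReply-To: {reply_to}\nSubject: {subject}\n"
            "Content-Type: text/plain\n\nPlease review and sign.\n")

SAMPLES = {  # all constructed
    "fake": make('"Norton Billing via DocuSign" <dse@docusign.net>',
                 "billing@unknown.example", "Norton subscription renewal invoice"),
    "known": make('"Supplier via DocuSign" <dse@docusign.net>',
                  "contracts@supplier.example", "Master services agreement"),
    "unknown": make('"Someone via DocuSign" <dse@docusign.net>',
                    "someone@unknown.example", "Document for signature"),
    "lookalike": make("billing@docusign.net.attacker.example",
                      "billing@unknown.example", "PayPal invoice"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw))
```

The lookalike sample returns `ignore` only because this check covers mail that really comes from docusign.net; spoofed or lookalike domains are left to the usual SPF/DKIM/DMARC and domain-reputation controls.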