Malicious actors are exploiting DocuSign to send fake invoices

A new report reveals that malicious actors are exploiting APIs in DocuSign to send fake invoices. These invoices appear authentic and leverage legitimate DocuSign accounts to impersonate reputable companies, making this campaign stand apart from other phishing attempts. This method can deceive both users and traditional security measures. 

John Waller, Cybersecurity Practice Lead at Black Duck, shares his thoughts on the scheme. “What stands out in this scheme is not just the abuse of the API itself, but the specific way attackers are leveraging DocuSign’s API capabilities to send requests that blend seamlessly with typical business operations. By using paid accounts, attackers gain API access that enables the customization and automation of these fraudulent requests at scale, replicating legitimate workflows without tripping typical security triggers. This bypasses conventional phishing filters because the API-enabled invoices are genuine DocuSign documents, without any malicious links or attachments. This type of API misuse signals a shift toward exploiting application trust rather than exploiting system vulnerabilities, which in turn indicates the need not just for a renewed focus on API monitoring, but for adaptive detection mechanisms to identify suspicious usage patterns.”

Malicious emails that come from trusted sources are typically harder to identify, which is what this campaign relies on. Targets who sign these documents will then authorize a payment, often directly to the account of the malicious actor. 

Stephen Kowski, Field CTO at SlashNext Email Security+, states, “The rise in DocuSign API exploitation represents a broader shift in multichannel attack sophistication. Cybercriminals are moving beyond traditional email phishing to leverage trusted platforms and automation for mass-scale fraud. By exploiting legitimate business tools and APIs, attackers can now orchestrate high-volume campaigns that obviate traditional email security controls while maintaining the appearance of authenticity through real platform accounts and branded templates. Modern security strategies must expand beyond traditional email protection to encompass all messaging channels, particularly browser-based communications.

“Prioritize strategies with advanced behavioral analysis and real-time detection capabilities that can identify suspicious patterns in seemingly legitimate business workflows, especially when trusted platforms are weaponized for fraud at scale. The ability to automate these attacks through APIs means organizations need sophisticated detection systems that can analyze both the technical and contextual aspects of communications, even when they come from legitimate services and domains.”