Malicious actors have begun misusing DocuSign’s Envelopes API to distribute fraudulent invoices that mimic well-known brands, including Norton and PayPal. By leveraging a legitimate platform, attackers bypass traditional email security defenses, making their emails appear trustworthy and credible to recipients.
The fraudulent invoices are sent directly through the DocuSign electronic signature service. Phishing emails often include legitimate-looking documents that prompt recipients to sign off on payments, independently of their company’s finance department.
Attackers create and pay for legitimate DocuSign accounts, giving them access to the platform’s full suite of tools, including template customization and API access. They then craft templates that replicate legitimate e-signature requests from recognizable brands, often including details such as accurate pricing for specific products and additional charges (for example, a $50 activation fee).
The invoices typically request an e-signature, which, once provided, gives attackers the authorization to demand payment directly from a company’s finance team or an organization’s banking department. Some invoices even include direct wire instructions or purchase orders, which, if executed, transfer funds directly to the attacker’s bank accounts.
“Because the invoices are sent directly through DocuSign's platform, they look legitimate to the email services and spam/phishing filters. There are no malicious links or attachments; the danger lies in the authenticity of the request itself,” Wallarm researchers wrote in their report.
According to Wallarm, the number of such malicious campaigns has surged over the last five months, so it is strongly advised that organizations take steps to avoid falling victim to such attacks. The measures include verifying sender credentials, requiring internal approvals, conducting awareness training, and monitoring for anomalies.
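The "verifying sender credentials" and "monitoring for anomalies" measures above can be turned into a simple triage heuristic. The following is an added example, not code from the article or from Wallarm or DocuSign: it assumes that signing-request notifications have already been reduced to records with a sender account, subject and body (the record layout, the vendor allow-list and the brand-to-domain mapping are all constructed assumptions), and it flags the two patterns the article describes: a well-known brand named by a sender that does not belong to that brand, and payment or wire language arriving from an account the finance team has never verified.

```python
"""Triage heuristic for e-signature invoice requests (added example).

Assumptions (not from the original article): each notification has already
been extracted into a dict with keys 'sender_email', 'subject' and 'body',
and the organization keeps an allow-list of sender accounts that finance has
verified out-of-band. All sample values below are constructed.
"""
import re

# Constructed allow-list of previously verified vendor sender accounts.
KNOWN_VENDORS = {"billing@example-vendor.test"}

# Brands the article names as impersonated, mapped to the domain each brand
# would legitimately send from (constructed values for this example).
BRAND_DOMAINS = {
    "norton": {"norton.com"},
    "paypal": {"paypal.com"},
}

# Language that turns a signing request into an authorization to pay.
PAYMENT_TERMS = re.compile(
    r"\b(wire|routing|account number|purchase order|activation fee|invoice)\b",
    re.IGNORECASE,
)


def triage(record):
    """Return a list of anomaly reasons for one signing request; empty means clean."""
    reasons = []
    sender = record["sender_email"].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    text = f"{record['subject']} {record['body']}".lower()

    # 1. Brand impersonation: a well-known brand is named in the request,
    #    but the sender account is not on that brand's own domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and sender_domain not in domains:
            reasons.append(f"brand '{brand}' named but sender domain is {sender_domain}")

    # 2. Unverified sender asking for payment action: a first-seen account
    #    plus wire/invoice language is the pattern the article describes.
    if sender not in KNOWN_VENDORS and PAYMENT_TERMS.search(text):
        reasons.append("payment/wire language from a sender not on the vendor allow-list")

    return reasons


# Constructed sample notifications (not real messages).
SAMPLES = [
    {
        "sender_email": "accounts@sign-requests.test",
        "subject": "Norton renewal invoice - signature required",
        "body": "Please sign to authorize payment. Includes $50 activation fee. "
                "Wire to account number 12345.",
    },
    {
        "sender_email": "billing@example-vendor.test",
        "subject": "Q3 services invoice",
        "body": "Invoice attached for signature per purchase order 884.",
    },
]


def flagged(records=SAMPLES):
    """Return (sender, reasons) for every record that produced at least one anomaly."""
    results = []
    for record in records:
        reasons = triage(record)
        if reasons:
            results.append((record["sender_email"], reasons))
    return results


if __name__ == "__main__":
    for sender, reasons in flagged():
        print(sender, "->", "; ".join(reasons))
```

Flagged requests are candidates for the "internal approval" step rather than automatic blocking: the second sample (a known vendor with ordinary invoice language) passes clean, while the first is held because both heuristics fire. The allow-list is the piece that needs real maintenance; a sender account is only as trustworthy as the out-of-band verification that put it there.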