Significant surge in DocuSign impersonation attacks: hackers mimicking government


Attackers are dropping hundreds of instances of new malicious DocuSign phishing links every day, and they appear authentic, cybersecurity firm SlashNext warns.

In the single week of November 8-14, observed instances of DocuSign phishing links were 98% higher than in all of September and October. Researchers say they are seeing hundreds of instances each day.

Fraudsters are busy impersonating government agencies, commercial contractors, and municipal projects to target businesses with fake documentation, such as licensing renewals, compliance demands, contract modifications, and others.

“These attacks pose a dual threat for contractors and vendors – immediate financial loss and potential business disruption,” the report by SlashNext reads.

“When a fraudulent document is signed, it can trigger unauthorized payments while simultaneously creating confusion about actual licensing status. This uncertainty can lead to delays in bidding on new projects or maintaining current contracts.”

Companies use DocuSign's electronic signature service to manage documents online – to securely send, sign, and store documents.

What makes this impersonation tactic successful?

A typical attack scenario revolves around an official DocuSign request, which appears authentic. Malicious actors create templates using legitimate DocuSign accounts and APIs. For example, a general contractor may receive a request from their state licensing board.

“A North Carolina commercial contractor receives an urgent DocuSign request supposedly from the NC Licensing Board. The document states their $12 million hospital construction project is at risk of immediate shutdown because of a compliance issue. The notice demands an $85,000 ‘emergency compliance bond’ to prevent work stoppage. The time pressure and potential project impact make the contractor vulnerable to acting quickly without proper verification,” the researchers said, providing an example of the scam.

In another case, a contractor in Milwaukee received a DocuSign notification about a $2.8 million renovation project that mimicked the City’s Department of Public Works. The forged document required an immediate signature for additional materials and labor costs of $175,000.

“The contractor, familiar with such change orders and eager to avoid project delays, signs the document without verifying through their usual city contact,” the researchers said.

Image (docusign-scam) by SlashNext.

These sophisticated campaigns are particularly dangerous, as they attempt to exploit trusted relationships. Cybercriminals target businesses during predictable licensing cycles and include accurate pricing and terminology.

Attackers use legitimate DocuSign infrastructure and bypass traditional email security tools.

Attackers have previously also been observed using DocuSign links for phishing or to send realistic fraudulent invoices impersonating Norton, PayPal, and other famous brands.

Wallarm, an API Security platform, released a report on fake invoices that appear strikingly authentic.

“An attacker creates a legitimate, paid DocuSign account that allows them to change templates and use the API directly. The attacker employs a specially crafted template mimicking requests to e-sign documents from well-known brands, mostly software companies; for example, Norton Antivirus,” Wallarm said, explaining the scheme.

Image (fake-invoice-docusign) by Wallarm.

If users sign the forged document, attackers then proceed to request payments from the organization’s finance department or the outside organization.

This attack vector is not limited to DocuSign – other e-signature and document services could be equally exploitable.

“It's fascinating to see how sophisticated cybercriminals have become, leveraging legitimate tools like DocuSign to craft realistic phishing attacks. This highlights the importance of verifying the source of any document signing request, even if it appears to come from a trusted source,” said Randolph Barr, CISO at Cequence.

Barr suggests organizations should prioritize ongoing security awareness training to combat this threat.

“This training should emphasize the importance of pausing and verifying before taking any action, even if it seems urgent. Additionally, IT and security teams must stay informed about the latest attack methods and techniques to effectively protect their organizations.”

DocuSign previously told BleepingComputer that it is aware of the reports and takes them very seriously. The company has a “number of technical systems and teams in place to help prevent misuse of our services.”