Cybercriminals are leveraging DocuSign’s Envelopes API to email fake invoices that victims are e-signing and the attackers then use to get corporate billing departments to authorize payments.
In a Nov. 5 blog post, Wallarm researchers said there have been continued reports over the last five months of the highly automated malicious campaigns on the DocuSign community forums.
The researchers said these users highlight a concerning pattern: attackers are not only impersonating companies, they are embedding themselves within legitimate communication channels to execute their attacks.
According to the Wallarm researchers, unlike traditional phishing scams that rely on deceptively crafted emails and malicious links, the attackers set up genuine DocuSign accounts and templates to impersonate reputable companies such as PayPal or Norton, catching users and security tools off guard.
Here’s how it works: An attacker creates a legitimate, paid DocuSign account that lets them change templates and use the API directly. The attacker then sends via email a specially crafted template that mimics requests to e-sign documents from the well-known brands.
What stands out in this scheme is not just the abuse of the API itself, but the specific way attackers are leveraging DocuSign’s API capabilities to send requests that blend seamlessly with typical business operations, said John Waller, cybersecurity practice lead at Black Duck. Waller said that by using paid DocuSign accounts, attackers gain API access that enables the customization and automation of these fraudulent requests at scale, replicating legitimate workflows without tripping typical security triggers.
“This bypasses conventional phishing filters because the API-enabled invoices are genuine DocuSign documents, without any malicious links or attachments,” said Waller. “This type of API misuse signals a shift toward exploiting application trust rather than exploiting system vulnerabilities, which in turn indicates the need not just for a renewed focus on API monitoring, but for adaptive detection mechanisms to identify suspicious usage patterns.”
Itzik Alvas, co-founder and CEO at Entro Security, added that APIs are often exploited to offer attackers outsized access to backend infrastructure and resources. Alvas said after compromising an API, attackers quickly move laterally to identify and compromise additional exposed human and non-human identities (NHIs) throughout the environment.
“The DocuSign API exploit is one such example of attackers leveraging compromised NHIs to present as official DocuSign communication, and expand the scope of their attack beyond DocuSign’s APIs to impacting their customers and employees,” said Alvas.
The rise in DocuSign API exploitation represents a broader shift in multichannel attack sophistication, explained Stephen Kowski, Field CTO at SlashNext Email Security. Kowski said cybercriminals are moving beyond traditional email phishing to leverage trusted platforms and automation for mass-scale fraud.
“By exploiting legitimate business tools and APIs, attackers can now orchestrate high-volume campaigns that obviate traditional email security controls while maintaining the appearance of authenticity through real platform accounts and branded templates,” said Kowski. “Modern security strategies must expand beyond traditional email protection to encompass all messaging channels, particularly browser-based communications.”
