
Hi everyone,

I recently came across this article: Attackers Abuse DocuSign API to Send Authentic-Looking Invoices at Scale

It highlights how attackers are exploiting the DocuSign API to distribute fraudulent invoices that appear legitimate, potentially affecting many organizations.

I'm interested to know if others have encountered this issue or have any insights on how to address it. What steps are your organizations taking to mitigate this risk? Are there any best practices or recommendations you'd be willing to share?

Looking forward to your thoughts and suggestions.

Hello @JohnSantos ,

Thank you for reaching out here in the Docusign Community.

We are aware of the reports and take them very seriously. While, in the interest of security, we don’t disclose specifics that could alert bad actors to our prevention tactics, Docusign has a number of capabilities, technical systems and teams in place to help prevent misuse of our services.

We employ continuous multi-layered monitoring of our systems to identify behaviors and signals that are associated with fraud and illegal activity, so we can prevent improper activities at the outset and, in other cases, quickly detect, respond to, and protect against suspicious behavior, using both automated and manual response measures.

  • On average, the Docusign team investigates and closes suspicious accounts within 24 hours of the activity being detected or reported.
  • When suspicious accounts are reported, the vast majority of those accounts have already been detected by Docusign’s systems and are either under investigation or have already been closed.
  • Once an account is closed, all envelopes sent from the account are no longer accessible by the recipient or sender.

Sadly, phishing is on the rise globally. Preventing attackers is a team effort among corporations and consumers — you can find more on our proactive efforts and deterring techniques here.
If you suspect you have received a message from a fraudulent Docusign account, you can report it using the “Report This Email” link found at the bottom of the Docusign envelope email notification you received or through your account using these instructions.

Let us know if you need further assistance with this.


Best regards,

Nathaly | Docusign Community Moderator
"Select as Best" below if you find the answer a valid solution to your issue!


Thank you @nathaly.monge 


Hello @JohnSantos ,

Thank you for reaching back.

Glad to be of help. I hope you have a great day!


Best regards,

Nathaly | Docusign Community Moderator
"Select as Best" below if you find the answer a valid solution to your issue!


I’ve reviewed the article highlighting a potential security risk where attackers may exploit the DocuSign API to send authentic-looking invoices at scale. This concern primarily arises from scenarios where an admin account’s credentials are compromised without Multi-Factor Authentication (MFA) enabled, or where JWT integration information is exposed, allowing attackers to take control of accounts and send malicious envelopes, potentially launching supply chain attacks.


I believe DocuSign could take a page from Okta’s security model by enforcing MFA for admin accounts, ideally incorporating options like Google Authenticator or, even better, FIDO2-compliant solutions such as Yubikey with WebAuthn MFA. Additionally, restricting JWT integrations by IP address or ASN (Autonomous System Number) would add another layer of security. This would prevent API calls from unauthorized locations, even if the JWT is compromised. Many of our clients have expressed a strong need for these types of controls.


As a partner of Okta, SentinelOne, and Yubico, we prioritize our clients’ information security. In addition, we would welcome a feature allowing admins to configure email notifications or API integration for envelopes to go through an approval flow—ideally with oversight from security or legal departments. This step could act as a safeguard, as end-users in business departments might have limited security awareness and could inadvertently interact with phishing emails. The legal team, for example, would benefit from reviewing documents for any legal risks before signing, as the article mentions cases where phishing attacks have led to financial authorizations being compromised.


We hope DocuSign will continue strengthening security measures in these areas to mitigate the risk of significant financial loss for clients. Thank you for considering these suggestions.


FreeLink/甫连信息
🌍 DocuSign Partner | Partner Profile
🏆 2024 APAC Reseller Growth Partner of the Year
🔧 The first in APAC to pass the DocuSign eSignature Technical Consultant certification.
🚀 Expertise in DocuSign integrations with on-premises systems for leading enterprises across various industries.
Feel free to reach out for collaboration opportunities.
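Two of the controls raised in this thread are easy to show in code: binding a JWT-authenticated integration to an allowed network range (so a leaked token is useless from elsewhere), and monitoring envelope-send audit events for an account blasting envelopes at scale. The following is an added example written for this thread; it is not DocuSign code or any DocuSign API. The integration identifier, CIDR ranges, audit-line format, account names and thresholds are all constructed for illustration.

```python
"""Added example (not DocuSign code): two defender-side controls discussed in
the thread, implemented generically for any JWT-authenticated integration.

1. enforce_source_allowlist: reject an API call whose source IP is outside the
   CIDR ranges registered for the integration, even when the JWT is valid.
2. flag_bulk_senders: scan envelope-send audit events and flag accounts that
   exceed a send threshold inside a sliding time window, the "at scale"
   signal an abuse-monitoring team would look for.

All integration IDs, log lines and thresholds below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Hypothetical registry: JWT issuer / client id -> CIDRs it may call from.
INTEGRATION_ALLOWLIST = {
    "erp-invoicing-integration": ["203.0.113.0/24", "2001:db8:10::/48"],
}


def enforce_source_allowlist(jwt_claims, source_ip, allowlist=INTEGRATION_ALLOWLIST):
    """Return (allowed, reason). Assumes the JWT signature and expiry were
    already verified upstream; this check only binds the token to a network
    origin, which is what an IP/ASN restriction on integrations would do."""
    integration = jwt_claims.get("iss")
    if integration not in allowlist:
        return False, f"unknown integration {integration!r}"
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, f"unparseable source address {source_ip!r}"
    for cidr in allowlist[integration]:
        # ip_network.__contains__ returns False across IPv4/IPv6 versions.
        if ip in ipaddress.ip_network(cidr, strict=False):
            return True, f"{ip} within {cidr}"
    return False, f"{ip} not in allowlist for {integration!r}"


def parse_event(line):
    """Parse a constructed audit line:
    '<ISO timestamp> <account> <action> <envelope_id>'."""
    ts, account, action, envelope_id = line.split()
    return datetime.fromisoformat(ts), account, action, envelope_id


def flag_bulk_senders(lines, max_sends=20, window=timedelta(minutes=5)):
    """Return {account: timestamp_of_first_breach} for accounts with more than
    max_sends 'envelope.sent' events in any window-long sliding interval.
    Input lines are expected in chronological order."""
    recent = defaultdict(deque)   # account -> timestamps inside the window
    flagged = {}
    for line in lines:
        ts, account, action, _ = parse_event(line)
        if action != "envelope.sent":
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_sends and account not in flagged:
            flagged[account] = ts
    return flagged


def constructed_audit_log():
    """Constructed sample events (not real Docusign logs): one normal account
    sending three envelopes in an hour, and one account sending an envelope
    every five seconds."""
    base = datetime(2024, 11, 5, 9, 0, 0)
    lines = []
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} acct-legit envelope.sent env-L{i}")
    for i in range(25):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} acct-suspect envelope.sent env-S{i}")
    t = base + timedelta(minutes=1)
    lines.append(f"{t.isoformat()} acct-suspect envelope.viewed env-S0")
    return sorted(lines)  # same-format ISO timestamps sort chronologically


if __name__ == "__main__":
    print(enforce_source_allowlist({"iss": "erp-invoicing-integration"}, "203.0.113.40"))
    print(enforce_source_allowlist({"iss": "erp-invoicing-integration"}, "198.51.100.7"))
    for account, when in flag_bulk_senders(constructed_audit_log()).items():
        print(f"bulk sending from {account} detected at {when.isoformat()}")
```

The allowlist check deliberately sits after signature verification rather than replacing it: the token still proves identity, while the network binding limits where that identity can be exercised from. The sliding-window detector is intentionally simple; a production version would tune the threshold per account baseline and feed the result into the same investigation queue the moderator describes.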

