Security researchers are seeing an explosion of phishing emails mimicking DocuSign messages, many of which are targeting businesses that routinely work with state and municipal agencies and licensing boards.
Between November 8 and 14, threat researchers with cybersecurity firm SlashNext saw a 98% increase in DocuSign phishing attacks over what they detected in September and October, with researchers seeing hundreds of such incidents a day.
MSSPs are being urged to contact clients – particularly those involved with government and municipal operations – to proactively alert them about the threat and the need to verify the legitimacy of requests sent via DocuSign.
“This threat is rapidly spreading and presents unique detection challenges due to its sophisticated nature,” Stephen Kowski, field CTO at SlashNext Email Security+, told MSSP Alert. “MSSPs should enhance their monitoring systems to identify DocuSign-related phishing attempts, while educating customers about proper verification procedures to maintain security against these evolving attacks.”
Abusing DocuSign
Hackers have long abused DocuSign APIs and used legitimate DocuSign accounts and templates to send authentic-looking business forms, such as invoices, that appear to come from real companies. Targets who e-sign the documents inadvertently authorize payments that are routed to bank accounts set up by the scammers.
Abnormal Security in May noted a “concerning uptick” in such attacks, attributing the surge to factors such as the widespread adoption of the DocuSign platform across myriad industries and its trusted reputation. The researchers also noted that dark web forums and marketplaces sell a range of templates and login credentials.
What’s concerning about the recent DocuSign phishing incidents is that many of the bogus documents appear to come from government agencies, according to SlashNext. Agencies impersonated in the recent surge of attacks include the U.S. Department of Health and Human Services, Maryland Department of Transportation, the cities of Milwaukee, Houston, and Charlotte, North Carolina, and the North Carolina Licensing Board for General Contractors.
“This sophisticated campaign is particularly dangerous because it exploits the trusted relationship between businesses and their regulatory bodies,” Kowski wrote in the report.
Authenticity is Key
An attack can unfold in a number of ways, but it typically starts with the bad actor using legitimate accounts and APIs to create a DocuSign request that appears authentic. The DocuSign notification, which appears to come from a legitimate agency, could alert a company to a licensing renewal, a change order, a compliance issue, or a similar situation that must be resolved through a payment of some sort, citing reasons such as cost overruns or a bond.
“These attacks pose a dual threat for contractors and vendors – immediate financial loss and potential business disruption,” Kowski wrote. “When a fraudulent document is signed, it can trigger unauthorized payments while simultaneously creating confusion about actual licensing status. This uncertainty can lead to delays in bidding on new projects or maintaining current contracts.”
For such companies, there are industry-specific warning signs, including the unexpected timing for license renewals, unusual payment routing instructions, requests for immediate action on state contracts, or documentation requirements outside normal renewal periods.
“The sophistication of these attacks, combined with their focus on state-level interactions, makes them particularly dangerous for businesses that regularly engage with government agencies,” he wrote.
MSSPs Offer Guidance, Education
Like Kowski, Jason Soroko, senior fellow at security firm Sectigo, said it’s important to educate clients about these social engineering attacks and to prepare them to respond to such an incident. He also noted that MSSPs are implementing secure email gateways (SEGs) for their clients.
“SEGs can help to better filter inbound and outbound emails to detect and block phishing attempts, malicious attachments, and fraudulent senders,” Soroko told MSSP Alert. “MSSPs should be including heuristics to identify emails impersonating DocuSign. If possible, tuning the SEG with machine learning could result in blocking these social engineering attempts.”
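The warning signs listed above and the impersonation heuristics Soroko describes can be turned into a simple triage check. The Python below is an added example written for this article, not SlashNext's or Sectigo's code; the agency domain allowlist, the renewal calendar, the keyword lists and the sample notifications are constructed placeholders, and a deployment would substitute each client's verified agency domains and licensing schedule.

```python
import re
from datetime import date
# Constructed allowlist: the official e-mail domain of each agency a client deals
# with (hypothetical placeholders; a deployment would use the agency's real domain).
AGENCY_DOMAINS = {
    "maryland department of transportation": {"mdot.example"},
    "nc licensing board for general contractors": {"nclbgc.example"},
}
# Constructed renewal calendar: the month in which each licence type normally renews.
RENEWAL_MONTH = {"general contractor license": 1}
PAYMENT_RE = re.compile(r"\b(wire|routing number|account number|new bank|remit to)\b", re.I)
URGENCY_RE = re.compile(r"\b(immediately|within 24 hours|suspended|final notice)\b", re.I)

def triage(envelope, today_month):
    """Return warning-sign flags for one DocuSign notification (dict with sender_name,
    sender_email = the DocuSign account that created the envelope, subject, body)."""
    flags = []
    claimed = envelope["sender_name"].lower()
    domain = envelope["sender_email"].split("@")[-1].lower()
    text = (envelope["subject"] + " " + envelope["body"]).lower()
    for agency, domains in AGENCY_DOMAINS.items():
        # Envelope claims to come from an agency, but the creating account is not on its domain.
        if agency in claimed and domain not in domains:
            flags.append("agency-name-domain-mismatch")
    if PAYMENT_RE.search(text):
        flags.append("payment-routing-instructions")
    if URGENCY_RE.search(text):
        flags.append("immediate-action-demand")
    for licence, month in RENEWAL_MONTH.items():
        # Renewal request arriving outside the normal renewal period.
        if licence in text and "renew" in text and today_month != month:
            flags.append("renewal-outside-normal-period")
    return flags

# Constructed sample notifications (not real messages).
SAMPLE = [
    {"sender_name": "Maryland Department of Transportation", "sender_email": "permits@mdot.example",
     "subject": "Change order CO-17 for review", "body": "Please review and sign the attached change order."},
    {"sender_name": "Maryland Department of Transportation", "sender_email": "mdot.permits@mail-sign.example",
     "subject": "Final notice: bond payment required", "body": "Remit to new bank; routing number enclosed. Sign immediately."},
    {"sender_name": "NC Licensing Board for General Contractors", "sender_email": "renewals@nclbgc.example",
     "subject": "General contractor license renewal", "body": "Complete the renewal form to keep your license active."},
]

if __name__ == "__main__":
    for env in SAMPLE:
        print(env["subject"], "->", triage(env, date.today().month) or ["no flags"])
```

Any flagged envelope should be verified with the agency through a known phone number or portal rather than through links in the notification.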