They stole your contracts, then sent lures from your brand
An e-signature platform holds executed agreements, signer PII, and a channel recipients are conditioned to open and sign. A stolen token does double damage: bulk-download the contracts, then send phishing from your trusted account. Here is the abuse, and the fix.
The most dangerous phishing email is the one your recipients were already trained to sign.
What it is
An e-signature platform holds executed contracts and signer PII, and it is a trusted channel people open and sign without hesitation. An attacker with a stolen API token or an over-scoped connected app downloads completed envelopes and their documents in bulk, then sends new envelopes from the trusted account as a lure: the recipients see your account name and your usual envelope template. In ATT&CK terms this is T1078 (Valid Accounts) with T1528 (Steal Application Access Token), T1213 (Data from Information Repositories), and T1567 (Exfiltration Over Web Service).
Why it works
API document downloads and envelope sends are normal platform activity, so the abuse blends into the integration traffic you expect to see. A bearer token authenticates on its own, so the MFA prompt that would catch a stolen password never fires. And the brand your recipients trust is now the attacker's phishing channel: the lure arrives from the account they already sign for.
How to detect it
In the platform's API and envelope logs, look for an existing token used from an IP outside its integration's known range that bulk-downloads completed envelopes and then sends new ones. Compare the volume and cadence against what that integration normally does: a scheduled sync pulls a few documents on a predictable timer and rarely sends, while a thief pulls everything completed in minutes and then starts sending to external recipients.
The fix that holds
Contain first: revoke the token and any connected app it was issued to, rotate whatever legitimate integration depended on it, and void the attacker's in-flight envelopes so unopened lures can no longer be signed. Then make the next token worth less: least-scope, short-lived tokens with IP allowlisting, admin approval before any connected app is authorized, tokens kept out of source code and CI logs, and alerts on bulk downloads of completed envelopes and on send volume outside the integration's baseline. Finally, warn the recipients who were lured using your brand, and tell them which envelope IDs to ignore.
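The detection in the previous section and the containment list above, worked as one added example that is not part of the original page or of any vendor's tooling. It runs over constructed API/envelope log lines in an assumed pipe-delimited format; the token name, IPs, envelope IDs, recipient addresses, per-token IP allowlist and thresholds are all assumptions. The same pass flags the unlisted IP that bulk-downloads completed envelopes and then sends lures, then turns the flagged activity into the token to revoke, the envelopes to void, and the recipients to warn.

```python
"""Detect e-signature token abuse in constructed logs, then build the containment list.

Log format (assumed, not any vendor's schema):
    timestamp|token_id|source_ip|action|envelope_id|status|recipient1,recipient2
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy: the source IPs each token is allowed to be used from.
TOKEN_ALLOWLIST = {"tok_crm_sync": {"203.0.113.10"}}

# Assumed thresholds; tune them against the integration's real baseline.
BULK_DOWNLOAD_THRESHOLD = 20   # completed-envelope downloads inside one window
SEND_SURGE_THRESHOLD = 3       # new envelopes sent inside one window
WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, token, ip, action, env_id, status, rcpts = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "token": token, "ip": ip,
            "action": action, "envelope": env_id, "status": status,
            "recipients": [r for r in rcpts.split(",") if r]}


def max_in_window(events, window=WINDOW):
    """Largest count of events (already sorted by ts) inside any span of length `window`."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines):
    """Flag (token, ip) pairs off the allowlist that bulk-download or surge-send."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["token"], e["ip"])].append(e)
    alerts = []
    for (token, ip), evs in by_pair.items():
        if ip in TOKEN_ALLOWLIST.get(token, set()):
            continue  # known integration address: this is the traffic abuse hides in
        downloads = [e for e in evs if e["action"] == "get_document" and e["status"] == "completed"]
        sends = [e for e in evs if e["action"] == "send_envelope"]
        dl, sd = max_in_window(downloads), max_in_window(sends)
        reasons = []
        if dl >= BULK_DOWNLOAD_THRESHOLD:
            reasons.append("bulk download of completed envelopes")
        if sd >= SEND_SURGE_THRESHOLD:
            reasons.append("send surge from unlisted IP")
        if reasons:
            alerts.append({"token": token, "ip": ip, "downloads_in_window": dl,
                           "sends_in_window": sd, "reasons": reasons})
    return alerts


def containment_plan(lines, alerts):
    """From flagged pairs, list the token to revoke, envelopes to void, recipients to warn."""
    flagged = {(a["token"], a["ip"]) for a in alerts}
    plan = {"revoke_tokens": sorted({t for t, _ in flagged}), "void_envelopes": [],
            "warn_recipients": set(), "exfiltrated_envelopes": []}
    for e in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        if (e["token"], e["ip"]) not in flagged:
            continue
        if e["action"] == "send_envelope":          # attacker's lures: void and warn
            plan["void_envelopes"].append(e["envelope"])
            plan["warn_recipients"].update(e["recipients"])
        elif e["action"] == "get_document":         # what was exfiltrated: scope the breach
            plan["exfiltrated_envelopes"].append(e["envelope"])
    plan["warn_recipients"] = sorted(plan["warn_recipients"])
    return plan


def constructed_log():
    """Constructed sample: a legitimate CRM sync, then the same token from an unknown IP."""
    base = datetime(2024, 5, 6, 9, 0)
    lines = [f"{base + timedelta(minutes=i)}|tok_crm_sync|203.0.113.10|get_document|env-{100 + i}|completed|"
             for i in range(3)]
    lines.append(f"{base + timedelta(minutes=5)}|tok_crm_sync|203.0.113.10|send_envelope|env-200|sent|alice@customer.example")
    t = base + timedelta(hours=3)   # stolen token: 40 downloads in under 7 minutes, then 3 lures
    lines += [f"{t + timedelta(seconds=10 * i)}|tok_crm_sync|198.51.100.77|get_document|env-{300 + i}|completed|"
              for i in range(40)]
    for i, r in enumerate(["bob@partner.example", "carol@partner.example", "dave@vendor.example"]):
        lines.append(f"{t + timedelta(minutes=8 + i)}|tok_crm_sync|198.51.100.77|send_envelope|env-{500 + i}|sent|{r}")
    return lines


if __name__ == "__main__":
    found = detect(constructed_log())
    for a in found:
        print(f"ALERT {a['token']} from {a['ip']}: {', '.join(a['reasons'])}")
    print(containment_plan(constructed_log(), found))
```

The allowlist check is what keeps the legitimate sync quiet: its downloads and send come from the listed IP and are never scored. Everything the flagged pair did is kept, not just what crossed a threshold, because the recipient list and the exfiltrated envelope set are what the notification and breach-scoping steps need.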
Practice it
We built an e-signature token-abuse scenario in GraphLattice Range so teams learn to stop both the exfiltration and the brand-abuse phishing, and warn the lured recipients.