Security researchers warn of a new phishing campaign that uses malicious emails from legitimate SurveyMonkey domains to bypass security filters.
The phishing emails in question are sent from an actual SurveyMonkey domain but mostly carry a different reply-to domain, according to Abnormal Security.
“In the body of the email is a hidden redirect link appearing in the form of the text ‘Navigate to access statement’ with a brief message ‘Please do not forward this email because its survey link is your own,’” he explained.
“Clicking on the link takes you to a site hosted on a Microsoft form submission page.” This form asks the user to enter their Office 365 email and password. If the user is not vigilant and provides their credentials, the user account would be compromised.
The attack is effective for several reasons: its use of a legitimate SurveyMonkey email sender, hiding the phishing site URL, and describing the email as unique to each user.
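The two signals the article describes, a legitimate sender domain paired with a different reply-to domain and an off-domain destination hidden behind innocuous link text, can both be checked mechanically at the mail gateway or in triage. The following is an added illustration, not code from the article or from Abnormal Security; every domain in the sample message is a constructed placeholder, and the rule that a link is "off-domain" when its host is not the sender's domain or a subdomain of it is an assumption chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real campaign artefact). The From header is
# on the survey provider's own domain, Reply-To points elsewhere, and the body
# hides an off-domain link behind harmless-looking anchor text.
SAMPLE_EMAIL = """\
From: Surveys <surveys@example-surveys.test>
Reply-To: replies@attacker-placeholder.test
To: victim@example.test
Subject: Statement ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please do not forward this email because its survey link is your own.</p>
<p><a href="https://forms.example-redirect.test/r/abc123">Navigate to access statement</a></p>
</body></html>
"""


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an RFC 5322 address header."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _html_body(msg) -> str:
    """Return the decoded text/html part of the message, or "" if there is none."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""


def _same_org(host: str, sender_domain: str) -> bool:
    # Assumption for this example: the sender's domain and its subdomains are "on-domain".
    return host == sender_domain or host.endswith("." + sender_domain)


def analyse(raw: str) -> list[str]:
    """Return human-readable findings for the two signals described in the article."""
    msg = message_from_string(raw)
    findings = []

    sender = _domain(msg.get("From", ""))
    reply_to = _domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append(f"reply-to domain {reply_to} differs from sender domain {sender}")

    collector = _LinkCollector()
    collector.feed(_html_body(msg))
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        # Flag links whose visible text is not itself a URL but whose target leaves the sender's domain.
        if host and not _same_org(host, sender) and not re.search(r"https?://", text):
            findings.append(f"link text {text!r} hides off-domain destination {host}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("FINDING:", finding)
```

Run against the constructed message, `analyse` reports both the reply-to mismatch and the hidden off-domain link; change the reply-to and link host to the sender's own domain and it reports nothing. In practice these findings would feed a score alongside authentication results (SPF, DKIM, DMARC), since, as the article notes, the sending domain itself is legitimate and passes those checks.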
“Users may be tricked into thinking that the login page is there to validate that their responses are coming from the legitimate recipient of the email. So the behavior is not unexpected,” argued Abnormal Security.
David Pickett, senior cybersecurity analyst at Zix, explained that attacks like these are becoming more common: he claimed that the provider blocked around 590,000 phishing emails abusing legitimate services like SurveyMonkey over the course of the last week alone.
“Credential phishing using legitimate survey forms has been a preferred attack vector by a number of different groups over the past two years,” he added.
“We are tracking these ‘living off the land’ attacks and have found that the most commonly abused legitimate forms/survey providers, from largest to smallest volume, are Google, Microsoft, SurveyGizmo, and HubSpot.”