Security researchers are warning of a new phishing campaign that uses malicious emails from legitimate SurveyMonkey domains in a bid to bypass security filters.
The phishing emails in question are sent from a real SurveyMonkey domain but crucially have a different reply-to domain, according to Abnormal Security.
“Within the body of the email is a hidden redirect link appearing as the text ‘Navigate to access statement’ with a brief message ‘Please do not forward this email as its survey link is unique to you,’” it explained.
“Clicking on the link redirects to a site hosted on a Microsoft form submission page. This form asks the user to enter their Office 365 email and password. If the user is not vigilant and provides their credentials, the user account would be compromised.”
The attack is effective for several reasons: its use of a legitimate SurveyMonkey email sender, the concealing of the phishing site URL and the description of the email as unique to every user.
“Users may be primed to think that the login page is there to validate that their responses are from the legitimate recipient of the email. Thus, the behavior isn’t unexpected,” argued Abnormal Security.
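The two indicators the report describes (a legitimate sender domain paired with a different Reply-To domain, and a link whose visible text hides an off-domain destination) can be checked mechanically at the mail gateway. The following is an added example written for this page, not code from Abnormal Security, Zix or SurveyMonkey; the two messages and all domains in it are constructed, and the registrable-domain logic is a crude "last two labels" approximation that a real deployment would replace with a Public Suffix List lookup.

```python
"""Heuristic checks for the survey-phishing pattern described in the article:
From/Reply-To domain mismatch and HTML links that lead off the sender's domain.
Sample messages below are constructed for illustration."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Approximate registrable domain as the last two labels (assumption:
    good enough for a demo; use the Public Suffix List in production)."""
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value: str) -> str:
    """Registrable domain of the address in a From:/Reply-To: header."""
    _, addr = parseaddr(header_value or "")
    return registrable_domain(addr.rpartition("@")[2])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: bytes) -> dict:
    """Return sender/reply-to domains and a list of human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = address_domain(msg.get("From", ""))
    reply_dom = address_domain(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    findings = []
    if reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    links = []
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        links = collector.links
    for href, text in links:
        host = urlparse(href).hostname or ""
        if host and registrable_domain(host) != from_dom:
            findings.append(f"link text {text!r} points off-domain to {host}")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom, "findings": findings}


# Constructed sample: legitimate-looking sender, foreign Reply-To, off-domain link.
SUSPICIOUS = (
    b"From: Survey Team <noreply@mail.surveyservice.example>\n"
    b"Reply-To: statements@reply.attacker.example\n"
    b"Subject: Your account statement\n"
    b"Content-Type: text/html; charset=utf-8\n\n"
    b"<p>Please do not forward this email as its survey link is unique to you.</p>"
    b'<p><a href="https://forms.office.example/r/abc123">Navigate to access statement</a></p>'
)

# Constructed sample: consistent headers and an on-domain survey link.
BENIGN = (
    b"From: Survey Team <noreply@mail.surveyservice.example>\n"
    b"Reply-To: noreply@mail.surveyservice.example\n"
    b"Subject: We value your feedback\n"
    b"Content-Type: text/html; charset=utf-8\n\n"
    b'<p><a href="https://www.surveyservice.example/s/XYZ">Take the survey</a></p>'
)

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, analyze(raw))
```

The off-domain link check is deliberately strict: a survey platform that legitimately links to a third-party form host would trigger it too, so in practice the finding is a scoring signal to combine with the Reply-To mismatch rather than a block-on-its-own rule.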
David Pickett, senior cybersecurity analyst at ZIX, explained that attacks like these are increasingly common: he claimed that the vendor blocked around 590,000 phishing emails abusing legitimate services like SurveyMonkey in the past week alone.
“Credential phishing using legitimate survey forms is a favorite attack vector by quite a few different groups over the past two years,” he added.
“We track these ‘living off the land’ attacks and have found that the most often abused legitimate forms/survey providers in order from greatest to least volume are Google, Microsoft, SurveyGizmo and HubSpot.”