Attackers Used Legitimate SurveyMonkey Domain to Bypass Security Filters

Hackers have been abusing legitimate survey forms to host credential-harvesting pages on online platforms, without needing any external tool or phishing site of their own, a technique often termed Living Off the Land (LOtL). Recently, phishers used the survey site SurveyMonkey to host redirect links to a phishing webpage.

What was the attack?

The phishing emails in the campaign, which contained a malicious link designed to steal employees' Microsoft credentials, reached an estimated 15,000 to 50,000 mailboxes.
  • In this phishing campaign, Abnormal Security found that the hackers sent the emails from a real SurveyMonkey domain (surveymonkeyuser[.]com) but changed the reply-to domain and concealed the redirect behind a hidden link.
  • The redirect link was disguised as the text “Navigate to access statement”, accompanied by a brief message: “Please do not forward this email as its survey link is unique to you.” When clicked, the link redirects to a site hosted on a Microsoft form submission page, and the form tricks users into entering their Office 365 login credentials.
  • Users may be primed to think that the login page exists to verify that the responses come from the legitimate recipient of the email. However, if they provide their credentials, their user account is compromised.
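As an added example (not from the article, Abnormal Security, or SurveyMonkey), the following Python check triages the two signals this campaign combined: a reply-to domain that differs from the sending domain, and a lure link whose anchor text names no destination yet points at a form or survey host. The sample message, the lure phrases and every domain other than surveymonkeyuser.com are constructed placeholders, and the list of form hosts is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the campaign): real-looking sender domain,
# a reply-to on a placeholder attacker domain, and a link whose anchor text hides
# where it actually goes.
SAMPLE_EMAIL = """From: Survey <noreply@surveymonkeyuser.com>
Reply-To: payroll@example-attacker.invalid
Subject: Your statement is ready
Content-Type: text/html

<p>Please do not forward this email as its survey link is unique to you.</p>
<a href="https://www.surveymonkey.com/r/placeholder123">Navigate to access statement</a>
"""

# Anchor phrases that urge a click without naming a destination (constructed list).
LURE_PHRASES = ("access statement", "view document", "review invoice")
# Form/survey hosts whose legitimate pages get abused to hold redirects (assumed list).
FORM_HOSTS = ("surveymonkey.com", "forms.office.com")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(header_value):
    """Bare, lower-cased domain of an address header; '' if absent or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def url_host(url):
    m = re.match(r"https?://([^/?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def triage(raw):
    """Return findings for the two signals; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"reply-to domain {reply_to} differs from sender {sender}")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    for href, text in ANCHOR_RE.findall(body):
        host = url_host(href)
        lure = any(p in text.lower() for p in LURE_PHRASES)
        on_form_host = any(host == h or host.endswith("." + h) for h in FORM_HOSTS)
        if lure and on_form_host:
            findings.append(f"lure text {text!r} links to form host {host}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

A mail gateway rule would typically quarantine on the header mismatch alone and only score the lure-link signal, since legitimate survey invitations also link to these hosts.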

Pervasive living off the land attacks

In recent times, attackers have rapidly warmed to the idea of launching more living off the land attacks by abusing a variety of legitimate form and survey providers.
  • In July 2020, during WastedLocker ransomware attacks, hackers used malicious Cobalt Strike software and several living-off-the-land tools to steal credentials, escalate privileges, and move laterally across the network.
  • In June 2020, the Evil Corp group used a number of living-off-the-land tools and malicious Cobalt Strike software to steal credentials, escalate privileges, and move laterally across the network.

Ongoing trend

Earlier this month, Zix Corporation blocked almost 590,000 spam messages and stopped over 88,000 messages attempting to abuse legitimate form and survey services in living off the land attacks.