秋葵视频色 Blocks Major Form & Survey Abuse Attacks Targeting Microsoft 365 Users

DHL spoof site

Over the past 24 hours alone, 秋葵视频色/AppRiver advanced email threat protection filters have stopped over 88,000 messages attempting to abuse legitimate forms and survey services. The total count of blocked attacks jumps to an astonishing 590,000 messages over the course of the past week. These numbers provide a glimpse into just how pervasive living off the land attacks have recently become.

In July of 2019, we described how attackers were abusing Microsoft Office Excel & Forms Online Surveys to host credential harvesting sites on the service without the need for an external phishing site. These malicious schemes were on Microsoft's radar too, as they added in this same time period. Since then, attackers have rapidly warmed up to the idea of launching more Living Off the Land (LOtL) attacks by abusing a variety of legitimate form and survey providers.

Top Abused Providers & Metrics

Metrics derived from our advanced email protection filters for these LOtL attacks indicate they have increased over time. Currently, the legitimate providers abused in the highest volume of blocked messages are, in order from greatest to least volume:

  1. Google Forms
  2. Microsoft Forms
  3. SurveyGizmo Surveys
  4. HubSpot Forms

Microsoft Forms Abuse Example

A Growing Trend to Intermediary Redirect/Jump Pages

While not a new tactic, there has been a growing trend by these attackers over the past months to utilize an intermediary redirect/jump page before the credential harvesting page. These threat actors still rely upon the legitimate provider for the initial link, but then attempt to either automatically redirect or trick the user into manually clicking onward to the page designed to solicit and steal user credentials.

This tactic is used for a variety of reasons:

  • The most obvious: these links are for legitimate services, which helps to defeat user awareness training that teaches users to look for suspicious links.
  • Certain providers are becoming more effective at identifying this type of abuse on their site and removing the page faster.
  • It allows the attacker to autonomously switch phishing links in their email campaigns once the intermediary site is discovered and removed by the service, which saves the time and resources of setting up a new credential harvesting site. They can direct a bot to identify when the site is removed. Once it is removed, they automatically change the link in the sending scripts so the phishing campaign continues with little to no downtime.

DHL Spoofing Email Abusing Google Dynamic Link to Forms
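
A mail filter or triage script can surface these messages by flagging links to the form and survey services named above and labelling where a recorded redirect chain ends. The following is an added example, not code from the article or from any vendor product; the hostnames in `PROVIDERS`, the function names, and the sample mail are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed (host suffix, path prefix) pairs for the services the article names.
PROVIDERS = {
    "Google Forms": [("docs.google.com", "/forms/"), ("forms.gle", "/")],
    "Microsoft Forms": [("forms.office.com", "/"), ("forms.microsoft.com", "/")],
    "SurveyGizmo": [("surveygizmo.com", "/")],
    "HubSpot Forms": [("hsforms.com", "/")],
    "Google Dynamic Link": [("page.link", "/")],
}

def provider_for(url):
    """Return the provider name for url, or None. Matches whole DNS labels only."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed href, e.g. broken IPv6 brackets
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    for name, rules in PROVIDERS.items():
        for domain, prefix in rules:
            on_domain = host == domain or host.endswith("." + domain)
            if on_domain and (parts.path or "/").startswith(prefix):
                return name
    return None

class _Hrefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def provider_links(html_body):
    """List (provider, href) for each anchor in an HTML mail body that hits a provider."""
    parser = _Hrefs()
    parser.feed(html_body)
    return [(p, h) for h in parser.hrefs if (p := provider_for(h))]

def classify_chain(hops):
    """Label a recorded redirect chain: hops[0] is the mailed link, hops[-1] the landing page."""
    first, last = provider_for(hops[0]), provider_for(hops[-1])
    if first and not last:
        return "jump-to-external"    # provider link served only as a jump page
    return "hosted-on-provider" if last else None

# Constructed sample mail body, not taken from the article.
SAMPLE_MAIL = ('<p>Parcel on hold. <a href="https://example.page.link/AbC1">Track</a> '
               '<a href="https://forms.office.com.login-check.example/r/x">Verify</a></p>')
```

Matching on whole DNS labels keeps a lookalike host that merely begins with a provider's name from being treated as that provider, so it falls through to ordinary URL reputation checks instead.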
