Security researchers from Abnormal Security discovered a new phishing campaign targeting Microsoft Office 365 users via a legitimate SurveyMonkey domain to evade security filters. The hackers sent a lookalike SurveyMonkey domain link to Office 365 users prompting them to participate in a survey. On clicking, it redirected them to a phishing site that asked users to enter email login credentials and other sensitive information. The malicious survey links targeted almost 15,000 to 50,000 Office 365 users.
“Within the body of the email is a hidden redirect link appearing as the text Navigate to access statement, with a brief message, “Please do not forward this email as its survey link is unique to you.” But clicking on the link redirects to a site hosted on a Microsoft form submission page. This form asks the user to enter their Office 365 email and password. If the user is not vigilant and provides their credentials, the user account would be compromised,” the researchers said.
Effective Phishing
The researchers stated that the malicious URL is not visible within the email body text, making it difficult for users to identify. The first URL redirects to a legitimate SurveyMonkey link and then lands to a phishing site.
“As these emails originated from the legitimate SurveyMonkey email address, and the body of the email contains a link to the real survey monkey domain, one would easily believe the email to be benign. However, it is not until the second redirect where the user is led to a phishing page that the attacker controls,” researchers added.
Growing Attacks on MS Office 365
Multiple cyberattacks have been reported on MS Office 365 tools earlier. Another research claimed that hackers used a fake Office 365 website to trick users into downloading the TrickBot password-stealing Trojan masked as Chrome and Firefox browser updates. The security team explained that the fake site gives a pop-up stating that the user’s browser needs an update. When the user clicks on the update option, an executable file, named upd365_58v01.exe, gets downloaded and installs the TrickBot information-stealing Trojan to exploit the system.
