Between May 5 and 7, 2025, bad actors launched a subtle but smart phishing campaign using the European Commission’s own survey platform. The attack wasn’t broad, but it was sharp, leveraging the credibility of an EU-linked domain to slip past defenses and harvest credentials.
KnowBe4 Threat Lab spotted it early. The phishing emails came from a legitimate sender: [email protected]. That’s not a spoof, but a real domain tied to EUSurvey, a platform used for public consultation and research. This is what made it so dangerous.
The Setup: Real Sender, Fake Intent
By creating an account on EUSurvey, attackers sent phishing emails that passed authentication checks (SPF, DKIM, and DMARC) all green. That gave them a front door past Microsoft 365 defenses and traditional secure email gateways.
The email looked clean. Too clean.
At the top: a short message referencing “INV REMIT,” a term tied to invoice payments, just enough to draw attention. Hidden in this message was a polymorphic hyperlink. Every email had its own unique link, making it tough for filters to flag or block.
Clicking it led to a fake verification page, a kind of decoy captcha, just a step between the email and the final phishing site. That’s how the attackers dodged link scanners. The phishing page wasn’t directly in the email, the user had to interact first. Most automated tools never got that far.
The Sleight of Hand: White Text and Visual Misdirection
This attack came in two parts. The top half of the email did the damage. The bottom half stayed clean. Legitimate content from EUSurvey was still there, just hidden. White text on a white background. Invisible unless highlighted.
The malefactors couldn’t change the formatting of all the content. A real EUSurvey link was still visible. That helped it pass casual inspection and fooled simpler security tools.
The dual structure served a purpose: confuse scanners, lower suspicion, and keep the email looking official.
The Goal: Steal Credentials, Not Just Clicks
At the end of the chain was a credential harvesting site. Users were asked to input login details under the guise of verification. Those sites have since been blocked. But the tactic remains.
This wasn’t a ‘mud against the wall’ campaign, it was precise and clever. It showed how threat actors are moving into new territory, using legitimate platforms like AppSheet, QuickBooks, Google Forms, and now EUSurvey to launch attacks that bypass traditional defenses.
What It Means
Polymorphic links. Payload smuggling. White-on-white deception. None of this on its own was groundbreaking. Yet used together, through a trusted EU platform, the result was a phishing email that looked cleaner than most corporate newsletters.
It’s part of a larger shift. Malicious actors are laundering malicious intent through legitimate services. Security tools need to see through the façade.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.