Expert Reaction On Office 365 Users Targeted In SurveyMonkey Phishing Attack

By ISBuzz Team
Writer, Information Security Buzz | Jul 09, 2020 05:51 am PST

Researchers at Abnormal Security have uncovered attempts to steal Office 365 user credentials on the pretext of conducting surveys among employees. In the campaign, the victim receives an email from a genuine SurveyMonkey site, but the message contains a hidden link which, when clicked, redirects the victim to a Microsoft form submission page. The user has to submit their Office 365 email and password to proceed. This way, the malicious actors steal the unsuspecting user’s Microsoft account credentials.

The email is sent from a real SurveyMonkey domain, but with a different reply-to domain. That reply-to domain was registered only 1 month ago. The email simulates an automated notification with a link to open the “survey”. This link is an actual SurveyMonkey link that redirects to the main phishing page. It appears that these spear phishing attacks have a high probability of success due to various factors, including the use of a trusted domain. Likewise, concealing the redirect link makes it a little difficult for the target to suspect anything. Abnormal Security points out that up to 50,000 mailboxes may have received the SurveyMonkey phishing link.
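The traits described above can be turned into a mail-triage check, shown here as an added example that is not code from Abnormal Security or the original article: a Reply-To domain that differs from the sender's, a recently registered Reply-To domain, and a link to a survey provider. The sample message, the `registered_on` lookup and the 90-day threshold are assumptions.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

SURVEY_HOSTS = {"surveymonkey.com"}  # provider named in the article; extend locally
YOUNG_DOMAIN_DAYS = 90               # assumed threshold, not from the article

# Constructed sample message: addresses, domains and URL are made up.
SAMPLE = """\
From: Survey Notification <noreply@surveymonkey.com>
Reply-To: survey-team@reply-example.test
Date: Wed, 08 Jul 2020 10:00:00 +0000
Subject: New employee survey
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>A new survey is waiting. <a href="https://www.surveymonkey.com/r/EXAMPLE">Open</a></p>
"""

def _domain(header):
    """Domain part of the first address in a From/Reply-To header."""
    addr = str(header) if header else ""
    m = re.search(r"<([^<>]*)>", addr)
    return (m.group(1) if m else addr).strip().rpartition("@")[2].lower()

def _under(host, parent):
    return host == parent or host.endswith("." + parent)

def assess(raw, registered_on):
    """Return findings for one message. registered_on maps a domain to its
    registration datetime (hypothetical enrichment, e.g. from RDAP/WHOIS)."""
    msg = message_from_string(raw, policy=policy.default)
    sender, reply_to = _domain(msg["From"]), _domain(msg["Reply-To"])
    findings = []
    if reply_to and not (_under(reply_to, sender) or _under(sender, reply_to)):
        findings.append("reply-to-domain-mismatch")
        created = registered_on.get(reply_to)
        sent = msg["Date"].datetime if msg["Date"] else None
        if created and sent and (sent - created).days < YOUNG_DOMAIN_DAYS:
            findings.append("young-reply-to-domain")
    part = msg.get_body(preferencelist=("html", "plain"))
    text = part.get_content() if part else ""
    hosts = {(urlsplit(u).hostname or "").lower()
             for u in re.findall(r"https?://[^\s\"'<>]+", text)}
    if any(_under(h, p) for h in hosts for p in SURVEY_HOSTS):
        findings.append("survey-provider-link")
    return findings
```

A survey-provider link on its own is normal traffic; it is the combination with the Reply-To findings that matches the campaign described here.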

David Pickett, Senior Cybersecurity Analyst
July 9, 2020 1:56 pm

Credential phishing using legitimate survey forms is a favourite attack vector by quite a few different groups over the past two years. We track these “living off the land” attacks and have found that the most often abused legitimate forms/survey providers in order from greatest to least volume are Google, Microsoft, Survey Gizmo, and HubSpot. Historically speaking, the attackers directly solicited credentials on the legitimate forms themselves as we previously mentioned in this article last year. However, as pictured by Abnormal Security, there has definitely been a trend over the past few months to utilize an intermediary redirect/jump page which still uses the legitimate service provider to have the user click on to the credential harvesting site.

This tactic is used for a few reasons:

1. The most obvious being – these links are for legitimate services, this helps to defeat user awareness training for suspicious links.

2. Certain providers are becoming more effective at identifying this type of abuse on their site and removing the page faster.

3. It allows the attacker to quickly switch out phishing links in their email campaigns when the redirect site link is discovered and removed by the service. This allows the attacker to save time and resources from setting up a new credential harvesting site. They can set up their bots to identify when the site is removed and automatically change the link in their scripts for continuity in their phishing campaigns without any sending interruption.

Just for an idea on how pervasive living off the land attacks have become – during the past 24 hours, our advanced email threat protection filters have stopped over 88,000 messages abusing the legitimate services. If we look back at the past week the total count is approximately 590,000 messages.
