Microsoft warned businesses of cybercriminals targeting employees by sending them phishing emails from their website contact forms.
Upon opening the link and entering their login details, victims unknowingly download a zip package with the IcedID info-stealing banking trojan.
This is a new trend that has recently started in which attackers target employees who are responsible for dealing with public requests. Attackers send legitimate Google URLs – in this case, a link to sites.google.com – that require employees to sign in with their Google credentials. Victims are urged to view images that are supposedly infringing the copyright.
“We observed an influx of contact form emails targeted at enterprises by means of abusing companies’ contact forms. This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections,” the company said.
The sites.google.com page automatically downloads a ZIP file with a JavaScript file and then IcedID malware. It also downloads Cobalt Strike that allows the attackers to remotely control the device.
Microsoft is rather concerned by the technique and calls these attacks “highly evasive” because attackers are abusing legitimate infrastructure – website contact forms. And by using Google URLs attackers can bypass email security filters. Researchers say attackers can probably bypass CAPTCHA challenges, too.
This is a tricky attack to detect since phishing emails arrive from the company’s own contact form and email systems.
“As the emails are originating from the recipient’s own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry,” Microsoft notes.
IcedID is a banking trojan and information stealer that can be used to carry out subsequent attacks, such as human-operated ransomware. This type of ransomware attack is increasingly common and requires the attacker to manually orchestrate the attack.
Instead of IcedID, it could just as easily be some other malware.
Microsoft has reported the campaign to Google’s security teams.
“We have already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs,” Microsoft said.
