Criminals are using company websites' ‘contact us’ forms to reach the employees who handle contact requests from the public.
The crooks use these contact forms to send employees legitimate Google URLs that require users to sign in with their Google username and password.
Microsoft 365 Defender Threat Intelligence Team considered the threat serious because the attackers are using legitimate Google URLs to deliver malware. The Google URLs are useful to the attackers because they bypass email security filters. The attackers have also bypassed the CAPTCHA challenges that are meant to test whether a contact submission comes from a human.
Microsoft is concerned by the technique used and has currently detected the criminals using the URLs in email to deliver IcedID malware. But it could be used to transmit other malware as well.
IcedID is a banking trojan and information stealer and can be used as an entry point for further attacks, such as manually operated ransomware against high-value targets. Human-operated ransomware attacks are common; in this case an attacker sits at the keyboard and directs the attack, in contrast to an automated attack.
Microsoft has already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs.
“We observed an influx of contact form emails targeted at enterprises by means of abusing
The companies’ contact forms are abused at a scale that indicates the threat actors are likely using a tool that automates the process while circumventing CAPTCHA protections. The emails are difficult to detect because they reach employees through the company's own contact form and email marketing systems.
The attackers send emails that tempt the employee to respond and the email contains a link to a sites.google.com page.
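As an added example (not code from Microsoft's report or from this article), the following Python triage routine runs over constructed contact-form submission logs and flags the two signals described above: messages linking to sites.google.com and bursts of submissions from a single source, which suggest automated tooling that bypasses CAPTCHA. The log field names, timestamps, IPs and message texts are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample of contact-form submissions as a web backend might log them.
SUBMISSIONS = [
    {"ts": "2021-04-09T10:00:01", "ip": "203.0.113.7", "msg": "Your site uses my photo without permission, see https://sites.google.com/view/example-claim-1"},
    {"ts": "2021-04-09T10:00:04", "ip": "203.0.113.7", "msg": "Second notice: https://sites.google.com/view/example-claim-2"},
    {"ts": "2021-04-09T10:00:06", "ip": "203.0.113.7", "msg": "Final notice https://sites.google.com/view/example-claim-3"},
    {"ts": "2021-04-09T11:30:00", "ip": "198.51.100.20", "msg": "Do you ship to Canada? Thanks."},
    {"ts": "2021-04-09T12:15:00", "ip": "198.51.100.44", "msg": "Our catalogue is at https://www.example.net/catalog"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Host the campaign described in the article used for its landing pages.
SUSPECT_HOSTS = {"sites.google.com"}


def suspicious_urls(msg):
    """Return the URLs in a message whose host is on the suspect list."""
    return [u for u in URL_RE.findall(msg) if urlparse(u).hostname in SUSPECT_HOSTS]


def burst_sources(subs, window=timedelta(minutes=1), threshold=3):
    """Return source IPs that sent >= threshold submissions within one window (automation indicator)."""
    by_ip = defaultdict(list)
    for s in subs:
        by_ip[s["ip"]].append(datetime.fromisoformat(s["ts"]))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        # Slide a window of `threshold` consecutive submissions over the sorted times.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged


def triage(subs):
    """Tag each submission with the reasons it looks like contact-form abuse (empty list = nothing flagged)."""
    bursts = burst_sources(subs)
    results = []
    for s in subs:
        reasons = []
        if suspicious_urls(s["msg"]):
            reasons.append("link to suspect host")
        if s["ip"] in bursts:
            reasons.append("burst of submissions from same source")
        results.append({"ip": s["ip"], "reasons": reasons})
    return results
```

Flagged submissions are candidates for quarantine or manual review before they are forwarded to the employee inbox; a legitimate site on sites.google.com will still be flagged, so the host match is a triage signal rather than a block decision.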