Phishing Emails from SurveyMonkey

According to an article at https://www.infosecurity-magazine.com,  Abnormal Security recently discovered a new phishing campaign using malicious emails from a legitimate SurveyMonkey domain. A malicious actor is using this legitimate domain because it allows them to bypass most security filters. 

Even though these emails are sent from the actual SurveyMonkey domain, the reply-to address is in a different domain. Within the email there is a hidden URL that appears as the text ‘Navigate to access statement’ with a message ‘Please do not forward this email as its survey link is unique to you.’”

Clicking on the link will redirect the user to a form asking for their Office 365 credentials such as email address and password. If the user’s information is entered into this malicious site, then the user’s account will be compromised.

The article states that the reason this attack is so effective is due to the use of a legitimate email sender, as well as concealing the malicious site URL and the description of the email being “unique” to every user.

If you do receive any email that you suspect is a scam, please do not click on any URL or reply. Either of those actions confirms to the sender that your email address is valid. Please forward the message (with the email headers) to security@umbc.edu and delete the message.

How do I forward full email headers?

https://wiki.umbc.edu/pages/viewpage.action?pageId=1867970

For more information, please check out: 

https://www.infosecurity-magazine.com/news/surveymonkey-phishers-office-365/

https://abnormalsecurity.com/blog/abnormal-attack-stories-phishing-through-surveymonkey/

To read more articles published by DOIT visit: 

https://itsecurity.umbc.edu/critical/?tag=notice.