Researchers at Microsoft have alerted the Google security team to a new attack they have witnessed involving legitimate contact forms from companies and Google URLs. The attackers will use the contact forms from companies’ websites to make contact with employees, avoiding email filters because the emails are coming from the company and are what employees would expect to see when someone requests information about a company through a contact form. The contact form will be submitted by the threat actor with information that pressures the receiving employee to act urgently. The email will also include a legitimate Google URL that the employee will be asked to visit to investigate the urgent claim. When the URL is accessed, a .ZIP file with a JavaScript file is download, which in turn downloads the IcedID banking trojan as a .DAT file. IcedID eventually delivers Cobalt Strike Beacon, which allows the attacker to control the infected device remotely over the internet.
Analyst Notes
This attack is highly evasive since the email to employees originates from the company’s own email account used to send contact form responses. Companies should train employees who handle the emails from the contact forms on how to spot these attacks and instruct employees to have someone review the emails that seem malicious before they are interacted with. Utilizing a monitoring service such as Binary Defenses Managed Detection and Response to monitor endpoints and look for abnormal activity can stop attacks quickly, even if employees are tricked into downloading and opening a malicious file.
More can be read here: https://www.zdnet.com/article/criminals-spread-malware-using-website-contact-forms-with-google-urls/
