Living Off The Land - Forms & Survey Abuse

Blog

Living Off The Land - Forms & Survey Abuse

David Pickett

DHL Spoof Abusing Google Forms

During July of 2019, we detailed how attackers were abusing Microsoft Office Excel & Forms Online Surveys to host credential harvesting sites on the service without the need for an external phishing site. 

That was on Microsoft's radar and nearly the same time Microsoft had added increased automation for phishing detection to their roadmap.

Since then, attackers have increasingly warmed up to the idea of launching Living Off the Land (LOtL) attacks by abusing a variety of legitimate form and survey providers.

 

Top Abused Providers & Metrics

Metrics derived from our advanced email protection filters for these LOtL attacks indicate they have only increased over time. Currently, the highest volume of blocked messages abusing the legitimate providers in order from greatest to least volume are:

  1. Google Forms
  2. Microsoft Forms 
  3. SurveyGizmo Surveys
  4. HubSpot Forms 

Just for an idea on how pervasive living off the land attacks have become, in the past 24 hours our advanced email threat protection filters have stopped over 88,000 messages abusing legitimate services. If we look back at the past week, the total count is approximately 590,000 messages.

 

A Growing Trend to Intermediary Redirect/Jump Pages

While not a new tactic, there has been a growing trend by these attackers over the past months to utilize an intermediary redirect/jump page before the credential harvesting page. These threat actors still rely upon the legitimate provider for the initial link, but then attempts to either automatically redirect or trick the user into manually clicking onward to the page designed to solicit and steal user credentials. 

This tactic is used for a variety of reasons:

  • The most obvious - these links are for legitimate services, this helps to defeat user awareness training when looking for suspicious links.
  • Certain providers are becoming more effective at identifying this type of abuse on their site and removing the page faster.
  • Allows the attacker to autonomously switch phishing links in their email campaigns once the intermediary site is discovered and removed by the service. This allows the attacker to save time and resources from having to set up a new credential harvesting site. They can direct a bot to identify when the site is removed. Once removed, they automatically change the link in the sending scripts for continuity in the phishing campaigns to ensure continuity of the attack with little to no downtime.

DHL Spoofing Email Abusing Google Dynamic Link to Forms

DHL Spoofing Abuses Google Form Links

 

Contact us today for a trial of our Advanced Email Threat Protection to secure your business!