Expert Reaction On Office 365 Users Targeted In SurveyMonkey Phishing Attack

Researchers at Abnormal Security have uncovered attempts to steal Office 365 user credentials on the pretext of conducting surveys among employees. In the campaign, the victim receives an email from a genuine SurveyMonkey site, but the message contains a hidden link, which upon clicking, redirects the victim to a Microsoft form submission page. The user has to submit their Office 365 email and password to proceed. This way, the malicious actors steal the unsuspecting user’s Microsoft account security credentials.

The email is sent from a real SurveyMonkey domain (, but with a different reply-to domain. That reply-to domain was registered only 1 month ago. The email simulates an automated notification with a link to open the “survey”. This link is an actual SurveyMonkey link that redirects to the main phishing page. It appears that these spear phishing attacks have a high probability of success due to various factors, including the use of a trusted domain. Likewise, concealing the redirect link makes it a little difficult for the target to suspect anything. Abnormal Security points out that up to 50,000 mailboxes may have received the SurveyMonkey phishing link.

David Pickett, Senior Cybersecurity Analyst,  ZIX
July 09, 2020
The most obvious being - these links are for legitimate services, this helps to defeat user awareness training for suspicious links.
Credential phishing using legitimate survey forms is a favourite attack vector by quite a few different groups over the past two years. We track these “living off the land” attacks and have found that the most often abused legitimate forms/survey providers in order from greatest to least volume are Google, Microsoft, Survey Gizmo, and HubSpot. Historically speaking, the attackers directly soli ....
[Read More >>]

If you are an expert on this topic:

Submit Your Expert Comments

In this article