The Role of Fake Surveys in Phishing Scams

A mid-year engagement survey was spoofed to harvest Microsoft Office 365 credentials: recipients were pushed through a fake identity verification page and then a spoofed Microsoft login page, with urgency and HR impersonation used to lower their guard. Indicators include unusual URLs, Wufoo-hosted forms, and requests for personal information in a supposedly anonymous survey. #CofensePhishingDefenseCenter #Office365 #Wufoo #MidYearEngagementSurvey

Key points

  • The phishing campaign impersonates a legitimate HR department to appear credible.
  • Recipients are pressured to comply with a mandatory “engagement survey.”
  • The phishing email contains a button that redirects to a fake identity verification page.
  • The final page mimics a Microsoft login page, but the URL is suspicious.
  • Indicators of compromise include unusual URLs and requests for personal information in supposedly anonymous surveys.
  • The identity verification and survey flow use Wufoo hosting and lack company branding, signaling deception.

MITRE Techniques

  • [T1566] Phishing – Threat actors send emails disguised as legitimate surveys to harvest credentials.
  • [T1003] Credential Dumping – Harvesting Microsoft Office 365 credentials through deceptive means.
  • [T1071] Impersonation – Using spoofed emails to impersonate HR departments.

Indicators of Compromise

  • [URL] – suspicious links used in the email and landing pages (shown defanged: hXXps, [.]), covering the Benchmark Email tracking redirect and the Wufoo-hosted form: hXXps://clt1703532[.]benchurl[.]com/c/l?u=1166D7BF&e=1877A0D&c=19FE6C&t=0&l=107C607F3&email=Ig8jAI8P3kHmjaKJTGnXrasuurYxDJrgWHs61jVkWo4%3D&seq=1 and hXXps://hresign[.]wufoo[.]com/forms/m1ox5s7s02wbc10/?utm_source=BenchmarkEmail&utm_campaign=August_6_Newsletter&utm_medium=email
  • [Domain] – final credential-harvesting page hosted on niiansesnet0[.]cfd, used in the spoofed Microsoft login step
  • [IP] – observed campaign infrastructure: 54.203.170.138, 52.40.74.216, 34.208.45.249 and 52.11.53.118
  • [IP] – additional infrastructure: 108.138.85.8, 108.138.85.5, 108.138.85.59 and 108.138.85.106
  • [IP] – additional infrastructure: 172.67.207.227 and 104.21.22.247

Several of these addresses fall in large shared cloud and CDN ranges, so they are weak, short-lived indicators; the hostnames and the Wufoo form plus tracking-redirect pattern are the more durable ones to alert on.
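The following is an added detection example, not code from the Cofense write-up: it refangs the indicators listed above, checks each link for the campaign hosts, for a Wufoo-hosted form and for a recipient address embedded in a tracking redirect, and scores the message text for the HR/urgency lure and the "anonymous survey that demands identity verification" contradiction. The lure terms, the sample email and the alert threshold are assumptions; only the hostnames and the two URLs come from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts quoted from the write-up above (refanged); extend with your own feeds.
CAMPAIGN_HOSTS = {"clt1703532.benchurl.com", "hresign.wufoo.com", "niiansesnet0.cfd"}
# Assumed lure wording drawn from the key points: HR impersonation, "mandatory", urgency.
LURE_TERMS = ("engagement survey", "mandatory", "hr department", "verify your identity", "respond by")

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hXXps://, [.]) back into a parseable URL."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".")

def url_findings(url: str) -> list[str]:
    """Reasons a single link matches the fake-survey pattern described above."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    reasons = []
    if host in CAMPAIGN_HOSTS:
        reasons.append(f"known campaign host {host}")
    if host.endswith(".wufoo.com") and parts.path.startswith("/forms/"):
        reasons.append("survey form hosted on Wufoo, not on a company domain")
    if "email" in parse_qs(parts.query):
        reasons.append("recipient address embedded in tracking link")
    return reasons

def score_message(subject: str, body: str, links: list[str]) -> tuple[int, list[str]]:
    """Count findings for one email; three or more is worth an analyst's look (assumed threshold)."""
    text = f"{subject}\n{body}".lower()
    reasons = [f"lure wording: {term!r}" for term in LURE_TERMS if term in text]
    if "anonymous" in text and "verify your identity" in text:
        reasons.append("'anonymous' survey that demands identity verification")
    for link in links:
        reasons.extend(url_findings(link))
    return len(reasons), reasons

# Constructed sample resembling the campaign; the links are the write-up's own indicators.
SAMPLE_SUBJECT = "Mandatory Mid-Year Engagement Survey - respond by end of day"
SAMPLE_BODY = ("The HR department asks all staff to complete this anonymous engagement survey. "
               "Click below to verify your identity first.")
SAMPLE_LINKS = [
    "hXXps://clt1703532[.]benchurl[.]com/c/l?u=1166D7BF&e=1877A0D&c=19FE6C&t=0&l=107C607F3"
    "&email=Ig8jAI8P3kHmjaKJTGnXrasuurYxDJrgWHs61jVkWo4%3D&seq=1",
    "hXXps://hresign[.]wufoo[.]com/forms/m1ox5s7s02wbc10/?utm_source=BenchmarkEmail"
    "&utm_campaign=August_6_Newsletter&utm_medium=email",
]

if __name__ == "__main__":
    score, why = score_message(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_LINKS)
    print(f"findings: {score}", *why, sep="\n  ")
```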

Read more: https://cofense.com/blog/mid-year-engagement-trap-how-fake-surveys-are-used-in-phishing