Microsoft warns on IcedID Malware spreading via Contact Forms

IcedID is a notorious banking Trojan targeting Windows users that exfiltrates banking credentials and can connect to a remote server to deploy additional payloads.

Microsoft has issued a warning about a new IcedID malware campaign that abuses websites' published contact forms to deliver malicious links to business organizations in emails carrying fake legal threats, thereby abusing a legitimate system to run an evasive campaign that bypasses security protections.

Once a system is infected, the malware deploys additional payloads, such as ransomware, that are capable of moving laterally across the affected network, performing hands-on-keyboard attacks and stealing credentials.

How Hackers Are Using Websites' Contact Forms to Deliver IcedID Malware

Typically, a website's contact form allows site visitors to communicate with the site owner without the owner having to publish an email address that spammers could harvest.



The IcedID malware campaign has resulted in an influx of contact-form emails targeted at businesses by abusing companies' website contact forms. The attackers may have used a tool that automates the process and circumvents CAPTCHA protections. Because the malicious email arrives in the recipient's inbox from the contact form, as if it had been sent by a trusted email marketing system, its seeming legitimacy helps it evade detection.

The message is generated by filling out and submitting the web-based form, which delivers it to the contact-form recipient at the targeted enterprise. The attacker-generated message uses strong, urgent language that pressures the recipient to act immediately, compelling them to click the links to avoid a supposed legal action.

Besides the fake legal threats written in the comments field, the message also includes a link to a page on sites.google.com where the recipient can supposedly view the allegedly stolen photos.

Driven by that sense of urgency, the victim is likely to click the link or open the malicious file. The infection chain, which starts with nothing more than a link to a sites.google.com page, requires the user to sign in with their Google credentials before a ZIP archive is automatically downloaded to the system.

How to Mitigate Such Sophisticated Phishing Attacks

The above scenario offers a glimpse into how sophisticated attackers' techniques have grown, with the goal of delivering dangerous malware payloads such as IcedID.

Therefore, against such highly evasive campaigns, users are advised to ensure that their systems are running Microsoft Defender for Office 365, which inspects the email body and URLs for known patterns. Defender for Office 365 leverages its deep visibility into email threats and advanced detection technologies powered by AI and machine learning, backed by Microsoft's constant monitoring of the threat landscape for new attacker tools and techniques.
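The mitigation above relies on inspecting message bodies and URLs for known patterns. As an added illustration (not Microsoft's code or any Defender rule), the following Python heuristic scores an inbound contact-form submission against the traits described in this campaign: legal-threat wording, urgency wording, and a link hosted on sites.google.com. The keyword lists, weights, threshold and the two sample messages are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Heuristic indicators taken from the campaign described above: fake legal
# threats, urgent wording, and a link to a page hosted on sites.google.com.
# Keyword lists and weights are constructed for this example, not vendor rules.
LEGAL_THREAT_TERMS = ("lawsuit", "legal action", "copyright", "attorney",
                      "lawyer", "court", "damages")
URGENCY_TERMS = ("immediately", "within 24 hours", "right now", "urgent",
                 "final notice")
ABUSED_HOSTS = {"sites.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def score_contact_form_message(body: str) -> Verdict:
    """Score one submitted contact-form message; higher means more suspicious."""
    text = body.lower()
    verdict = Verdict()
    legal_hits = [t for t in LEGAL_THREAT_TERMS if t in text]
    if legal_hits:
        verdict.score += 2
        verdict.reasons.append(f"legal-threat wording: {legal_hits}")
    urgency_hits = [t for t in URGENCY_TERMS if t in text]
    if urgency_hits:
        verdict.score += 1
        verdict.reasons.append(f"urgency wording: {urgency_hits}")
    # Extract every URL and check the exact hostname against the abused hosts.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in ABUSED_HOSTS:
            verdict.score += 3
            verdict.reasons.append(f"link to abused hosting: {host}")
    return verdict


def is_suspicious(body: str, threshold: int = 5) -> bool:
    """Flag a submission for review when the combined score reaches the threshold."""
    return score_contact_form_message(body).score >= threshold


# Constructed sample submissions (not real campaign text).
PHISHING_SAMPLE = (
    "You used our photos without permission. We will file a lawsuit and "
    "claim damages unless you remove them immediately. Evidence: "
    "https://sites.google.com/view/evidence-placeholder"
)
BENIGN_SAMPLE = "Hi, could you send me a quote for 20 units? Thanks."
```

Flagged submissions should be routed to a review queue rather than the recipient's inbox, and the reasons list gives the analyst the matched indicators.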
