While this specific campaign delivers the IcedID malware, the delivery method can be used to distribute a wide range of other malware, which can in turn introduce other threats to the enterprise. IcedID itself is a banking trojan that has evolved to become an entry point for more sophisticated threats, including human-operated ransomware. It connects to a command-and-control server and downloads additional implants and tools that allow attackers to perform hands-on-keyboard attacks, steal credentials, and move laterally across affected networks to delivering additional payloads.<\/p>\n
We continue to actively investigate this threat and work with partners to ensure that customers are protected. We have already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs.<\/p>\n
Microsoft 365 Defender<\/a> defends organizations by using advanced technologies informed by Microsoft Defender for Office 365<\/a> and backed by security experts. Microsoft 365 Defender correlates signals on malicious emails, URLs, and files to deliver coordinated defense against evasive threats, their payloads, and their spread across networks.<\/p>\n Microsoft Defender for Office 365 supports organizations throughout an attack\u2019s lifecycle, from prevention and detection to investigation, hunting, and remediation\u2013effectively protecting users through a coordinated defense framework.<\/p>\n Websites typically contain contact form pages as a way to allow site visitors to communicate with site owners, removing the necessity to reveal their email address to potential spammers.<\/p>\n However, in this campaign, we observed an influx of contact form emails targeted at enterprises by means of abusing companies\u2019 contact forms. This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections.<\/p>\n Figure 1. Sample contact form that attackers take advantage of by filling in malicious content, which gets delivered to the target enterprises<\/em><\/p>\n In this campaign, we tracked that the malicious email that arrives in the recipient\u2019s inbox from the contact form query appears trustworthy as it was sent from trusted email marketing systems, further confirming its legitimacy while evading detection. As the emails are originating from the recipient\u2019s own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry.<\/p>\n As attackers fill out and submit the web-based form, an email message is generated to the associated contact form recipient or targeted enterprise, containing the attacker-generated message. The message uses strong and urgent language (\u201cDownload it right now and check this out for yourself\u201d), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.<\/p>\n Figure 2. A sample email delivered via contact forms that contain malicious content added by attackers<\/em><\/p>\n Along with the fake legal threats written in the comments, the message content also includes a link to a sites.google.com<\/em> page to view the alleged stolen photos for the recipient to view.<\/p>\n Clicking the link brings the recipient to a Google page that requires them to sign in with their Google credentials. Because of this added authentication layer, detection technologies may fail in identifying the email as malicious altogether.<\/p>\n After the email recipient signs in, the sites.google.com<\/em> page automatically downloads a malicious ZIP file, which contains a heavily obfuscated .js file. The malicious .js file is executed via WScript to create a shell object for launching PowerShell to download the IcedID payload (a .dat file), which is decrypted by a dropped DLL loader, as well as a Cobalt Strike beacon in the form of a stageless DLL, allowing attackers to remotely control the compromised device.<\/p>\n The downloaded .dat file loads via the rundll32 executable. The rundll32 executable then launches numerous commands related to the following info-stealing capabilities:<\/p>\n The diagram in Figure 3 provides a broad illustration of how attackers carry out these malicious email campaigns, starting from identifying their targets\u2019 contact forms and ending with the IcedID malware payload.<\/p>\n Figure 3. Contact form attack chain results in the IcedID payload<\/em><\/p>\n We noted a primary and secondary attack chain under the execution and persistence stages. The primary attack chain follows an attack flow from downloading malicious .zip file from the sites.google.com<\/em> link, all the way to the IcedID payload. The secondary attack chain, on the other hand, appears to be a backup attack flow for when the sites.google.com<\/em> page in the primary attack chain has already been taken down.<\/p>\n In the secondary chain, users are redirected to a .top domain, while inadvertently accessing a Google User Content page, which downloads the malicious .ZIP file. Further analysis reveals that the forms contain malicious sites.google.com<\/em> links that download the IcedID malware.<\/p>\n When run, IcedID connects to a command-and-control server to download modules that run its primary function of capturing and exfiltrating banking credentials and other information. It achieves persistence via schedule tasks. It also downloads implants like Cobalt Strike and other tools, which allow remote attackers to run malicious activities on the compromised system, including collecting additional credentials, moving laterally, and delivering secondary payloads.<\/p>\n This campaign is not only successful because it takes advantage of legitimate contact form emails, but the message content also passes as something that recipients would expect to receive. This creates a high risk of attackers successfully delivering email to inboxes, thereby allowing for \u201csafe\u201d emails that would otherwise be filtered out into spam folders.<\/p>\n In the samples we found, attackers used legal threats as a scare tactic while claiming that the recipients allegedly used their images or illustrations without their consent, and that legal action will be taken against them. There is also a heightened sense of urgency in the email wording, with phrases such as \u201cyou could be sued,\u201d and \u201cit\u2019s not legal.\u201d It\u2019s a sly and devious approach since everything else about this email is authentic and legitimate.<\/p>\n We observed more emails sent by attackers on other contact forms that contain similar wording around legal threats. The messages consistently mention a copyright claim lure by a photographer, illustrator, or designer with the same urgency to click the sites.google.com<\/em> link.<\/p>\n Figure 4. Samples of contact form emails that use the photographer copyright lure with a sites.gooogle.com link<\/em><\/p>\n In a typical contact form, users are required to input their name, email address, and a message or comment. In the samples we obtained, attackers used fake names that start with \u201cMel,\u201d such as \u201cMelanie\u201d or \u201cMeleena,\u201d and used a standard format for their fake email addresses that include a portion of their fake name + words associated photography + three numbers. Some examples include:<\/p>\n As this research shows, adversaries remain motivated to find new ways to deliver malicious email to enterprises with the clear intent to evade detection. The scenarios we observed offer a serious glimpse into how sophisticated attackers\u2019 techniques have grown, while maintaining the goal of delivering dangerous malware payloads such as IcedID. Their use of submission forms is notable because the emails don\u2019t have the typical marks of malicious messages and are seemingly legitimate.<\/p>\n To protect customers from this highly evasive campaign, Microsoft Defender for Office 365<\/a> inspects the email body and URL for known patterns. Defender for Office 365 enables this by leveraging its deep visibility into email threats and advanced detection technologies powered by AI and machine learning, backed by Microsoft experts who constantly monitor the threat landscape for new attacker tools and techniques. Expert monitoring is especially critical in detecting this campaign given the delivery method and the nature of the malicious emails.<\/p>\n In addition, the protection delivered by Microsoft Defender for Office 365 is enriched by signals from other Microsoft 365 Defender services, which detect other components of this attack. For example, Microsoft Defender for Endpoint detects the IcedID payload and surfaces this intelligence across Microsoft 365 Defender. With its cross-domain optics, Microsoft 365 Defender correlates threat data on files, URLs, and emails to provide end-to-end visibility into attack chains. This allows us to trace detections of malware and malicious behavior to the delivery method, in this case, legitimate-looking emails, enabling us to build comprehensive and durable protections, even as attackers continue to tweak their campaigns to further evade detection.<\/p>\n By running custom queries using advanced hunting in Microsoft 365 Defender, customers can proactively locate threats related to this attack.<\/p>\n To locate emails that may be related to this activity, run the following query:<\/a><\/p>\n To find malicious downloads associated with this threat, run the following query:<\/a><\/p>\n As this attack abuses legitimate services, it\u2019s also important for customers to review mail flow rules<\/a> to check for broad exceptions, such those related to IP ranges and domain-level allow lists, that may be letting these emails through.<\/p>\n We also encourage customers to continuously build organizational resilience against email threats by educating users about identifying social engineering attacks and preventing malware infection. Use Attack simulation training<\/a> in Microsoft Defender for Office 365 to run attack scenarios, increase user awareness, and empower employees to recognize and report these attacks.<\/p>\n![](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/04\/Fig1-sample-contact-form.png\")
<\/p>\n![](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/04\/Figure-2_contactform_new.png\")
<\/p>\n\n
![](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/04\/Fig3-attack-chain.png\")
<\/p>\n![](\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/04\/Fig4-sample-emails.png\")
<\/p>\n\n
EmailUrlInfo
| where Url matches regex @\"\\bsites\\.google\\.com\\\/view\\\/(?:id)?\\d{9,}\\b\"
| join EmailEvents on NetworkMessageId
\/\/ Note: Replace the following subject lines with the one generated by your website's Contact submission form if no results return initially
| where Subject has_any('Contact Us', 'New Submission', 'Contact Form', 'Form submission')<\/code><\/p>\nDeviceFileEvents
| where InitiatingProcessFileName in~(\"msedge.exe\", \"chrome.exe\", \"explorer.exe\", \"7zFM.exe\", \"firefox.exe\", \"browser_broker.exe\")
| where FileOriginReferrerUrl has \".php\" and FileOriginReferrerUrl has \".top\" and FileOriginUrl has_any(\"googleusercontent\", \"google\", \"docs\")<\/code><\/p>\n