Microsoft has warned of a new campaign utilizing legitimate website contact forms to target victims with URLs that ultimately deliver a banking Trojan. The attack campaign is delivering the IcedID banking Trojan to businesses via emails containing fake legal threats, creating a sense of urgency and luring victims into clicking malicious links. The campaign consists of attackers targeting businesses by abusing their legitimate corporate contact forms. The campaign has been observed to bypass CAPTCHA protection.
The contact form submission then leads to a malicious email being delivered into the recipient’s mailbox, which appears legitimate due to the fact that it originates from the same email marketing system typically used to spread information to the company employees. The attackers included a legitimate Google URL into the phishing campaign, bringing the reader to a Google page that requires logging in with Google credentials. However, a malicious ZIP file is downloaded instead.
Read More: Microsoft Warns of Malware Delivery via Google URLs