Cyber attackers are using contact forms published on legitimate websites to deliver IcedID malware to organizations via emails with fake legal threats.

The emails attempt to manipulate recipients into clicking a link to review the supposed evidence behind the allegations; instead, the link downloads the IcedID malware.

First discovered in 2017, IcedID is a modular banking trojan that was updated to deploy second-stage malware payloads, including Trickbot, Qakbot, and Ryuk ransomware. After infecting a device, it can be used to download additional modules, steal credentials and financial information, and move across the victims’ networks to deploy more payloads and infect more computers.

Detected by Microsoft’s 365 Defender Threat Intelligence Team, this phishing campaign seems to have found a way to bypass contact forms’ CAPTCHA protection to flood organizations with fraudulent messages.

Attackers are abusing legitimate infrastructure, such as websites’ contact forms, to bypass protections, making this threat highly evasive. In addition, attackers use legitimate URLs, in this case Google URLs that require targets to sign in with their Google credentials.
The emails are being used to deliver the IcedID malware, which can be used for reconnaissance and data exfiltration, and can lead to additional malware payloads, including ransomware.


Because they are sent from trusted email marketing systems, the malicious emails arrive in the recipient’s inbox as contact form queries. The messages originate from the recipient’s own website contact form, so they appear to come from an actual customer interaction or inquiry.

With this phishing method, attackers can outflank the targeted organization’s secure email gateways, significantly increasing the chances of these messages landing in the user’s inbox instead of getting flagged and sent to the spam folder.

IcedID malware contact form

Source: Microsoft.com

To pressure targets into clicking embedded links, the hackers threaten them with legal action for copyright infringement and then direct them to IcedID payloads. When they go to review the attackers’ “evidence”, recipients are redirected to a sites.google.com page used to deliver the IcedID malware.

The targets are then asked to log in using their Google credentials to see the content. After they log in, an archive containing a heavily obfuscated .js-based downloader is downloaded to their computers.

Ultimately, WScript and PowerShell are launched to download the IcedID malware payload and a Cobalt Strike beacon on the compromised device.

In case the sites.google.com page is not available, the attackers implemented a secondary attack chain that redirects users to a .top domain, where they unintentionally access a Google User Content page that downloads the malicious .ZIP file.

IcedID malware attack chain

Source: Microsoft.com
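The lure traits described above (legal-threat wording combined with a link to sites.google.com or a .top domain) can be checked on contact-form submissions before they are forwarded to staff. The following is an added example, not code from Microsoft or from this article; the verdict names, the term list and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Lure traits described in the article. The term list is illustrative.
THREAT_TERMS = ("copyright", "infringement", "legal action")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def extract_hosts(text):
    """Return the lowercase hostname of every http(s) URL in the text."""
    hosts = []
    for url in URL_RE.findall(text):
        try:
            host = urlparse(url).hostname
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        if host:
            hosts.append(host.rstrip("."))
    return hosts

def triage(message):
    """Return (verdict, reasons) for one contact-form message body."""
    hosts = extract_hosts(message)
    threat = any(term in message.lower() for term in THREAT_TERMS)
    links = []
    if "sites.google.com" in hosts:  # exact host match, not a substring
        links.append("link to sites.google.com")
    if any(h.endswith(".top") for h in hosts):
        links.append("link to a .top domain")
    reasons = (["legal-threat language"] if threat else []) + links
    if threat and links:
        return "quarantine", reasons  # both lure traits together
    if threat or links:
        return "review", reasons      # one trait alone is common in real mail
    return "deliver", reasons

# Constructed sample submissions (hostnames and paths are placeholders).
SAMPLES = [
    "Your site uses my images. This is copyright infringement and I will "
    "take legal action. Evidence: https://sites.google.com/view/placeholder/home",
    "Can you quote 20 seats? Brief: https://sites.google.com/view/placeholder-brief",
    "What are your opening hours on Saturday?",
    "You violated my copyright. Proof: http://files.placeholder-host.top/report",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(triage(body)[0], "|", body[:60])
```

A single trait only raises a review flag because legitimate inquiries also link to Google Sites or mention copyright; the combination is what matches the campaign described here.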

This threat shows attackers are always on the hunt for attack paths for infiltrating networks, and they often target services exposed to the internet. Organizations must ensure they have protections against such threats.


Since the infrastructure of the Emotet botnet was taken down in January, IcedID malicious activity has increased, filling the gap left behind by Emotet.
