Lead Researchers: James Dyer and Louis Tiley
Between Could 5 and Could 7, 2025, KnowBe4 Risk Lab recognized a phishing marketing campaign originating from accounts created on the legit service ‘EUSurvey’.
Though this was a centered marketing campaign, on a smaller-scale to others recognized by the group, it employed a mixture of refined strategies value highlighting.
This assault demonstrates how phishing emails that seem to originate from official our bodies, such because the EU, can create a false sense of recipient belief. This perceived legitimacy not solely lowers the recipient’s guard but in addition will increase the chance of interplay.
EUSurvey Assault Overview
All assaults in these campaigns had been recognized and neutralized by KnowBe4 Defend and analyzed by our Risk Labs group.
Vector and sort: E mail phishing
Main strategies: Social engineering, polymorphic hyperlinks and payloads smuggling
Targets: International
Platform: Microsoft 365
Bypassed native and SEG detection: Sure
EUSurvey is a legit platform that enables each EU and non-EU establishments to simply create and personalize surveys. On this marketing campaign, the attacker(s) embedded a malicious payload inside a survey notification e-mail. As a result of the e-mail originated from a legit area, it was capable of bypass commonplace e-mail authentication protocols similar to SPF, DKIM, and DMARC as defined under.
Utilizing polymorphic hyperlinks to obfuscate the payload, the recipient is directed to a credential harvesting web site, the place attackers try to steal their login credentials and achieve unauthorized entry to delicate programs or information.
EUSurvey Phishing Assault Instance: A Phishing E mail in Two Halves
First Half: The Malicious Polymorphic Payload
As famous, cybercriminals created an account on EUSurvey, which enabled them to ship their phishing e-mail utilizing the legit area ‘EU-EUSURVEY@nomail.ec.europa.eu’. This allowed the assault to bypass conventional e-mail authentication protocols like SPF, DKIM, and DMARC, as these protocols primarily confirm the sender’s authorization and the e-mail’s integrity in transit.
As a result of the e-mail originated from a legitimately licensed server and wasn’t altered throughout supply, these checks handed, making it simpler for the assault to evade preliminary detection by native safety and safe e-mail gateways (SEGs). Whereas the legit service’s excessive area fame may need additional contributed to the e-mail’s bypass of conventional detection programs, it is vital to notice that area fame is not a direct part of those conventional authentication protocols themselves.
Within the screenshot under, you possibly can see the highest half of the phishing e-mail—that is the malicious portion, the place the attacker has smuggled in a polymorphic hyperlink. As a result of every e-mail accommodates a singular URL, this polymorphic design makes the assault considerably more durable for conventional safety options, similar to SEGs, to detect. SEGs sometimes depend on fame and signature-based detection, which depend upon figuring out recognized malicious hyperlinks listed on blocklists. Nevertheless, with polymorphic hyperlinks, blocking one URL has little impact, as a brand new, distinctive hyperlink is used within the subsequent e-mail.
Screenshot of the EUSurvey phishing e-mail with KnowBe4 Defend anti-phishing banners utilized
The attacker makes use of social engineering by referencing “INV REMIT,” within the physique of the e-mail—a time period generally related to “bill remittance,” to recommend the e-mail is monetary in nature. By encouraging the recipient to click on the hyperlink to view the main points of this supposed remittance, the attacker will increase the chance of engagement since messages involving funds or monetary paperwork are inclined to immediate faster consideration and motion—particularly in the event that they appear like they’re from an EU establishment.
Second Half: The Hidden Professional Physique Textual content
Nevertheless, there’s a second half to the assault. As this payload has been smuggled via a legit service, the unique textual content nonetheless exists inside the e-mail—it has simply been colored white towards a white background. The subsequent screenshot reveals what the recipient would see in the event that they had been to scroll down (on the left) versus what they might see in the event that they scrolled down and highlighted the white house (on the fitting).
Aspect-by-side screenshots of the legit a part of the phishing e-mail with hidden white textual content and bonafide EUSurvey hyperlink
The attacker altered the textual content colour to make among the legit content material much less seen at first look. This tactic reduces the chance that recipients would discover a number of survey invites or hyperlinks which might increase suspicion.
Nevertheless, they had been unable to vary the colour of the legit EUSurvey hyperlink, as it’s formatted as a normal hyperlink and stays clearly seen. This hyperlink results in a primary suggestions survey, which may help the phishing e-mail bypass conventional detection instruments, as much less refined hyperlink scanners could solely detect the benign survey hyperlink and classify the message as non-malicious.
Screenshot of the legit EUsurvey web site linked within the second half of the phishing e-mail
The Second Step of the Assault: Verification and Credential Harvesting to Bypass Hyperlink Scanning Know-how
If the recipient clicks on the malicious hyperlink on the high of the e-mail, they’re taken to a pretend verification web page. Functioning like a pseudo-captcha, this middleman step is designed to obscure the ultimate vacation spot from hyperlink scanning instruments. By requiring person interplay, it prevents many detection instruments from reaching the precise credential harvesting web site, which means it’s much less more likely to be flagged as suspicious.
The final word aim of the assault was to reap credentials. Recipients had been directed to a malicious web site and inspired to enter their particulars. These credential harvesting websites have since been blocked to forestall additional compromise.
Screenshot of the pretend verification web site the place the recipient must enter a code
Detecting Superior Phishing Threats
Whereas this wasn’t essentially the most widespread assault, with clear flaws—as a result of lack of ability to completely masks the unique legit hyperlink—using a revered web site affiliated with the EU reveals how cybercriminals are pivoting their assaults throughout legit platforms. This assault additionally matches right into a rising development the place risk actors ship phishing emails via legit companies similar to AppSheet, Microsoft, Google, QuickBooks, and Telegram.
Mixed with polymorphic hyperlinks and payload smuggling, this marketing campaign demonstrates a reasonably refined method designed to bypass detection applied sciences generally utilized in Microsoft 365 and safe e-mail gateways (SEGs). Consequently, many organizations are turning to Built-in Cloud E mail Safety merchandise (similar to KnowBe4 Defend) that leverage AI to detect superior phishing threats and forestall workers from interacting with malicious hyperlinks and attachments. Moreover, threat-based consciousness and coaching, together with flipping actual phishing emails into coaching simulations (e.g. through KnowBe4 PhishER), educates workers on the phishing assaults they’re almost certainly to face.
