Inception Cyber | INTENT-BASED SECURITY Blogs

SurveyTraps: Dissecting the SurveyMonkey Phishing Surge

Written by Kalpesh Mantri, Principal Research Engineer | Jul 3, 2025 5:52:32 PM


Quick Read

Phishing Method: Attackers are abusing the SurveyMonkey platform—widely trusted in corporate environments—to send phishing emails that redirect users to credential-stealing pages.

Technique & Tactic: Emails use themes like secure voicemail or invoice alerts to lure users. SurveyMonkey is used to host redirector surveys, which then lead to fake Microsoft login pages.

Evasion Techniques: Phishing emails are sent from legitimate @surveymonkeyuser.com domains, passing SPF, DKIM, and DMARC checks.

Detection Status: No URL engine detected the survey URL: 0 out of 97 VirusTotal engines classified it as malicious. Very few URL engines on VirusTotal classified the landing phishing page as malicious; most landing pages had between 0 and 3 hits out of 94 engines.

Deployment: NACE™ deployed behind Microsoft 365 Security.


Introduction

The Inception Cyber team has been reporting on a rising wave of in-the-wild phishing campaigns that increasingly abuse legitimate SaaS services to bypass traditional security controls. Following earlier abuse trends involving e-signature platforms like DocuSign and Adobe Sign, and popular form builders such as Jotform and hForm, we are now tracking a significant uptick in phishing actors exploiting SurveyMonkey, a widely used survey platform. Over the past few months, we have observed a steady surge in credential harvesting campaigns leveraging SurveyMonkey’s trusted infrastructure, evading detection with pristine sender reputations, valid DKIM signatures, and domain legitimacy.

Why this matters!

SurveyMonkey is deeply integrated into procurement, HR, and customer-success workflows across Fortune 500 organizations. A single compromised survey invite can easily masquerade as a compliance check-in, a performance review, or a vendor assessment—tricking even vigilant employees. Left unaddressed, this abuse vector poses a serious threat to enterprise supply chains and internal systems.

In this blog, we break down the anatomy of this evolving campaign, reveal subtle indicators often overlooked by mainstream detections, and offer concrete defensive strategies to stop these abuses at the root.

Case Study: Abuse of SurveyMonkey in Phishing Campaigns

The misuse of SurveyMonkey for credential phishing is not a new phenomenon—it has been a recurring tactic among various threat actors since at least 2020. However, over the past few months, the Inception Cyber team has observed a significant resurgence in this technique, with a noticeable uptick in credential phishing attempts targeting our customers. This spike triggered a deeper investigation into how attackers are leveraging the SurveyMonkey platform in 2025 to orchestrate sophisticated phishing campaigns that are bypassing conventional email security controls.

In the latest wave of activity, attackers are deploying multiple email lures, with the most prominent being fake secure voicemail alerts. These emails inform the recipient that they’ve received a protected voice message and urge them to review it urgently. Other recurring themes include pending invoices, account statement notifications, and more. The goal of each is to create a sense of urgency and legitimacy, prompting users to click the embedded call-to-action (CTA) URL that leads directly to a hosted SurveyMonkey page.

Image: Example of themed phishing emails redirecting to SurveyMonkey

How Attackers Orchestrate the Campaign

Phishers begin by registering free SurveyMonkey accounts using burner email addresses or domains—typically newly registered and short-lived. They craft surveys that align with the chosen lure, embedding malicious redirect links within seemingly harmless questions or confirmation prompts. Some common bait themes include:

  • “You have received a secure voicemail”
  • “Action required: Outstanding invoice”
  • “Mandatory HR compliance acknowledgment”
  • “IT Security Policy Review / Login Confirmation”

Once the survey is built, attackers exploit SurveyMonkey’s built-in email invitation feature to distribute phishing emails. These emails are sent from legitimate SurveyMonkey domains such as @surveymonkeyuser.com, allowing them to pass SPF, DKIM, and DMARC validation effortlessly—making them highly evasive for secure email gateways (SEGs). The Reply-To headers, however, often point to attacker-controlled burner domains, offering one of the few subtle forensic flags.

Image: InceptionCyber’s dashboard showcasing campaign hits

From Survey to Credential Theft

The SurveyMonkey pages themselves are designed to mirror the theme of the email lure and serve as stepping stones to the actual phishing payload. When a user clicks on the CTA within the survey, they are silently redirected to a phishing page hosted on Microsoft Forms or another trusted service. These pages are crafted to look like legitimate Office 365 login portals, often under the guise of verifying identity before accessing sensitive information.

Image: SurveyMonkey-hosted form acting as a redirector

Critically, these phishing pages are often fronted by CAPTCHA protection, ensuring automated crawlers or security scanners are blocked—while real users proceed unhindered. Once credentials are submitted, they are instantly harvested, allowing attackers access to enterprise email, documents, and other cloud services.

Static analysis of the URLs revealed that they are highly effective at evading detection, with nearly all URL scanning engines on VirusTotal failing to flag them as malicious.

Image: VirusTotal hits on URL

INTENT-BASED THREAT PREVENTION™

Inception Cyber’s NACE™ INTENT-BASED THREAT PREVENTION™ Platform neutralized this attack by correlating header artifacts with semantic analysis in real time. Rather than relying on static URL checks or blocklists, NACE™ applies semantic and thematic analysis to every message, extracting higher-order feature tags that remain stable even when the adversary rotates domains or payloads.

Key features included:

  • Header anomalies: Analysis of email headers revealed critical signs, such as the message originating from a survey-related domain. Additionally, there was a mismatch between the From and Reply-To addresses—an often-overlooked signal of impersonation or redirection.
  • Fresh infrastructure identification: The Reply-To domain was identified as recently registered, a strong indicator of a disposable or burner domain commonly used in short-lived phishing campaigns.
  • Intent analysis: The subject and message body were identified as voicemail-themed and designed to prompt user engagement. Further analysis of the call to action revealed that the embedded links redirected recipients to a survey platform.

By fusing these features, NACE™ produced a high-confidence verdict and quarantined the email before it reached end users—demonstrating the value of contextual, multi-layer analysis over single-point IOC checks.
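As an added, defender-side illustration of fusing the three signal groups listed above (and of the From/Reply-To mismatch noted in the orchestration section), the following Python script is example code written for this post; it is not part of Inception Cyber’s or NACE’s software. It parses a raw message, extracts the From and Reply-To domains, checks the Reply-To domain’s age against a constructed registration table standing in for a WHOIS/RDAP lookup, matches the lure theme in the subject and body, and checks where the call-to-action URL lands. The sample messages, addresses, signal weights and the threshold of 7 are all assumptions.

```python
"""Heuristic triage of survey-platform phishing lures (added example, not NACE's code).
Scores a raw message on the post's signals: survey-platform sender, From/Reply-To
mismatch, freshly registered Reply-To domain, lure theme, survey-platform call to
action. Messages, addresses and registration dates are constructed."""
import re
from dataclasses import dataclass, field
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lure: platform sender, fresh Reply-To domain, voicemail theme.
LURE_EMAIL = """\
From: "Voicemail Service" <member@surveymonkeyuser.com>
Reply-To: support@vm-notice-example.com
Subject: You have received a secure voicemail
Content-Type: text/plain; charset=utf-8

A new protected voice message (0:47) is waiting for you.
Review it now: https://www.surveymonkey.com/r/EXAMPLE123
"""

# Constructed ordinary invite: same platform sender, established organisation Reply-To.
BENIGN_INVITE = """\
From: "HR Team via SurveyMonkey" <member@surveymonkeyuser.com>
Reply-To: hr@corp.example
Subject: Quarterly employee engagement survey
Content-Type: text/plain; charset=utf-8

Please take five minutes to complete this quarter's survey:
https://www.surveymonkey.com/r/EXAMPLE456
"""

SURVEY_PLATFORM_DOMAINS = {"surveymonkeyuser.com", "surveymonkey.com"}
THEME_PHRASES = {
    "voicemail": ("voicemail", "voice message"),
    "invoice": ("outstanding invoice", "account statement", "payment due"),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ANALYSIS_DATE = date(2025, 7, 3)  # the post's date, used as "today"
# Constructed registration dates standing in for a WHOIS/RDAP lookup.
REGISTRATION_DATES = {
    "surveymonkeyuser.com": date(2010, 1, 1),
    "vm-notice-example.com": date(2025, 6, 20),
}


@dataclass
class Verdict:
    score: int = 0
    signals: list = field(default_factory=list)

    def add(self, weight: int, reason: str) -> None:
        self.score += weight
        self.signals.append(reason)


def address_domain(header_value: str) -> str:
    """Lower-cased domain of the address in a header (no public-suffix handling)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def domain_age_days(domain: str, today: date):
    """Days since registration, or None when the domain is not in the lookup table."""
    registered = REGISTRATION_DATES.get(domain)
    return (today - registered).days if registered else None


def triage(raw: str, today: date = ANALYSIS_DATE) -> Verdict:
    msg = message_from_string(raw)
    v = Verdict()
    from_dom = address_domain(msg.get("From", ""))
    reply_dom = address_domain(msg.get("Reply-To", ""))
    # Header anomalies: survey-platform sender and From/Reply-To mismatch.
    if from_dom in SURVEY_PLATFORM_DOMAINS:
        v.add(2, f"sender is a survey-platform domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        v.add(2, f"From/Reply-To mismatch: {from_dom} vs {reply_dom}")
        age = domain_age_days(reply_dom, today)
        if age is not None and age < 30:  # fresh infrastructure
            v.add(3, f"Reply-To domain registered {age} days ago")
    # Intent analysis: lure theme, and where the call to action leads.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    text = f"{msg.get('Subject', '')}\n{body}"
    for theme, phrases in THEME_PHRASES.items():
        if any(p in text.lower() for p in phrases):
            v.add(1, f"lure theme: {theme}")
            break
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in SURVEY_PLATFORM_DOMAINS):
            v.add(2, f"call to action lands on a survey platform: {host}")
            break
    return v


def is_suspicious(raw: str, threshold: int = 7, today: date = ANALYSIS_DATE) -> bool:
    """Quarantine candidate once the fused signals reach the threshold."""
    return triage(raw, today).score >= threshold
```

Running `triage(LURE_EMAIL)` yields five signals and a score of 10, while the ordinary invite scores 6 and stays below the threshold. The weighting is deliberate: a genuine SurveyMonkey invite also carries a From/Reply-To mismatch (the Reply-To is the survey creator’s own organisation), so that signal alone must not quarantine mail; it is the combination with a days-old Reply-To domain and a voicemail theme that tips the verdict, which is the fusion the post describes. In production the registration table would be replaced by a real WHOIS/RDAP lookup and the body decoding would need multipart handling.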


Conclusion

This campaign underscores the evolving sophistication of phishing tactics, where legitimate platforms like SurveyMonkey are repurposed to bypass traditional security filters and exploit user trust. By combining thematic deception with clean infrastructure, attackers effectively evade static defenses. However, approaches that leverage semantic, contextual analysis offer a powerful countermeasure. Defenders must shift focus from surface-level IOCs to deeper, intent-based signals to stay ahead of these service-abuse campaigns. Proactive detection, infrastructure profiling, and cross-layer analysis are no longer optional—they’re essential.

NACE™ is an INTENT-BASED THREAT PREVENTION™ Platform that does not depend on the final landing page for deriving its verdict. Instead, it leverages semantic and thematic analysis to understand the underlying intent of an email. By analyzing the contextual relationships between intent, auxiliary signals from URLs, and SMTP headers, NACE™ proactively detects phishing attempts and malicious call-to-action vectors—often before users engage or the payload is delivered.

Stay vigilant, stay secure.

Learn more about how NACE™ protects against phishing and malicious URLs, whether created by human threat actors or powered by AI, here.