{
	"id": "6cbb4e34-584d-4ab2-b070-ff01df509839",
	"created_at": "2026-04-10T03:20:24.125655Z",
	"updated_at": "2026-04-10T03:22:17.071099Z",
	"deleted_at": null,
	"sha1_hash": "4cb348c40682bb1823bd537a62ee64666be9602f",
	"title": "Investigating a unique “form” of email delivery for IcedID malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 544208,
	"plain_text": "Investigating a unique “form” of email delivery for IcedID malware\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-04-09 · Archived: 2026-04-10 03:13:53 UTC\r\nMicrosoft threat analysts have been tracking activity where contact forms published on websites are abused to deliver\r\nmalicious links to enterprises using emails with fake legal threats. The emails instruct recipients to click a link to review\r\nsupposed evidence behind their allegations, but are instead led to the download of IcedID, an info-stealing malware.\r\nMicrosoft Defender for Office 365 detects and blocks these emails and protects organizations from this threat.\r\nIn this blog, we showcase our analysis on this unique attack and how the techniques behind it help attackers with their\r\nmalicious goals of finding new ways to infect systems. This threat is notable because:\r\n1. Attackers are abusing legitimate infrastructure, such as websites’ contact forms, to bypass protections, making this\r\nthreat highly evasive. In addition, attackers use legitimate URLs, in this case Google URLs that require targets to\r\nsign in with their Google credentials.\r\n2. The emails are being used to deliver the IcedID malware, which can be used for reconnaissance and data exfiltration,\r\nand can lead to additional malware payloads, including ransomware.\r\n3. This threat shows attackers are always on the hunt for attack paths for infiltrating networks, and they often target\r\nservices exposed to the internet. Organizations must ensure they have protections against such threats.\r\nWhile this specific campaign delivers the IcedID malware, the delivery method can be used to distribute a wide range of\r\nother malware, which can in turn introduce other threats to the enterprise. IcedID itself is a banking trojan that has evolved\r\nto become an entry point for more sophisticated threats, including human-operated ransomware. 
It connects to a command-and-control server and downloads additional implants and tools that allow attackers to perform hands-on-keyboard attacks,\r\nsteal credentials, and move laterally across affected networks to deliver additional payloads.\r\nWe continue to actively investigate this threat and work with partners to ensure that customers are protected. We have\r\nalready alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs.\r\nMicrosoft 365 Defender defends organizations by using advanced technologies informed by Microsoft Defender for Office\r\n365 and backed by security experts. Microsoft 365 Defender correlates signals on malicious emails, URLs, and files to\r\ndeliver coordinated defense against evasive threats, their payloads, and their spread across networks.\r\nMicrosoft Defender for Office 365 supports organizations throughout an attack’s lifecycle, from prevention and detection to\r\ninvestigation, hunting, and remediation, effectively protecting users through a coordinated defense framework.\r\nTracking malicious content in contact forms\r\nWebsites typically contain contact form pages as a way to allow site visitors to communicate with site owners, removing the\r\nnecessity to reveal their email address to potential spammers.\r\nHowever, in this campaign, we observed an influx of contact form emails targeted at enterprises by means of abusing\r\ncompanies’ contact forms. This indicates that attackers may have used a tool that automates this process while\r\ncircumventing CAPTCHA protections.\r\nhttps://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/\r\nPage 1 of 6\n\nFigure 1. 
Sample contact form that attackers take advantage of by filling in malicious content, which gets delivered to the\r\ntarget enterprises\r\nIn this campaign, we tracked that the malicious email that arrives in the recipient’s inbox from the contact form query\r\nappears trustworthy as it was sent from trusted email marketing systems, further confirming its legitimacy while evading\r\ndetection. As the emails are originating from the recipient’s own contact form on their website, the email templates match\r\nwhat they would expect from an actual customer interaction or inquiry.\r\nAs attackers fill out and submit the web-based form, an email message is generated to the associated contact form recipient\r\nor targeted enterprise, containing the attacker-generated message. The message uses strong and urgent language (“Download\r\nit right now and check this out for yourself”), and pressures the recipient to act immediately, ultimately compelling\r\nrecipients to click the links to avoid supposed legal action.\r\nFigure 2. A sample email delivered via contact forms that contain malicious content added by attackers\r\nAlong with the fake legal threats written in the comments, the message content also includes a link to a sites.google.com\r\npage where the recipient can view the alleged stolen photos.\r\nClicking the link brings the recipient to a Google page that requires them to sign in with their Google credentials. Because of\r\nthis added authentication layer, detection technologies may fail in identifying the email as malicious altogether.\r\nAfter the email recipient signs in, the sites.google.com page automatically downloads a malicious ZIP file, which contains a\r\nheavily obfuscated .js file. 
The malicious .js file is executed via WScript to create a shell object for launching PowerShell to\r\ndownload the IcedID payload (a .dat file), which is decrypted by a dropped DLL loader, as well as a Cobalt Strike beacon in\r\nthe form of a stageless DLL, allowing attackers to remotely control the compromised device.\r\nThe downloaded .dat file loads via the rundll32 executable. The rundll32 executable then launches numerous commands\r\nrelated to the following info-stealing capabilities:\r\nMachine discovery\r\nObtaining machine AV info\r\nGetting IP and system information\r\nDomain information\r\nDropping SQLite for accessing credentials stored in browser databases\r\nThe diagram in Figure 3 provides a broad illustration of how attackers carry out these malicious email campaigns, starting\r\nfrom identifying their targets’ contact forms and ending with the IcedID malware payload.\r\nFigure 3. Contact form attack chain results in the IcedID payload\r\nWe noted a primary and secondary attack chain under the execution and persistence stages. The primary attack chain follows\r\nan attack flow from downloading the malicious .zip file from the sites.google.com link, all the way to the IcedID payload. The\r\nsecondary attack chain, on the other hand, appears to be a backup attack flow for when the sites.google.com page in the\r\nprimary attack chain has already been taken down.\r\nIn the secondary chain, users are redirected to a .top domain, while inadvertently accessing a Google User Content page,\r\nwhich downloads the malicious .ZIP file. 
Further analysis reveals that the forms contain malicious sites.google.com links\r\nthat download the IcedID malware.\r\nWhen run, IcedID connects to a command-and-control server to download modules that run its primary function of\r\ncapturing and exfiltrating banking credentials and other information. It achieves persistence via scheduled tasks. It also\r\ndownloads implants like Cobalt Strike and other tools, which allow remote attackers to run malicious activities on the\r\ncompromised system, including collecting additional credentials, moving laterally, and delivering secondary payloads.\r\nThis campaign is not only successful because it takes advantage of legitimate contact form emails, but the message content\r\nalso passes as something that recipients would expect to receive. This creates a high risk of attackers successfully delivering\r\nemail to inboxes, letting through as “safe” emails that would otherwise be filtered out into spam folders.\r\nIn the samples we found, attackers used legal threats as a scare tactic while claiming that the recipients allegedly used their\r\nimages or illustrations without their consent, and that legal action will be taken against them. There is also a heightened\r\nsense of urgency in the email wording, with phrases such as “you could be sued,” and “it’s not legal.” It’s a sly and devious\r\napproach since everything else about this email is authentic and legitimate.\r\nWe observed more emails sent by attackers on other contact forms that contain similar wording around legal threats. The\r\nmessages consistently mention a copyright claim lure by a photographer, illustrator, or designer with the same urgency to\r\nclick the sites.google.com link.\r\nFigure 4. Samples of contact form emails that use the photographer copyright lure with a sites.google.com link\r\nIn a typical contact form, users are required to input their name, email address, and a message or comment. 
In the samples\r\nwe obtained, attackers used fake names that start with “Mel,” such as “Melanie” or “Meleena,” and used a standard format\r\nfor their fake email addresses that includes a portion of their fake name + words associated with photography + three numbers.\r\nSome examples include:\r\nmphotographer550@yahoo.com\r\nmephotographer890@hotmail.com\r\nmgallery487@yahoo.com\r\nmephoto224@hotmail.com\r\nmegallery736@aol.com\r\nmshot373@yahoo.com\r\nDefending against sophisticated attacks through coordinated defense\r\nAs this research shows, adversaries remain motivated to find new ways to deliver malicious email to enterprises with the\r\nclear intent to evade detection. The scenarios we observed offer a serious glimpse into how sophisticated attackers’\r\ntechniques have grown, while maintaining the goal of delivering dangerous malware payloads such as IcedID. Their use of\r\nsubmission forms is notable because the emails don’t have the typical marks of malicious messages and are seemingly\r\nlegitimate.\r\nTo protect customers from this highly evasive campaign, Microsoft Defender for Office 365 inspects the email body and\r\nURL for known patterns. Defender for Office 365 enables this by leveraging its deep visibility into email threats and\r\nadvanced detection technologies powered by AI and machine learning, backed by Microsoft experts who constantly monitor\r\nthe threat landscape for new attacker tools and techniques. Expert monitoring is especially critical in detecting this campaign\r\ngiven the delivery method and the nature of the malicious emails.\r\nIn addition, the protection delivered by Microsoft Defender for Office 365 is enriched by signals from other Microsoft 365\r\nDefender services, which detect other components of this attack. 
For example, Microsoft Defender for Endpoint detects the\r\nIcedID payload and surfaces this intelligence across Microsoft 365 Defender. With its cross-domain optics, Microsoft 365\r\nDefender correlates threat data on files, URLs, and emails to provide end-to-end visibility into attack chains. This allows us\r\nto trace detections of malware and malicious behavior to the delivery method, in this case, legitimate-looking emails,\r\nenabling us to build comprehensive and durable protections, even as attackers continue to tweak their campaigns to further\r\nevade detection.\r\nBy running custom queries using advanced hunting in Microsoft 365 Defender, customers can proactively locate threats\r\nrelated to this attack.\r\nTo locate emails that may be related to this activity, run the following query:\r\nEmailUrlInfo\r\n| where Url matches regex @\"\\bsites\\.google\\.com\\/view\\/(?:id)?\\d{9,}\\b\"\r\n| join EmailEvents on NetworkMessageId\r\n// Note: Replace the following subject lines with the one generated by your website's Contact submission form if no results return initially\r\n| where Subject has_any('Contact Us', 'New Submission', 'Contact Form', 'Form submission')\r\nTo find malicious downloads associated with this threat, run the following query:\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName in~ (\"msedge.exe\", \"chrome.exe\", \"explorer.exe\", \"7zFM.exe\", \"firefox.exe\", \"browser_broker.exe\")\r\n| where FileOriginReferrerUrl has \".php\" and FileOriginReferrerUrl has \".top\" and FileOriginUrl has_any(\"googleusercontent\", \"goo\r\nAs this attack abuses legitimate services, it’s also important for customers to review mail flow rules to check for broad\r\nexceptions, such as those related to IP ranges and domain-level allow lists, that may be letting these emails through.\r\nWe also encourage customers to continuously build organizational resilience against email threats by educating users about\r\nidentifying social engineering attacks and preventing 
malware infection. Use Attack simulation training in Microsoft\r\nDefender for Office 365 to run attack scenarios, increase user awareness, and empower employees to recognize and report\r\nthese attacks.\r\nEmily Hacker with Justin Carroll\r\nMicrosoft 365 Defender Threat Intelligence Team\r\nAdditional resources\r\nListen to Episode 28 of the Security Unlocked podcast, Contact Us; Phish You!, where threat analyst Emily Hacker speaks\r\nabout this new form of phishing email delivery\r\nSource: https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/"
	],
	"report_names": [
		"investigating-a-unique-form-of-email-delivery-for-icedid-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791224,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4cb348c40682bb1823bd537a62ee64666be9602f.pdf",
		"text": "https://archive.orkl.eu/4cb348c40682bb1823bd537a62ee64666be9602f.txt",
		"img": "https://archive.orkl.eu/4cb348c40682bb1823bd537a62ee64666be9602f.jpg"
	}
}