Lead Analysts: Lucy Gee and James Dyer
Cybercriminals want their payday. Unfortunately for the targets of phishing (and the organizations they work for) that means they’re constantly refining their tactics to create more sophisticated attacks that are harder to detect – by both email security products and people.
Impersonation attacks enable cybercriminals to leverage the trusted relationships and – often – authority of people and brands that the recipient knows and trusts.
Business email compromise, for example, is one of the most effective methods for leveling up a phishing attack. Here, cybercriminals use a compromised legitimate email account to send phishing emails either to contacts that are unaffiliated with the sending address (e.g. contact lists they’ve obtained online) or – more effectively – to known contacts within the supply chain. The use of compromised accounts to send phishing emails enables them to:
- Pass email authentication, such as DMARC: Authentication checks are a key mechanism that native security and secure email gateways (SEGs) rely on to detect malicious emails. Phishing attacks sent from legitimate domains will “trick” the authentication mechanisms into considering them safe.
- Remove key signs of phishing: As the display name and email address will match, people can’t rely on looking for a mismatch to uncover an impersonation attack. Additionally, the email address will follow typical business format (e.g. first name ‘.’ surname) and come from an organization’s correct domain, again removing signs of an attack, such as unusually long email addresses and lookalike domains.
- Socially engineer the target: Where there isn’t a pre-existing relationship with the sending address, people may still be taken in by a well-constructed attack, believing this contact is establishing a new interaction. This ramps up considerably with a pre-existing relationship as, previously, the target has had no reason not to trust the sender’s address.
These factors combine to increase the success rates of phishing attacks – and cybercriminals know it! Over half (59.1%) of attacks detected by KnowBe4 Defend in 2025 have been sent from compromised accounts. That’s a 34.9% increase compared with 2024.
Now, unfortunately, cybercriminals have evolved their attacks further. Rather than just business email compromise, here we’re talking about entire business compromise, which offers broader, faster and more credible access.
Our Threat Lab team has observed an increase in a new and more efficient attack method – and one that doesn’t require any account compromise at all.
An Emerging Phishing Attack: Hijacking Legitimate Web Forms
Since September 11th, 2025, our Threat Lab team has observed an emerging attack in which cybercriminals exploit companies through their Contact Us or Book Appointment forms, which are readily available on most websites. These forms allow users to enter their email address and a custom message, typically triggering an automated email response from the organization.
However, it’s also relatively easy for attackers to utilize these forms to launch phishing campaigns by:
- Creating a new “onmicrosoft” domain using the display name they wish to impersonate and any contact details they want to use in the attack (e.g. a phone number)
- Setting up mailflow rules to auto-forward any emails – such as “Contact Us” auto-confirmation emails – to a distribution list of targets
- Completing the online form with their “onmicrosoft” email address, plus any other contact details they want the target to use and a message
Our research indicates that this technique is primarily exploiting web forms in the legal, banking, healthcare and insurance sectors.
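The three steps above only work because the form owner echoes whatever was typed into the Name and Message fields straight into the confirmation email. As an added example (not code from the KnowBe4 post, and not any vendor's product), here is a Python check a form owner could run on a submission before rendering the confirmation: it flags phone numbers, currency amounts or URLs smuggled into fields where they do not belong, treats a submitter address on a free `onmicrosoft.com` tenant as a heuristic indicator, and never reflects the free-text message back to the sender. The sample submissions are constructed.

```python
import re
from html import escape

# Patterns for content that should not appear in a name or message field.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
MONEY_RE = re.compile(r"[$\u20ac\u00a3]\s?\d[\d,]*(?:\.\d{2})?")
URL_RE = re.compile(r"https?://|www\.", re.I)


def find_injected_content(fields: dict) -> list:
    """Return (field, reason) pairs for values that look like smuggled contact
    details or a fraud pretext rather than a genuine name or message."""
    findings = []
    for name, value in fields.items():
        if name == "phone":
            continue  # the one field where a phone number legitimately belongs
        if PHONE_RE.search(value):
            findings.append((name, "phone number"))
        if MONEY_RE.search(value):
            findings.append((name, "currency amount"))
        if URL_RE.search(value):
            findings.append((name, "url"))
    if re.search(r"\d", fields.get("name", "")):
        findings.append(("name", "digits in name"))
    # Heuristic (assumption): free Microsoft tenant domains are rarely used by
    # genuine customers and are what the post describes attackers setting up.
    if fields.get("email", "").lower().endswith(".onmicrosoft.com"):
        findings.append(("email", "free tenant domain"))
    return findings


def render_confirmation(fields: dict):
    """Build the confirmation body, or return None (send nothing) when the
    submission looks injected. The message field is deliberately not echoed."""
    if find_injected_content(fields):
        return None
    return (
        f"Hello {escape(fields['name'])},\n\n"
        "Thank you for your appointment request. A representative will contact "
        "you using the details published on our website.\n"
    )


# Constructed sample submissions for a quick self-check.
GOOD = {"name": "Jane Doe", "email": "jane@example.com",
        "phone": "+1 555 010 0199", "message": "Can we meet on Tuesday?"}
BAD = {"name": "PayPal Fraud Dept 1-800-555-0199",
       "email": "alerts@contoso.onmicrosoft.com", "phone": "1-800-555-0199",
       "message": "Unusual activity: a charge of $724.46. Call 1-800-555-0199."}
```

Rejected submissions should be logged and reviewed rather than silently dropped, since the same check will occasionally catch a genuine customer who typed a phone number into the wrong box.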
Read on for more detail and an example of how these attacks play out.
Phishing Attack Summary
Vector and type: Email phishing
Techniques: Technical, brand impersonation and mobile-focused
Targets: Microsoft 365 users
How Cybercriminals Use “Contact Us” Forms to Phish an Organization
Prior to sending the phishing email to their targets, the attacker creates a free “onmicrosoft” account. For security reasons, we have blurred this in the example below; however, we have left the domain visible:

A free account a cybercriminal has set up using “onmicrosoft”.
While setting up the account, the attacker also populates the display name for their impersonation – in the example we’re analyzing here, the cybercriminal used PayPal to link to a pretext of financial fraud (which we examine in more detail below). The cybercriminal also added a phone number, which in this case, is the payload for the attack.
Once the account set-up is complete, the cybercriminal then creates a mailflow rule that auto-forwards all inbound emails to a distribution list they have populated. This list will often contain thousands of recipients, who are targets for the attack.
Next, the cybercriminal will find the legitimate online form(s) they want to use via a company’s real website. In the example analyzed below, they have chosen a National Bank of Canada form that enables them to request an appointment.
Below is the automated email that was triggered when the cybercriminal completed the form and was subsequently auto-forwarded to the distribution list within the “onmicrosoft” account.
As the email is sent by an automated system used by National Bank of Canada, the “From” address is completely legitimate and all hyperlinks come from National Bank of Canada. Consequently, it passes authentication checks, such as DMARC, that are relied on by secure email gateways (SEGs) and Microsoft. What’s more, these factors, plus the stylized HTML formatting, can also influence the recipient into believing this is a legitimate (and therefore safe) email.

Phishing email that hijacks a legitimate automated email from National Bank of Canada, with KnowBe4 Defend anti-phishing banners applied.
The form the attacker completed allowed them to request an appointment with one of the bank’s representatives. Consequently, the automated email has a calendar event inserted into it alongside templated text that follows the typical structure of an appointment confirmation, such as the date and time of the meeting, and the bank representative’s details.
When completing the form, the attacker used the available fields to add a pretext and their payload, which in this case is a phone number.
The Pretext: The message details “unusual activity” on the target’s account, amounting to a transaction of $724.46 via PayPal. The amount – which is mentioned twice for double the effect – is significant enough to draw the recipient’s attention and potentially cause them to panic about lost funds.
When completing the form, the cybercriminal used the following in the “Name” field:

The content used by the cybercriminal in the “Name” field on the online form, which helps create the pretext for their attack.
The form also allowed them to add a message, which is also auto-populated within the confirmation email. Again, the cybercriminal uses this to further their pretext of financial fraud:
Further pretext information added to the online form by the cybercriminal to socially engineer their victim.
The Payload: The cybercriminal has used the “Name”, “Phone Number” and “Message” fields on the online form to insert a phone number that the recipient can use to, supposedly, contact the bank. The template used for the automated response is set to populate this information throughout the confirmation email.

Contact information supplied by the cybercriminal when completing the form, which is auto-populated through the confirmation email. The phone number acts as the payload in this attack.
This number is offered as a way to manage the appointment and to contact the bank about the fraudulent charge. By continuing the attack over the phone, the cybercriminal can exploit a recipient’s heightened emotion to manipulate them further to extract more information from them, such as personal and financial details that can be used for actual fraud.
Detecting an Emerging Phishing Attack Campaign
Unfortunately, any organization that has a web form on its site is vulnerable to that form being exploited in this way – and our Threat Lab team predicts this type of attack will increase over the next few months as cybercriminals continue to engineer their attacks to bypass perimeter technology and socially engineer their targets.
Although exploiting webforms is a new attack type, it fits into a wider trend of cybercriminals hijacking legitimate platforms so their attacks benefit from both domain authority and brand trust.
Increasingly – and at a significant scale – we can no longer trust that a seemingly routine email was actually sent by the organization it seems to come from. It has, therefore, never been more important to add an email security layer that takes a zero-trust approach to detection, such as KnowBe4 Defend. This means all elements of every inbound email are analyzed holistically to assess whether an email is secure – regardless of whether it’s sent from the trusted domain of a well-known brand. Additionally, organizations can leverage real-time threat intelligence to coach each individual about the specific attacks they face to help combat social engineering threats and challenge intrinsic biases (heuristics) that result in people automatically trusting branded communications.
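On the receiving side, the point is that a DMARC pass from the bank's domain says nothing about who typed the content. As an added example (not KnowBe4's or Defend's code), the Python below runs a few of the holistic checks described above over a constructed copy of such an auto-forwarded confirmation email: it records that authentication passed but does not treat that as a safety signal, and instead looks for the recipient not appearing in the `To` header (a forwarded copy of somebody else's confirmation), a free `onmicrosoft.com` tenant in `To`, a phone number inside the echoed text, and a currency amount next to fraud wording. It assumes that the auto-forward preserves the original `To` header and that a `Delivered-To` header is present; all addresses and domains are placeholders.

```python
import email
import re
from email import policy

# Constructed sample: a bank form confirmation auto-forwarded from an
# attacker-controlled tenant. Domains, addresses and numbers are placeholders.
RAW = b"""\
Delivered-To: employee@victim.example
Authentication-Results: mx.victim.example; dmarc=pass header.from=bank.example
From: "Bank Appointments" <noreply@bank.example>
To: "PayPal Fraud Dept" <alerts@contoso.onmicrosoft.com>
Subject: Your appointment request
Content-Type: text/plain; charset=utf-8

Hello PayPal Fraud Dept 1-800-555-0199,
Your request is confirmed. Message: unusual activity of $724.46 detected,
call 1-800-555-0199 to dispute the charge.
"""

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
MONEY_RE = re.compile(r"[$\u20ac\u00a3]\s?\d[\d,]*(?:\.\d{2})?")
PRETEXT = ("unusual activity", "suspicious", "unauthori", "dispute")


def analyze(raw: bytes) -> dict:
    """Return web-form hijacking indicators for one raw RFC 5322 message.
    A DMARC pass is reported separately and never counts as 'safe'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    indicators = []
    authenticated = "dmarc=pass" in msg.get("Authentication-Results", "")
    to_hdr = (msg.get("To") or "").lower()
    delivered = (msg.get("Delivered-To") or "").lower()
    if delivered and delivered not in to_hdr:
        indicators.append("recipient_not_in_to")   # someone else's confirmation
    if ".onmicrosoft.com" in to_hdr:
        indicators.append("free_tenant_in_to")
    if PHONE_RE.search(body):
        indicators.append("phone_in_echoed_text")  # payload carried in form fields
    if MONEY_RE.search(body) and any(k in body.lower() for k in PRETEXT):
        indicators.append("financial_pretext")
    return {"authenticated": authenticated, "indicators": indicators,
            "suspicious": len(indicators) >= 2}
```

A genuine confirmation for a form the recipient actually filled in will normally have the recipient in `To` and no phone number or dollar amount in the echoed fields, so it stays below the threshold; the indicator list is what an analyst or a banner would surface.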
This is the best defense for organizations to protect their people, customers, data and systems as phishing attacks continue to evolve to challenge both traditional technologies and employees.
