Exfiltration using ActionForms

ActionForms is a service that takes HTML form submissions and sends the results to an email address.

Threat actors can use it to build "serverless" phishing pages, i.e. pages with no backend server of their own that can send emails or store logs.

Recent Detections


IOK Rule

title: Exfiltration using ActionForms
description: |
  ActionForms is a service that takes HTML form submissions and sends the results to an email address.

  It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
related:
  - getform-io

detection:
  formAction:
    html|contains: "action=\"https://www.actionforms.io/e/r/"
  condition: formAction

tags:
  - exfiltration
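
One way to run the formAction check over a saved page, as an added example (not IOK's own matching engine): it parses the form tags and compares each parsed action URL with the host and path from the rule, instead of searching the raw HTML. The function names, the FORM_ID placeholder and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host and path prefix taken from the rule's html|contains string.
ACTIONFORMS_HOST = "www.actionforms.io"
ACTIONFORMS_PATH_PREFIX = "/e/r/"


class FormActionCollector(HTMLParser):
    """Collects the action attribute of every <form> tag in a document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.actions = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and unquotes values.
        if tag == "form":
            self.actions += [v.strip() for k, v in attrs if k == "action" and v]


def actionforms_endpoints(html):
    """Return the form actions in `html` that post to an ActionForms endpoint."""
    collector = FormActionCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for action in collector.actions:
        try:
            url = urlsplit(action)  # scheme and hostname come back lower-cased
        except ValueError:  # malformed URL, e.g. an unbalanced "[" in the host
            continue
        if (url.scheme == "https" and url.hostname == ACTIONFORMS_HOST
                and url.path.startswith(ACTIONFORMS_PATH_PREFIX)):
            hits.append(action)
    return hits


# Constructed sample pages (not real detections); FORM_ID is a placeholder.
SAMPLES = {
    "double-quoted": '<form method="post" '
                     'action="https://www.actionforms.io/e/r/FORM_ID"></form>',
    "single-quoted": "<FORM ACTION='HTTPS://WWW.ACTIONFORMS.IO/e/r/FORM_ID'></FORM>",
    "own backend": '<form action="/login"></form>',
    "text only": '<p>Docs: action="https://www.actionforms.io/e/r/" here</p>',
}
```

A page is flagged when actionforms_endpoints returns a non-empty list; the "text only" sample returns an empty list because the string appears in page text and not as a form attribute.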