Exfiltration using ActionForms

ActionForms is a service that takes HTML form submissions and sends the results to an email address.

It can be used by threat actors building "serverless" phishing pages, i.e. pages with no backend server of their own to send emails or store logs.

Recent Detections

IOK Rule

title: Exfiltration using ActionForms
description: |
  ActionForms is a service that takes HTML form submissions and sends the results to an email address.

  It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
related:
  - getform-io

detection:
  formAction:
    html|contains: "action=\"https://www.actionforms.io/e/r/"
  condition: formAction

tags:
  - exfiltration
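
The check above, run over sample markup: this is an added example, not part of the IOK rule or the original page. It assumes `html|contains` is a plain substring test on the page HTML, and compares it with a check on parsed `<form>` attributes; the sample pages and `FORM-ID` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Literal taken from the rule's html|contains value.
RULE_SUBSTRING = 'action="https://www.actionforms.io/e/r/'
HOST, PATH_PREFIX = "www.actionforms.io", "/e/r/"


def rule_matches(html: str) -> bool:
    """The rule as written, assuming html|contains is a plain substring test."""
    return RULE_SUBSTRING in html


class _FormActions(HTMLParser):
    """Collects the action attribute of every <form> start tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions += [v for k, v in attrs if k == "action" and v]


def parsed_matches(html: str) -> bool:
    """Same intent, checked on parsed attributes instead of the raw string."""
    parser = _FormActions()
    parser.feed(html)
    parser.close()
    for action in parser.actions:
        url = urlsplit(action.strip())
        if (url.hostname or "").lower() == HOST and url.path.startswith(PATH_PREFIX):
            return True
    return False


# Constructed sample pages; FORM-ID is a placeholder, not a real endpoint.
SAMPLES = {
    "as_in_rule": '<form method="post" action="https://www.actionforms.io/e/r/FORM-ID">',
    "single_quoted": "<form action='https://www.actionforms.io/e/r/FORM-ID'>",
    "other_host": '<form action="https://example.com/e/r/FORM-ID">',
    "text_only": '<p>action="https://www.actionforms.io/e/r/FORM-ID"</p>',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name:14} rule={rule_matches(html)} parsed={parsed_matches(html)}")
```

The two checks agree on the first and third samples and differ on the other two, which is the coverage difference to weigh when triaging hits from the substring form.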