Exfiltration using ActionForms

ActionForms is a service that takes HTML form submissions and sends the results to an email address.

It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

Recent Detections

  • hxxp://url5746[.]piggy[.]eu/ls/click?upn=6Ak1L-2BzJ-2BtfpXRR172T...
  • hxxp://url5746[.]piggy[.]eu/ls/click?upn=6Ak1L-2BzJ-2BtfpXRR172T...
  • hxxp://url5746[.]piggy[.]eu/ls/click?upn=6Ak1L-2BzJ-2BtfpXRR172T...
  • hxxps://siasky[.]net/EABFipXuOTYrQ2S64NVd6ONSb1FKOMKprscPcBOZv_m...
  • hxxps://url6061[.]payhoa[.]com/ls/click?upn=VrEXJUlZN9kSfNYT0r3r...
  • hxxps://siasky[.]net/EABGbZttGKo8-e_Id1zg6dsnRI3uN6t8WpDmjLYkPa8...
  • hxxps://url6061[.]payhoa[.]com/ls/click?upn=VrEXJUlZN9kSfNYT0r3r...
  • hxxps://url6061[.]payhoa[.]com/ls/click?upn=VrEXJUlZN9kSfNYT0r3r...
  • hxxps://siasky[.]net/EABU7xi-xSNyNXDLiSyWf12BGCgDNa982i-0gBgnw16...
  • hxxps://siasky[.]net/EAD5vYLxRFvAFLh46sDjqpw6HwXIHfWvHzlMgMdT1ah...

IOK Rule (edit)

title: Exfiltration using ActionForms
description: |
  ActionForms is a service that takes HTML form submissions and sends the results to an email address.

  It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
related:
  - getform-io

detection:
  formAction:
    html|contains: "action=\"https://www.actionforms.io/e/r/"
  condition: formAction

tags:
  - exfiltration