Exfiltration using formspree.io

Formspree is a service that takes HTML form submissions and sends the results to an email address.

It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.

IOK Rule (edit)

title: Exfiltration using formspree.io
description: |
  Formspree is a service that takes HTML form submissions and sends the results to an email address.

  It can be used by threat actors building "serverless" phishing pages i.e. where they don't have a backend server that can send emails or store logs.
related:
  - id: getform-io

detection:
  formAction:
    html|contains: "action=\"https://formspree.io/f/"
  condition: formAction

tags:
  - exfiltration