You’ve probably filled out a Google Forms survey at least once — likely signing up for an event, taking a poll, or gathering someone else’s contacts. No wonder you did — this is a convenient and easy-to-use service backed by a tech giant. This simplicity and trust have become the perfect cover for a new wave of online scams. Fraudsters have figured out how to use Google Forms to hide their schemes, luring victims with promises of free cryptocurrency. And all the victim has to do to fall into the trap is click a link.

Free crypto is only in a scammer’s trap

Just like parents tell their kids not to take candy from strangers, we recommend being cautious about offers that seem too good to be true. Today’s story is exactly about that. Our researchers have uncovered a new wave of scam attacks exploiting Google Forms. Scammers use this Google service to send potential victims emails offering free cryptocurrency.

As is often the case, the scam is wrapped in a flashy, tempting package: victims are lured with promises of cashing out a large sum of cryptocurrency. But before you can get your payout, the scammers ask you to pay a fee — though not right away. First, you have to click a link in the email, land on a fake website, and enter your crypto wallet details and your email address (a nice bonus for the scammers). And just like that, you wave goodbye to your money.

If we take a closer look at these emails, we’ll see that they don’t exactly win any awards for looking legit. That’s because, while Google Forms is a free tool that allows anyone, including scammers, to create professional-looking emails, these emails have a very specific look that’s pretty hard to pass off as a real crypto platform notification. So why do scammers use Google Forms?

Because this allows the message to slip through email filters, and there’s a good reason for that. Email messages like these are sent from Google’s own mail servers and include links to the domain forms.gle. The links look legit to spam filters, so there’s a good chance these messages will make it into your inbox. This is how scammers exploit the good reputation of this online service.

Google Forms scams are on the rise. According to some experts, the number of these scams increased by 63% in 2024 and likely continues to grow in 2025. That means one thing: you need to share this post right now with your loved ones who are just starting to explore the internet. Tell them about the most common types of scams today and how to protect themselves.

Protecting yourself from Google Forms scams

The easiest and most effective approach is to rely on a trusted security tool that alerts you whenever you try to visit a phishing website. What are some other things you can do?

• Avoid following links in emails you weren’t expecting. Chances are, there’s nothing good behind them.
• Avoid entering your personal information on suspicious websites. If your curiosity gets the better of you and you do click a link in an email, be absolutely sure not to enter any payment or personal information.
• Remember the free lunch. Alert: there is no such thing. Watch out for offers promising payments or prizes — especially if they ask you to pay a commission upfront.
• Learn how other types of scams operate and share the news of the latest threats with your loved ones.

If you’ve grown tired of all the Google Forms scams, you can set up a filter for the phrase “Create your own Google Form” in your email client. Every single Google Forms email contains that phrase, so the filter will move any messages with the text right to the spam folder. The problem with this approach is that you might miss legitimate emails from Google Forms. Here’s how to block these emails in Gmail and Outlook.

Read about other tricks that scammers have up their sleeves:

• Turnkey phishing
• You’re in for a big payout again
• Lessons from the Bybit hack: how to store crypto safely
• You found a seed phrase from someone else’s cryptowallet: what could go wrong?
• You’ve been sent a “gift” — a Telegram Premium subscription

Kaspersky official blog – ​Read More

ANY.RUN’s services processes data on current threats daily, including attacks affecting supply chains. In this case study, we analyze examples of DHL brand abuse. The company is a leading global logistic operator, and attackers exploit its recognition to send phishing emails, potentially targeting its partners.  

We will demonstrate how ANY.RUN’s solutions can be used to identify such threats, collect technical indicators, and enhance security. Here are the key findings. 

Key Takeaways 

• Supply chain attacks are on the rise: adversaries actively exploit third-party relationships. 

• Real-world example: attackers impersonated DHL in phishing emails targeting partner organizations, like Meralco, using fake domains and deceptive attachments to collect credentials. 

• HTML attachment bypasses filters: lesser-known file extensions are used. 

• Credential theft via third-party form service: analysis with HTTPS MITM revealed a POST request containing plaintext credentials sent to a unique endpoint. 

• Shared visual lures identified by image hash: the DHL-themed image in the phishing email was reverse-searched via its SHA256 hash, revealing five other phishing campaigns using the same lure. 

• DHL-imitating domains and filenames as indicators: analysts identified 39 phishing domains (e.g., dhlshipment*, -dhl.) and over 300 malware samples with DHL-themed filenames (e.g., dhlreceipt*.pdf) — exposing common obfuscation patterns and phishing themes used to trick users. 

Supply Chain Attack Growing Dynamics 

A supply chain attack is a type of cyberattack where adversaries gain access to a target organization by compromising a less protected external participant in the interaction chain: a contractor, a supplier, a technology partner, or another link. 

The data from Cyble reveals supply chain attacks steady growth. From October 2024 to May 2025, an average of more than 16 incidents per month has been recorded, a 25% increase from the previous eight-month period. A sharp spike in activity was observed in April and May 2025. This dynamic indicates growing attacker interest in this attack model and its increasingly widespread use in real campaigns. 

Real-world examples include the Scattered Spider group’s attack on Australian airline Qantas. The attackers penetrated through a third party (contact center), which is typical for such attacks.

DHL Brand Abuse in Phishing Campaigns 

Suppose we are information security specialists at a company that collaborates with DHL and could be used by attackers as an intermediate link in the attack chain. 

Our task is to detect timely phishing emails disguised as official correspondence from DHL. Such messages may target company employees, contractors, or other DHL partners. 

To identify such activity, we use ANY.RUN’s YARA Search — we’ll create a rule that allows us to find .eml files mentioning DHL in the From, To, and Subject headers. This will help collect indicators, identify malicious attachments, and assess potential risks to our infrastructure. 

The search delivered over 110 files and associated analysis sessions (tasks) from the ANY.RUN’s Interactive Sandbox. This data allows us to: 

• Identify malicious campaigns that exploit the DHL brand, including cases of possible compromise of official email accounts and infrastructure of the company or its contractors. 

• Obtain technical indicators.  

• Identify applied tactics, techniques, and procedures (TTPs).  

• Classify the malware involved.

Not all found objects contain malicious payloads, but many are interesting from an analytical perspective, as examples of malicious brand abuse. 

How to Detect DHL-themed Phishing in Your Infrastructure 

To effectively detect and analyze DHL-themed phishing attempts within your infrastructure, consider the following practices: 

Scan Your Endpoints with YARA Rule 

Utilize a YARA rule to scan your email endpoints for any emails related to DHL. Here’s an example of a YARA rule you can use: 

This rule helps identify emails that mention DHL in the subject line, sender, or recipient fields. 

Analyze Suspicious Emails, Files, and URLs in ANY.RUN’s Interactive Sandbox 

ANY.RUN’s Interactive Sandbox allows you to safely open and interact with suspicious files and URLs.  

You can safely open emails and click through any attachments or links within a controlled environment. This helps in understanding the full attack chain from the initial phishing email to the execution of any malicious payloads. 

Use TI Lookup to Gather Context on Alerts 

Leverage ANY.RUN’s Threat Intelligence Lookup to quickly verify whether an artifact (URLs, file hashes, or even command line activities) involved in an alert within your company is associated with a specific attack.  

Gather context on the alerts by identifying related campaigns and understanding the broader context of the attacks. This helps in recognizing common tactics, techniques, and procedures (TTPs) used by attackers, allowing for faster and more accurate responses to potential threats. 

Case Study: Analyzing a Phishing Email targeting DHL counterparties 

We shall analyze in ANY.RUN’s Sandbox one of the emails found by YARA scanning.  

View sandbox analysis 

The email sender masquerades as DHL Express International. The “From” field displays the corresponding display name, but the actual sender address Haalasolamagic@cirrcor[.]com belongs to a third-party organization not affiliated with DHL. 

The email is directed to an address in the meralco[.]com[.]ph domain, belonging to Meralco, the largest energy company in the Philippines. Previously, DHL objects were mentioned in Meralco’s planned power outage notifications, and in May 2025, Meralco’s subsidiary MSpectrum announced a joint project with DHL Supply Chain Philippines. 

Based on this, we can assume that the cooperation between DHL and Meralco does exist, and the attackers’ use of such an addressee may not be coincidental. 

The email looks like a part of an attempt at a supply chain attack. The email is not directed to DHL, but to an organization affiliated with it. The use of corporate identity and business context may be part of a scenario where attackers try to gain access to the main target through its partners or contractors — a typical technique in targeted campaigns. 

IMPORTANT: Please report all instances of DHL impersonation to the company’s official Anti-Abuse Mailbox.

Email Content Analysis 

The email body uses DHL’s corporate identity and phrasing typical for business correspondence. The recipient is asked to open an attachment — a file named “Draft BL & Shipping Invoice.shtm,” allegedly containing a preliminary invoice and waybill for confirmation. The .shtm (a variant of .html) extension is likely used for masking and bypassing email filters. 

When the attached file is opened in a browser, a DHL-styled web page is displayed with a password submission form. The user is asked to authenticate to view an allegedly encrypted document supposedly sent from DHL. This is typical for phishing pages imitating official delivery services and used to collect credentials. 

Network Activity Analysis 

The network activity generated while interacting with this form contains a request to submit-form[.]com.  

This service is used to collect data entered in HTML forms and allows redirecting it directly to a specified email address. 

If we try to analyze the network request sent when entering data into the form, we’ll only see a connection through port 443. The connection is encrypted, and its content, including the entered password, is not available for viewing without applying MITM methods. 

MITM Analysis

To get more information, we restart the analysis of this email in ANY.RUN’s Sandbox with the HTTPS-MITM-PROXY (MITM) function enabled to get access to the network packet contents.  

View analysis  

In the new analysis with MITM enabled, we open the attached .shtm file and enter a password in the form, for example “password999,” then click “View Document”. 

Going to the HTTP Requests tab, we find a POST request sent to https://submit-form[.]com/7zFSu099A.  

The request contents confirm the transfer of entered data: the request body contains form field values, including the entered password. This proves that the attacker uses the third-party service submit-form[.]com to collect authentication data entered by the victim on the phishing page. 

Submit-form dot com Usage Analysis 

Using ANY.RUN Threat Intelligence Lookup to check the submit-form[.]com domain and related campaigns, we find more than 200 public analyses featuring the website. Most are marked as malicious: attackers actively use submit-form[.]com to intercept data entered on phishing pages, including passwords and email addresses. 

domainName:”submit-form.com” 

Now we can estimate the relevance and scale of such threats and make decisions about blocking/monitoring of this domain. 

Image-Based Search for Similar Attacks 

To find additional indicators of similar attacks, we have analyzed the image imitating DHL design used in the email above. Using this image, we can find other phishing campaigns using the same file, thus expanding our set of indicators and understanding of brand abuse scale. 

We extract the image’s SHA256 hash from the static analysis and perform a search for the image through ANY.RUN’s TI Lookup.   

The search returns 5 analyses featuring identical images. They were used in campaigns targeting various addresses that may belong to potential contractors, clients, or company employees. 

These analyses allow us to study additional social engineering techniques and various phishing strategies and to collect threat indicators: email subjects, sender IP addresses, malicious domains.  

Identifying Malicious Domains Imitating DHL 

Now we search for domains that imitate official DHL resources to understand what phishing domains might be used to masquerade as partner organizations. This helps us understand: 

• What tactics and methods attackers use. 

• How such resources are designed (appearance, structure, content copying).

• What payload they may distribute. 

A simple query in ANY.RUN’s TI Lookup allows us to find phishing domains imitating DHL, focusing on typical patterns used in the logistics industry, including campaigns masquerading as delivery notifications, documents, or cargo movements. 

domainName:”–dhl.” or domainName:”dhlshipment*” OR domainName:”dhldocument*” 

The query results provide access to 39 public analyses containing the specified patterns. This data can be used to enrich IOC collection and improve phishing detection and filtering by security systems.  

Analyzing Files Imitating Legitimate DHL Attachments 

Additionally, we can search for the names of files uploaded to ANY.RUN that contain mentions of the partner company. This analysis helps to: 

• Identify popular malware distribution schemes abusing DHL. 

• Determine which malware families are employed. 

• Collect related indicators — file names, hashes, attachments. 

• Obtain data on vulnerabilities used by attackers. 

Here is a TI Lookup query exposing files imitating legitimate DHL attachments:  
 
filePath:”dhlreceipt*” or filePath:”dhlshipment*” or filePath:”dhldelivery*” 

We have found over 300 analyses containing the requested patterns in file names. Not all of them are malicious, but a significant portion is worth analyzing for updating filters, detection rules, and raising awareness about DHL masquerading techniques in recent attacks.

Conclusion 

In this case study, we demonstrated how ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup can be used to identify threats related to potential supply chain attacks. Using DHL as an example, we analyzed activity targeting its partners and contractors — from phishing emails to impersonating domains. 

Such activity may be part of preparation for supply chain attacks. The presented methods allow timely identification of such risks and adaptation of approaches to the specifics of a particular organization. 

About ANY.RUN

Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.    

• Speed up triage and response: Detonate suspicious files using ANY.RUN’s Interactive Sandbox to observe malicious behavior in real time and collect insights for faster and more confident security decisions. 

• Improve threat detection: ANY.RUN’s Threat Intelligence Lookup and TI Feeds provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats.  

 Request a trial of ANY.RUN’s services to see how they can boost your SOC workflows. 

The post Beating Supply Chain Attacks: DHL Impersonation Case Study   appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

IBM QRadar SOAR is a go-to platform for incident response. To make things faster and easier for SOCs to use this powerful tool with ANY.RUN’s services, we built an official app. Now you can seamlessly launch different playbooks directly inside SOAR to streamline threat analysis, speed up investigations, and reduce Mean Time to Respond (MTTR) in your SOC.  

Here’s how your team can benefit from the new integration. 

Streamline Your SOC Workflows 

The app available on IBM Exchange allows SOC teams to start using ANY.RUN’s services in a more flexible and seamless way to detect threats and resolve incidents faster. The setup takes a few seconds as you only need an API key to connect your ANY.RUN account to QRadar SOAR, eliminating the need for custom development.  

With this integration, you can get IOCs and verdicts from the sandbox and indicator context from TI Lookup to simplify triage and enrich incident data. 

• Early Threat Detection: Real-time data from sandbox analyses and TI Lookup enable you to identify and respond to new attacks at their earliest stages. 

• Automation of Routine Tasks: Prebuilt playbooks enable automatic or manual actions, saving time for Tier 1 and Tier 2 analysts. 

• Reduced Response Times: Cuts incident analysis time by automating enrichment and analysis processes. Results feed directly into SOAR playbooks, enabling rapid isolation, blocking, or escalation based on your workflows. 

Proactive Threat Analysis with Interactive Sandbox 

ANY.RUN’s Interactive Sandbox is a cloud-based service for analysis of suspicious files and URLs. It provides SOC teams with instant access to fully interactive Windows, Linux, and Android virtual machines, allowing you to engage with the system and the sample at hand and detonate every stage of the attack, from opening an email attachment to solving a CAPTCHA. 

The sandbox logs and marks malicious network traffic, processes, registry and file modifications, providing instant visibility into the threat’s behavior. For each analysis, it generates a comprehensive report with a threat level verdict, IOCs, and TTPs.  

With IBM QRadar SOAR integration, your SOC team can use the Automated Interactivity of the Sandbox to:  

• Triage Files and URLs: Send suspicious files or URLs from IBM QRadar SOAR to ANY.RUN’s Sandbox for instant analysis, reducing manual effort. 

• Gain Deep Behavioral Insights: Access detailed logs of malicious activities, including network traffic, processes, and file changes, for thorough threat understanding. 

• Auto-Detonate Multi-Stage Attacks: Take advantage of Automated Interactivity for automated execution of user actions such as archive extraction, CAPTCHA solution, and payload launching to reach the final stage of the attack and ensure complete detection. 

For the most accurate results, it’s recommended to avoid manual interference during the sandbox session. Let the analysis run to completion, so all behavior stages can be observed and properly logged. 

Instant Incident Enrichment with TI Lookup 

Threat Intelligence Lookup contains a database of fresh Indicators of Compromise (IOCs), Behavior (IOBs), and Action (IOAs) extracted from live sandbox analyses of active malware and phishing attacks across 15,000 organizations.  

It lets you search across various types of indicators, from IPs and domains to mutexes and registry keys. Since all data comes from real-time detonation of threats, TI Lookup always offers fresh indicators, available within hours and even minutes after the attack happened.  

With IBM QRadar SOAR integration, your SOC team can use TI Lookup to:  

• Enrich Incidents Automatically: Pull detailed threat intelligence for key indicator types, including DNS Name, File Name, File Path, IP Address, MD5, SHA-1, SHA-256, Mutex, Port, Process Name, Registry Key, and URL, directly into SOAR incidents. 

• Add Behavioral Threat Context: Enhance indicators with behavioral insights from live sandbox analyses, providing deeper context for threat understanding. 

• Speed Up Threat Assessment: Use fresh, high-quality data from 15,000 organizations to quickly evaluate and prioritize potential threats. 

What Your Team Gains: Business and Operational Benefits 

The IBM QRadar SOAR integration with ANY.RUN delivers measurable performance gains across your SOC, improving key metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), while enhancing decision-making at every level. 

• Cost and Time Savings: Lower analyst workload by automating repetitive tasks, allowing focus on critical threats. 

• Increased SOC Efficiency: Streamline triage, investigation, and escalation for Tier 1 and Tier 2 analysts with built-in automation and enriched data, reducing alert fatigue and manual steps. 

• Enhanced Decision-Making and Process Improvement: Use detailed Sandbox reports and enriched data to create more effective rules, update response playbooks, and train detection models. 

• Proactive Threat Management: Detect emerging threats earlier with fresh, behavior-based data from real-time malware analysis. TI Lookup and Sandbox insights help you uncover stealthy or multi-stage attacks that traditional tools may miss. 

• Stronger ROI from Existing Tools: Maximize the value of your SOAR investment by extending its capabilities with behavioral analysis and contextual enrichment, no additional infrastructure required. 

How to Get Started 

Getting started with the ANY.RUN app in IBM QRadar SOAR takes just a few steps: 

1. Install the App from IBM App Exchange 

Simply find the official ANY.RUN app and install it in your SOAR environment; no coding or custom development needed. 

2. Connect Using Your ANY.RUN API Key 

In the integration settings, add your API key to connect your ANY.RUN account. You can choose to activate: 

• TI Lookup only for real-time IOC enrichment 

• Sandbox only for dynamic file and URL analysis 

• Both modules together for full access to enrichment and behavioral analysis 

Both modules are available to paid ANY.RUN users and can be used independently or in combination, depending on your license. 

3. Use or Customize the Playbooks 

Use the pre-configured playbooks that come with the integration or customize them to fit your SOC workflows. 

4. Automate Enrichment and Analysis in Your Incidents 

Once configured, you can begin automating threat investigation steps directly within IBM QRadar SOAR: 

• Pull data from TI Lookup by sending artifacts (IPs, hashes, domains, etc.) and retrieving JSON-based enrichment with real-time threat intelligence 

• Send files and URLs to Sandbox and receive key indicators, behavioral tags, verdicts, and detailed reports (PDF/JSON), all injected back into the incident 

This lets your analysts make faster decisions, automate triage, and reduce response time without manual switching between tools. 

Integrate ANY.RUN with Other Solutions and Vendors 

ANY.RUN supports multiple integrations with popular security products. Check out the list to see how you can streamline workflows in your SOC.  

About ANY.RUN 

ANY.RUN is trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and beyond. Our services help security teams investigate threats faster and with greater confidence. 

Accelerate response times with our Interactive Sandbox: Analyze suspicious files in real time, uncover malicious behavior, and support quick decision-making. 

Enhance detection capabilities using Threat Intelligence Lookup and TI Feeds: Give your team the context they need to stay ahead of evolving cyber threats. 

Reach out to us for a 14-day trial of ANY.RUN’s service now → 

The post Turn Alert Noise into Threat Insights without Leaving QRadar SOAR with ANY.RUN  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Unknown malefactors are actively attacking companies that use SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition. By exploiting a chain of two vulnerabilities – CVE-2025-53770 (CVSS rating – 9.8) and CVE-2025-53771 (CVSS rating – 6.3), attackers are able to execute malicious code on the server remotely. The severity of the situation is highlighted by the fact that patches for the vulnerabilities were released by Microsoft late Sunday night. To protect the infrastructure, researchers recommend installing the updates as soon as possible.

The attack via CVE-2025-53770 and CVE-2025-53771

Exploitation of this pair of vulnerabilities allows unauthenticated attackers to take control of SharePoint servers, and therefore not only gain access to all the information stored on them, but also use the servers to spread their attack on the rest of the infrastructure.

Researchers at EYE Security state that even before the Microsoft bulletins were published, they had seen two waves of attacks using this vulnerability chain, resulting in dozens of servers being compromised. Attackers install web shells on vulnerable SharePoint servers and steal cryptographic keys that can later allow them to impersonate legitimate services or users. This way they can to gain access to compromised servers even after the vulnerability has been patched and the malware destroyed.

Relationship to CVE-2025-49704 and CVE-2025-49706 vulnerabilities (ToolShell chain)

Researchers noticed that the exploitation of the CVE-2025-53770 and CVE-2025-53771 vulnerability chain is very similar to the ToolShell chain of two other vulnerabilities, CVE-2025-49704 and CVE-2025-49706, demonstrated in May, as part of the Pwn2Own hacking competition in Berlin. Those two were patched by previously released updates, but apparently not perfectly.

By all indications, the new pair of vulnerabilities is an updated ToolShell chain, or rather a bypass of the patches that fix it. This is confirmed by Microsoft’s remarks in the description of the new vulnerabilities: “Yes, the update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”

How to stay safe?

The first thing to do is install the patches, and before rolling out the emergency updates released yesterday, you should install the regular July KB5002741 and KB5002744. At the time of writing this post, there were no patches for SharePoint 2016, so if you’re still using this version of the server, you’ll have to rely on compensating measures.

You should also make sure that robust protective solutions are installed on the servers and that the Antimalware Scan Interface (AMSI), which helps Microsoft applications and services to interact with running cybersecurity products, is enabled.

Researchers recommend replacing machine keys in ASP.NET on vulnerable SharePoint servers (you can read how to do this in Microsoft’s recommendations), as well as other cryptographic keys and credentials that may have been accessed from the vulnerable server.

If you have reason to suspect that your SharePoint servers have been attacked, it is recommended that you check them for indicators of compromise, primarily the presence of the malicious spinstall0.aspx file.

If your internal incident response team lacks the in-house resources to identify indicators of compromise or remediate the incident, we advise you to contact third-party experts.

Kaspersky official blog – ​Read More