Lead Researchers: James Dyer and Louis Tiley
Between May 5 and May 7, 2025, KnowBe4 Threat Lab identified a phishing campaign originating from accounts created on the legitimate service ‘EUSurvey’.
Although this was a focused campaign, smaller in scale than others identified by the team, it employed a combination of sophisticated techniques worth highlighting.
This attack demonstrates how phishing emails that appear to originate from official bodies, such as the EU, can create a false sense of recipient trust. This perceived legitimacy not only lowers the recipient’s guard but also increases the likelihood of interaction.
EUSurvey Attack Overview
All attacks in these campaigns were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Labs team.
Vector and type: Email phishing
Primary techniques: Social engineering, polymorphic hyperlinks and payload smuggling
Targets: Global
Platform: Microsoft 365
Bypassed native and SEG detection: Yes
EUSurvey is a legitimate platform that allows both EU and non-EU institutions to easily create and personalize surveys. In this campaign, the attacker(s) embedded a malicious payload within a survey notification email. Because the email originated from a legitimate domain, it was able to bypass standard email authentication protocols such as SPF, DKIM, and DMARC as explained below.
Polymorphic hyperlinks are used to obfuscate the payload: the recipient is directed to a credential harvesting site, where attackers attempt to steal their login credentials and gain unauthorized access to sensitive systems or data.
EUSurvey Phishing Attack Example: A Phishing Email in Two Halves
First Half: The Malicious Polymorphic Payload
As noted, cybercriminals created an account on EUSurvey, which enabled them to send their phishing email from the legitimate sender address ‘EU-EUSURVEY@nomail.ec.europa.eu’. This allowed the attack to bypass traditional email authentication protocols like SPF, DKIM, and DMARC, as these protocols primarily verify the sender's authorization and the email's integrity in transit.
Because the email originated from a legitimately authorized server and wasn't altered during delivery, these checks passed, making it easier for the attack to evade initial detection by native security and secure email gateways (SEGs). While the legitimate service's high domain reputation might have further contributed to the email's bypass of traditional detection systems, it's important to note that domain reputation isn't a direct component of these traditional authentication protocols themselves.
In the screenshot below, you can see the top half of the phishing email—this is the malicious portion, where the attacker has smuggled in a polymorphic hyperlink. Because each email contains a unique URL, this polymorphic design makes the attack significantly harder for traditional security solutions, such as SEGs, to detect. SEGs typically rely on reputation and signature-based detection, which depend on identifying known malicious links listed on blocklists. However, with polymorphic links, blocking one URL has little effect, as a new, unique link is used in the next email.
Screenshot of the EUSurvey phishing email with KnowBe4 Defend anti-phishing banners applied
The attacker uses social engineering by referencing “INV REMIT” in the body of the email, a term commonly associated with “invoice remittance”, to suggest the email is financial in nature. By encouraging the recipient to click the link to view the details of this supposed remittance, the attacker increases the likelihood of engagement, since messages involving payments or financial documents tend to prompt quicker attention and action—especially if they look like they are from an EU institution.
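Because each email carries a unique URL, exact-match blocklists never catch the next message. The following is an added example (not KnowBe4's code or the campaign's actual links) of template-based grouping a defender can run over harvested URLs: per-message tokens collapse to a wildcard so the whole family matches one template. The token heuristic and the example.invalid links are assumptions constructed for illustration; the survey path is a placeholder.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Heuristic for a per-message token: 8+ URL-safe chars containing at least one digit.
TOKEN = re.compile(r"^(?=.*\d)[a-z0-9_-]{8,}$", re.I)

def link_template(url):
    """Reduce a URL to a template by replacing per-message tokens and query values with '*'."""
    u = urlsplit(url)
    path = "/".join("*" if TOKEN.match(seg) else seg for seg in u.path.split("/"))
    keys = [p.split("=", 1)[0] for p in u.query.split("&") if p]
    query = "&".join(f"{k}=*" for k in keys)
    return f"{u.scheme}://{u.netloc.lower()}{path}" + (f"?{query}" if query else "")

def polymorphic_families(urls, min_messages=3):
    """Group links by template; keep templates backed by >= min_messages distinct URLs."""
    families = defaultdict(set)
    for url in urls:
        families[link_template(url)].add(url)
    return {t: sorted(us) for t, us in families.items() if len(us) >= min_messages}

def is_known_family(url, families):
    """True when a never-seen URL collapses to a template already flagged as polymorphic."""
    return link_template(url) in families

# Constructed sample: three per-recipient lure links plus the service's own survey link.
SAMPLE_LINKS = [
    "https://example.invalid/view/Ab3k9Xq2Lz?id=4f1e8c2a9b",
    "https://example.invalid/view/Qp7m2Vd8Rt?id=0c3b7e5d1a",
    "https://example.invalid/view/Zx1n5Wc4Ky?id=9a2d6f8b3c",
    "https://ec.europa.eu/eusurvey/runner/CustomerFeedback",
]
```

Only the lure links share a template; the survey link, which has no per-message token, stays as-is and is not flagged.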
Second Half: The Hidden Legitimate Body Text
However, there is a second half to the attack. As this payload has been smuggled through a legitimate service, the original text still exists within the email—it has just been colored white against a white background. The next screenshot shows what the recipient would see if they were to scroll down (on the left) versus what they would see if they scrolled down and highlighted the white space (on the right).
Side-by-side screenshots of the legitimate part of the phishing email with hidden white text and legitimate EUSurvey link
The attacker altered the text color to make some of the legitimate content less visible at first glance. This tactic reduces the likelihood that recipients would notice multiple survey invitations or links which could raise suspicion.
However, they were unable to change the color of the legitimate EUSurvey hyperlink, as it is formatted as a standard hyperlink and remains clearly visible. This link leads to a basic feedback survey, which can help the phishing email bypass traditional detection tools, as less sophisticated link scanners may only detect the benign survey link and classify the message as non-malicious.
Screenshot of the legitimate EUSurvey site linked in the second half of the phishing email
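The white-on-white text described above is something a body scanner can detect directly. Below is an added example (not KnowBe4's code) that walks an HTML email body, separates text styled white from visible text, and records whether each hyperlink sits inside the hidden region, which is the shape of this email: a visible lure link on top and the service's own invitation hidden below. It assumes a white page background and inline styles only; the sample body and links are constructed, with the survey path a placeholder.

```python
import re
from html.parser import HTMLParser
WHITE = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}  # assumed white page background
VOID = {"br", "img", "hr", "meta", "link", "input"}        # tags with no end tag

def _text_color(style):
    # Normalised CSS 'color' value from an inline style (not 'background-color'), or None
    m = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", style or "", re.I)
    return m.group(1).strip().lower().replace(" ", "") if m else None

class HiddenTextScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []  # one flag per open element: is its text white?
        self.visible, self.hidden, self.links = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(inherited or _text_color(a.get("style")) in WHITE)
        if tag == "a" and a.get("href"):  # remember whether the link sits in hidden text
            self.links.append((a["href"], self.stack[-1]))
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self.stack and self.stack[-1] else self.visible).append(text)

def scan_email_html(html):
    """Return the visible/hidden split, the links, and a simple verdict for one body."""
    p = HiddenTextScanner()
    p.feed(html)
    hidden_len = sum(map(len, p.hidden))
    return {
        "visible": p.visible,
        "hidden": p.hidden,
        "hidden_ratio": hidden_len / ((hidden_len + sum(map(len, p.visible))) or 1),
        "links": p.links,
        "suspicious": bool(p.hidden) and len(p.links) > 1,  # hidden text plus extra link
    }

# Constructed sample: injected "INV REMIT" lure on top, service invitation turned white below.
SAMPLE_HTML = """<html><body>
<p>Please find attached the INV REMIT details. <a href="https://example.invalid/view/Ab3k9Xq2Lz">View remittance</a></p>
<div style="color:#ffffff">You have been invited to take part in a survey. <a href="https://ec.europa.eu/eusurvey/runner/CustomerFeedback">Open the survey</a></div>
</body></html>"""
```

On the sample, roughly half the text is hidden and the only link inside the hidden region is the benign survey link, which is exactly why a scanner that looks at links alone would clear this message.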
The Second Step of the Attack: Verification and Credential Harvesting to Bypass Link Scanning Technology
If the recipient clicks on the malicious link at the top of the email, they are taken to a fake verification page. Functioning like a pseudo-captcha, this intermediary step is designed to obscure the final destination from link scanning tools. By requiring user interaction, it prevents many detection tools from reaching the actual credential harvesting site, meaning it is less likely to be flagged as suspicious.
The ultimate goal of the attack was to harvest credentials. Recipients were directed to a malicious site and encouraged to enter their details. These credential harvesting sites have since been blocked to prevent further compromise.
Screenshot of the fake verification site where the recipient needs to input a code
Detecting Advanced Phishing Threats
While this wasn’t the most widespread attack, with clear flaws—due to the inability to fully mask the original legitimate link—the use of a respected site affiliated with the EU shows how cybercriminals are pivoting their attacks across legitimate platforms. This attack also fits into a growing trend where threat actors send phishing emails through legitimate services such as AppSheet, Microsoft, Google, QuickBooks, and Telegram.
Combined with polymorphic links and payload smuggling, this campaign demonstrates a fairly sophisticated approach designed to bypass detection technologies commonly used in Microsoft 365 and secure email gateways (SEGs). As a result, many organizations are turning to Integrated Cloud Email Security products (such as KnowBe4 Defend) that leverage AI to detect advanced phishing threats and prevent employees from interacting with malicious hyperlinks and attachments. Additionally, threat-based awareness and training, including flipping real phishing emails into training simulations (e.g. via KnowBe4 PhishER), educates employees on the phishing attacks they’re most likely to face.