Trusted Vendor, Attacker's Form: How a Compromised Lab Account Delivered a Zoho Credential Harvest

TL;DR: A compromised account at a contract research laboratory sent a phishing message to multiple employees at a specialty ingredients company. The email carried an image attachment with a green button CTA, pointing to a publicly hosted Zoho form designed to harvest credentials. Zoho Forms is a legitimate SaaS platform, so the destination URL was not blocklisted. The sending account passed all authentication checks because it was a real, established corporate account. The attacker's form was hosted under a Zoho subdomain with an organization name that did not match the stated sender, providing the main structural tell. IRONSCALES Adaptive AI scored this at 62% confidence with a Credential Theft label.

Severity: High | Tags: Credential Theft, Account Takeover, SaaS Abuse | MITRE ATT&CK: T1566.002, T1078

The email came from a real person at a real company. Not a spoofed address, not a lookalike domain. A vendor contact at a contract research laboratory with a history of legitimate business communication. The message carried an image attachment with a prominent green button. The button linked to Zoho Forms.

Four employees at a specialty ingredients company received it. Each one was one click away from handing over credentials to a form controlled entirely by an attacker.

The Compromised-Account Delivery Mechanism

Attackers who obtain credentials to a legitimate corporate email account gain something more valuable than an inbox. They gain a trusted sending identity. When that identity has prior communication history with a target organization, the attack acquires a plausibility that no spoofed domain can replicate.

In this case, an employee at a contract research laboratory had her account compromised. The attacker used that account to send a message to multiple recipients at a client organization. The email subject referenced a new project or onboarding workflow, which aligned with the type of communication such a vendor relationship might legitimately generate.

SPF passed. DKIM passed. DMARC passed. The sending domain was established, not newly registered. There were no authentication anomalies. From the perspective of the mail infrastructure, this was a routine B2B message.

Account takeover attacks against corporate accounts are a consistent feature of credential-harvest campaigns precisely because of this effect. The attacker does not need to build trust from scratch. They inherit it.

The SaaS Form Evasion: Why Zoho Was the Attacker's Choice

The link in the message pointed to a publicly hosted form on forms.zohopublic[.]com. Zoho Forms is a legitimate SaaS product used by tens of thousands of organizations for surveys, onboarding flows, data collection, and contract requests. The platform is not blocklisted. Its domain does not appear on threat intelligence feeds as a known-bad host.

This is the core evasion mechanism: by hosting the credential-harvest page on trusted SaaS infrastructure, the attacker ensures that URL reputation checks return clean results. A gateway that blocks evil-domain[.]com will not block forms.zohopublic[.]com because blocking that domain would also block every legitimate Zoho Forms deployment across the customer base.

The attacker's form URL contained an organization slug that bore no relationship to the contract laboratory the email purported to come from. The path embedded a project name that did not match anything in the sending company's known business lines. These are structural misalignment signals, but they require reading the URL carefully rather than just checking the domain.
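The structural check described above can be automated. The following is an added example written for this post, not IRONSCALES code: it refangs a defanged indicator, decomposes the Zoho public form path (`/<org_slug>/form/<form_name>/formperma/<token>`, the layout visible in this attack's URL) and tests whether the organization slug or form name references the claimed sender. The sender domain and organization name are constructed placeholders; the form URL is the one reported in this post.

```python
import re
from urllib.parse import urlparse

# Path layout of a Zoho public form link, as seen in this attack:
#   /<org_slug>/form/<form_name>/formperma/<token>
ZOHO_FORM_PATH = re.compile(
    r"^/(?P<org>[^/]+)/form/(?P<form>[^/]+)/formperma/(?P<token>[^/?#]+)/?$"
)

# Indicator reported in the post (defanged form).
SAMPLE_URL = (
    "hxxps://forms.zohopublic[.]com/ezraproleadershipsdevelopmegm1/form/"
    "AliedNewWorld/formperma/ZunPRCW8b1IgLqZUwB3LpPzDMKzYfu6j4wa8RFQLj-0"
)


def refang(url: str) -> str:
    """Turn a defanged IoC (hxxps://, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def name_tokens(text: str) -> set[str]:
    """Lowercase alphabetic runs of 4+ chars; short tokens cause false matches."""
    return {t for t in re.findall(r"[a-z]+", text.lower()) if len(t) >= 4}


def analyze_zoho_form_link(url: str, sender_domain: str, sender_org_name: str) -> dict:
    """Compare the org slug / form name in a Zoho form URL with the claimed sender.

    sender_domain / sender_org_name are what the message *claims* the sender is;
    a slug that references neither is a structural misalignment signal.
    """
    parsed = urlparse(refang(url))
    result = {
        "host": parsed.hostname,
        "org_slug": None,
        "form_name": None,
        "org_matches_sender": None,
        "findings": [],
    }
    if parsed.hostname != "forms.zohopublic.com":
        result["findings"].append("not a Zoho public form host; use the generic URL checks")
        return result

    # Shared SaaS host: domain reputation is uninformative, so say so explicitly.
    result["findings"].append("shared SaaS form host; domain reputation is not a signal")

    match = ZOHO_FORM_PATH.match(parsed.path)
    if not match:
        result["findings"].append("unrecognised Zoho form path layout")
        return result

    org_slug = match.group("org")
    form_name = match.group("form")
    result["org_slug"] = org_slug
    result["form_name"] = form_name

    # Expected identifiers: the registrable label of the sender domain plus the
    # words of the organization name, e.g. "acmelabs", "acme", "labs".
    expected = name_tokens(sender_domain.split(".")[0]) | name_tokens(sender_org_name)
    haystack = (org_slug + " " + form_name).lower()
    matched = any(tok in haystack for tok in expected)
    result["org_matches_sender"] = matched
    if not matched:
        result["findings"].append(
            f"org slug '{org_slug}' / form '{form_name}' do not reference the claimed sender"
        )
    return result


if __name__ == "__main__":
    # Constructed sender identity (placeholder values, not the real vendor).
    report = analyze_zoho_form_link(SAMPLE_URL, "contractlab-example.com", "Contract Lab Example")
    for finding in report["findings"]:
        print("-", finding)
```

A legitimate vendor form (constructed: sender `acmelabs.example`, slug `acmelabs`) produces no mismatch finding, so the check distinguishes the two cases on path structure alone, which is exactly what a domain-level blocklist cannot do. The token rule is deliberately loose; treat a mismatch as one signal to combine with sender-behavior context, not as a verdict.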


Image CTA: Keeping the Hook Out of the Text Layer

The delivery mechanism for the form link was an image attachment with a styled green button, not a hyperlink in the message body. This mirrors the OCR evasion pattern seen in image-only invoice fraud, applied here to credential harvesting rather than payment fraud.

An email body containing a Zoho Forms URL and text like "click here to complete your onboarding" might be flagged by keyword filters or URL inspection tools depending on context. An image attachment containing a button graphic generates a visual CTA without producing parseable text in the message body. The effective link is embedded in the attachment's clickable image map, requiring the recipient to engage with the rendered image.

The combination of a compromised-account sender, an image-based CTA, and a SaaS-hosted destination was designed to clear multiple independent inspection layers. None of the individual components is a strong signal on its own. Together they formed a delivery chain calibrated against common gateway defenses.

What the Compromised Lab Account Revealed

IRONSCALES Adaptive AI assessed this at 62% confidence with a Credential Theft classification. The detection rested on behavioral signals rather than technical blocking. The sender analysis flagged a mismatch between the established account and an unusual sending pattern toward this recipient group. The link analysis identified the Zoho form's organization slug as inconsistent with the stated sender identity. The attachment was flagged as an image carrying an embedded CTA with no corresponding explanatory text in the body.

The credential harvesting risk was assessed as probable rather than confirmed at this stage, because the form content was behind the URL and the body was not captured with sufficient detail to verify the exact harvest mechanism. The verdict reflects the structural signals: a compromised account, a SaaS form link, an image-CTA attachment, and four targeted recipients at a single organization.

Closing the Gap That SaaS-Hosted Phishing Exploits

MITRE ATT&CK T1566.002 covers spearphishing links, including links to attacker-controlled content hosted on legitimate platforms. The Verizon DBIR 2026 identifies credentials as present across 39% of breach kill chains. The IBM Cost of a Data Breach 2024 report shows that phishing-initiated breaches take longer to detect and contain, in part because the initial access looks like routine activity. IRONSCALES platform data shows gateways miss an estimated 67.5 phishing emails per 100 mailboxes monthly, and SaaS-hosted phishing is among the most consistently bypassed categories.

The Microsoft Digital Defense Report 2024 specifically calls out attacker use of legitimate cloud services as a growing delivery vector, noting that the trusted-domain problem requires solution strategies beyond URL blocklisting. CISA guidance recommends verifying unexpected requests from known contacts through a separate channel, which would catch a compromised-vendor attack even when authentication signals are clean.

The defensive lesson here has two layers. Technically: analysis of the specific path and organization slug in a SaaS URL, combined with sender-behavior anomaly detection, is more effective than domain-level reputation checking. Operationally: any vendor asking recipients to complete a form or provide credentials via an email CTA should be verified directly with the vendor before the form is submitted, regardless of whether the sender appears legitimate.
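To show how the behavioral signals from this case combine into a verdict, here is an added rule-based scorer, written for this post and not IRONSCALES' detection logic. It models the four structural signals the write-up names: an established sender mailing a mostly new recipient group, an image attachment with no explanatory body text, a link to a shared SaaS form host, and fan-out to several recipients at one organization. The sender history, addresses, weights and form URL are all constructed placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed baseline: recipients each vendor address has emailed before.
# In production this comes from mail-log history, not a literal.
SENDER_HISTORY = {
    "vendor.contact@contractlab-example.com": {"alice@ingredients-example.com"},
}

# Shared SaaS form hosts whose domain reputation is always clean.
SAAS_FORM_HOSTS = {"forms.zohopublic.com"}

# Points per signal (constructed weights); verdict threshold below.
WEIGHTS = {
    "new_recipient_group": 30,
    "image_cta_without_text": 25,
    "saas_form_link": 25,
    "single_org_fanout": 20,
}
VERDICT_THRESHOLD = 60


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body_text: str
    image_attachments: int
    links: list[str] = field(default_factory=list)  # from body, image maps, attachments


def score_message(msg: Message, history: dict = SENDER_HISTORY) -> dict:
    """Return the fired signals, a 0-100 score and a verdict for one message."""
    prior = history.get(msg.sender, set())
    established = msg.sender in history
    new_rcpts = [r for r in msg.recipients if r not in prior]

    signals = {
        # Known sender, but most of these recipients have never heard from it.
        "new_recipient_group": established
        and len(new_rcpts) / max(len(msg.recipients), 1) >= 0.5,
        # Visual CTA in an image while the text layer says almost nothing.
        "image_cta_without_text": msg.image_attachments >= 1
        and len(msg.body_text.split()) < 20,
        # Destination is a shared form host; reputation checks cannot help here.
        "saas_form_link": any(
            urlparse(u).hostname in SAAS_FORM_HOSTS for u in msg.links
        ),
        # Several recipients at a single organization in one send.
        "single_org_fanout": len(msg.recipients) >= 3
        and len({r.split("@")[-1] for r in msg.recipients}) == 1,
    }
    score = sum(WEIGHTS[name] for name, fired in signals.items() if fired)
    verdict = "credential_theft_suspected" if score >= VERDICT_THRESHOLD else "no_verdict"
    return {"signals": signals, "score": score, "verdict": verdict}


# Constructed reproduction of this attack's shape: four recipients at one
# company, three of them new to this sender, empty body, one image, Zoho link.
SUSPECT = Message(
    sender="vendor.contact@contractlab-example.com",
    recipients=[f"{u}@ingredients-example.com" for u in ("alice", "bob", "carol", "dave")],
    body_text="",
    image_attachments=1,
    links=["https://forms.zohopublic.com/org-placeholder/form/Onboarding/formperma/TOKEN-PLACEHOLDER"],
)

# Constructed routine vendor mail to the usual contact, for contrast.
BENIGN = Message(
    sender="vendor.contact@contractlab-example.com",
    recipients=["alice@ingredients-example.com"],
    body_text="Hi Alice, attached are the revised assay results we discussed on the call last week. "
    "Let me know if the batch numbers line up with your records.",
    image_attachments=0,
)

if __name__ == "__main__":
    for label, m in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, score_message(m))
```

None of the four rules would justify a block alone, which mirrors the case: SPF, DKIM and DMARC all passed, and every signal here is about behavior and structure rather than authentication. The weights are illustrative; in practice they are tuned against a tenant's own history, and the "new recipient group" rule in particular needs the baseline window chosen so that legitimate project kick-offs to new contacts do not fire it by themselves.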

The attacker built this attack on the assumption that trust travels with the domain name. The defense is recognizing that it does not.

---

| Type | Indicator | Context |
| --- | --- | --- |
| URL | hxxps://forms.zohopublic[.]com/ezraproleadershipsdevelopmegm1/form/AliedNewWorld/formperma/ZunPRCW8b1IgLqZUwB3LpPzDMKzYfu6j4wa8RFQLj-0 | Attacker-controlled Zoho public form (credential harvest) |
| Attachment | [image with embedded CTA button] | Image-based delivery mechanism for phishing link |
Email Attack of the Day is a daily series from IRONSCALES spotlighting real phishing attacks caught by Adaptive AI and our community of 35,000+ security professionals. Each post breaks down a real attack. What it looked like, why it worked, and what to do about it.

Related attacks

| Attack | What happened |
| --- | --- |
| The Government Email That Authenticated Itself After Transit | A compromised county government M365 account sent a password-protected PDF with the passcode in the body. |
| The DocuSign Template That Forgot to Replace 'Putyourlinkhere' | A DocuSign-themed phishing email left a template artifact ('Putyourlinkhere') in its HTML. |
| The Email That Passed Every Check Because the Sender Was Real | A compromised business account sent an email that passed SPF, DKIM, DMARC, and ARC. |
| DKIM Pass, SPF Pass, DMARC Pass: The Phish That Aced Every Authentication Check | A phishing email passed DKIM, SPF, and DMARC by routing through a compromised Microsoft 365 tenant. |
| Sign Here, Get Phished: Inside an Adobe Sign Lure With a Multi-Hop Redirect to Credential Theft | An Adobe Sign e-signature lure routed recipients through a multi-hop redirect chain ending at fameklinik[.]com. |
