Monday.com removes “Share Update” feature abused for phishing attacks


Project management platform Monday.com has removed its “Share Update” feature after threat actors abused it in phishing attacks.

Monday.com is a cloud-based project management platform that allows teams to organize and manage their work using automated workflows and dashboards. The platform is used by 225,000 customers, including Coca-Cola, Canva, LionsGate, Oxy, Compass, and Zippo.

On Tuesday, Monday.com customers told BleepingComputer they were concerned that the company was compromised after receiving phishing emails from its email accounts.

These emails were sent using SendGrid and came from notifications@monday.com, passing SPF, DMARC, and DKIM authentication.

The phishing emails pretended to come from a “Human Resources” department, asking users to either acknowledge the “organization’s workplace sex policy” or submit feedback as part of a “2024 Employee Evaluation.”

A phishing email sent through Monday.com
A phishing email sent through Monday.com
Source: BleepingComputer

Embedded in the emails were links containing shortened URLs, such as tinyurl.com, that led to phishing forms on formstack.com. The forms associated with these phishing campaigns have since been disabled, so BleepingComputer does not know what information was being collected.

After contacting Monday.com about the phishing attacks earlier this week, they told BleepingComputer today that the attacks were conducted through their ‘Share Update’ feature.

“We were made aware of the misuse of a monday.com feature named “Share Update,” which allows users to share an update with someone who isn’t a member of their account,” a Monday.com spokesperson told BleepingComputer.

“Unfortunately, a user misused this feature by sending a phishing message. We promptly suspended this user and removed the feature.”

“This feature has no connection to data hosted on monday.com or access to any customer accounts or data. We have reached out and shared precautions with the email recipients of the phishing message.”

Monday.com says that the threat actor abused this feature by inputting a list of email addresses to which a notification should be sent, which can include people outside of their organization.

When asked how many people received an email, they declined to answer for security reasons but said they contacted all recipients to warn them of the phishing emails.

For those who used the ‘Share Update’ feature, Monday.com told BleepingComputer that it is under review and cannot provide a timeline for when or if the feature will be restored.



Source link