Cybercriminals are increasingly abusing contact forms on websites to send phishing emails that appear to come from reputable organizations.
Researchers at the KnowBe4 Threat Lab have identified a new phishing tactic in which cybercriminals use contact or appointment forms on websites. Instead of hacking email accounts, attackers simply fill out existing forms with false information. The confirmation emails that organizations send back automatically then become the lure used to deceive victims.
Deception via Contact Forms
The method was first identified in September 2025. Attackers do not need to compromise systems to launch their phishing campaigns. Because the emails originate from trusted domains, they often succeed in bypassing security checks. Recipients are more likely to trust such messages, increasing the attackers’ chances of success.
KnowBe4 describes three fixed steps in this process: attackers create a free email account via, for example, Microsoft, configure it to resemble an existing organization, and then fill out contact forms using that address together with their own phone numbers or email addresses. When the organization sends its confirmation email, that message is automatically forwarded to a list of potential victims.
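The abuse works only because the organization's auto-reply echoes whatever the submitter typed into the form. The following is an added example of how a defender can take that away; it is not KnowBe4's code and not from any system named in the article. It assumes a simple form with name, email, phone and message fields, uses constructed sample submissions, and uses deliberately crude patterns (the regular expressions and lure words are the author's assumptions) to decide when a submission should be held for review rather than answered automatically. The confirmation body is a fixed template that never quotes the message back and only ever includes a sanitized, length-limited name.

```python
"""Hardening a contact-form auto-reply (added example, not KnowBe4's code).

Two controls a form owner has: never reflect free-text fields verbatim in
the confirmation email, and hold suspicious submissions for human review
instead of letting them trigger an automatic reply from the org's domain.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Crude, assumed patterns for content that does not belong in a name or a
# short enquiry: links, phone numbers and typical lure wording.
URL_RE = re.compile(r"(?i)(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|io|co|info|biz|xyz)\b")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
LURE_RE = re.compile(r"(?i)\b(suspended|verify|urgent|refund|invoice|call (?:us|now)|click)\b")

NAME_LIMIT = 40  # assumed upper bound for a plausible display name


@dataclass
class Submission:
    name: str
    email: str
    phone: str
    message: str


def risk_flags(sub: Submission) -> List[str]:
    """Return reasons this submission should not get an automatic reply."""
    flags = []
    for field in ("name", "message"):
        text = getattr(sub, field)
        if URL_RE.search(text):
            flags.append(f"url_in_{field}")
        if PHONE_RE.search(text):
            flags.append(f"phone_in_{field}")
        if LURE_RE.search(text):
            flags.append(f"lure_words_in_{field}")
    if len(sub.name) > NAME_LIMIT:
        flags.append("name_too_long")
    return flags


def safe_display_name(name: str, limit: int = NAME_LIMIT) -> str:
    """Keep letters, spaces, hyphens and apostrophes; collapse whitespace; truncate."""
    cleaned = re.sub(r"[^A-Za-z\u00C0-\u024F' -]", "", name)
    cleaned = " ".join(cleaned.split())[:limit].strip()
    return cleaned or "there"


def build_confirmation(sub: Submission, org: str = "Example Org") -> Optional[str]:
    """Return the confirmation body, or None if the submission must be held."""
    if risk_flags(sub):
        return None
    # Fixed template: the submitter's message is never quoted back, so the
    # email cannot carry attacker-authored text under the organization's domain.
    return (
        f"Hello {safe_display_name(sub.name)},\n\n"
        f"Thank you for contacting {org}. We have received your enquiry and "
        f"will respond within two working days.\n\n"
        f"If you did not submit this form, no action is needed.\n"
    )


# Constructed sample submissions: one genuine enquiry, one lure-style entry.
LEGIT = Submission("Ada Lovelace", "ada@example.net", "+1 555 0100", "Do you offer training?")
LURE = Submission("Your account is SUSPENDED call +1 800 555 0199", "spoof@example.net", "", "")

if __name__ == "__main__":
    for sub in (LEGIT, LURE):
        body = build_confirmation(sub)
        print("HELD:", risk_flags(sub) if body is None else "sent")
```

Held submissions should go to a review queue rather than being dropped silently, since a genuine customer may have pasted a phone number into the message field. The key property is that no path exists in which attacker-supplied text reaches a recipient under the organization's sending domain.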
Simple Method
This approach requires less technical effort than traditional phishing. Criminals no longer need to take over accounts or manipulate email servers. This makes the attacks more widely applicable and harder to detect. Data from KnowBe4 shows that in 2025, 59 percent of all phishing attacks originate from compromised accounts. The rise of this new technique could further impact that figure.
