Popular project management and collaboration tool Monday.com was forced to disable one of its features after a threat actor abused it to send phishing emails.
The “Share Update” feature allows users to share updates, progress or important information in real time with team members or interested parties. Users can post updates, attach files or images, mention specific team members, and even set up push notifications for certain updates.
But a threat actor hijacked the feature to send mass emails to recipients outside the sender's account, forcing monday.com to temporarily disable it.
No customer data compromised
BleepingComputer was informed about phishing emails that appeared to come from the company's own email accounts. The emails were sent via SendGrid from the address [email protected], and they passed SPF, DKIM and DMARC authentication checks.
The messages purported to come from the Human Resources department and asked recipients to acknowledge the “organization's sexual policy in the workplace” or submit feedback as part of a “2024 Employee Review.”
The body of the email contained a link, shortened with a URL shortening service, that led to a phishing form hosted on Formstack.com. Because the forms have since been deleted, it is not known what information the attackers were after, nor how many of these emails were sent.
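The point of the abuse described above is that mail relayed by a legitimate platform can pass every sender check and still be phishing. As an added example (not code from the article or from monday.com), the Python triage below reads the Authentication-Results verdicts and then looks at what a filter relying on SPF/DKIM/DMARC alone would miss: shortened links, third-party form hosts and an HR-themed lure. The sample message, domains and indicator lists are constructed placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real message): a platform notification that
# passes SPF, DKIM and DMARC yet carries an HR lure and a shortened link.
SAMPLE_EMAIL = """\
From: "Human Resources" <notifications@saas-platform.example>
To: employee@victim.example
Subject: 2024 Employee Review - action required
Authentication-Results: mx.victim.example;
 spf=pass smtp.mailfrom=saas-platform.example;
 dkim=pass header.d=saas-platform.example;
 dmarc=pass header.from=saas-platform.example
Content-Type: text/plain; charset="utf-8"

Please acknowledge the updated workplace policy here:
https://short.example/AbC123
"""
# Hypothetical indicator lists; a defender tunes these for their own environment.
URL_SHORTENERS = {"short.example", "bit.ly", "tinyurl.com"}
FORM_HOSTS = {"formstack.com", "forms.example"}
LURE_WORDS = ("employee review", "acknowledge", "policy", "human resources")

def auth_results(msg):
    """Return the spf/dkim/dmarc verdicts recorded in Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def triage(raw):
    """Flag a message that authenticates cleanly but looks like relayed phishing."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdicts = auth_results(msg)
    authenticated = all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = re.findall(r"https?://[^\s<>\"']+", text)
    hosts = {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}
    reasons = []
    if hosts & URL_SHORTENERS:
        reasons.append("shortened link")
    if hosts & FORM_HOSTS:
        reasons.append("third-party form host")
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    if any(word in haystack for word in LURE_WORDS):
        reasons.append("HR-themed lure")
    # Passing SPF/DKIM/DMARC only says who relayed the mail, not that it is safe.
    return {"authenticated": authenticated, "reasons": reasons, "suspicious": bool(reasons)}
```

Run `triage(SAMPLE_EMAIL)` to see a message that is fully authenticated yet flagged for both a shortened link and an HR lure.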
“Unfortunately, a user misused this feature by sending a phishing message. We immediately suspended this user and removed the feature,” the company confirmed to the publication in a statement. “This feature has no connection to data hosted on monday.com or access to any account or customer data. We are communicating with the recipients of the phishing email and sharing precautions with them.”
Monday.com is a major project management platform, used by companies like Uber, Canva, Coca-Cola, and others.