Popular project management and collaboration tool Monday.com was forced to disable one of its features after it was abused by a threat actor to send out phishing emails.
The “Share Update” feature allows users to share real-time updates, progress, or important information with team members, or stakeholders. Users can post updates, attach files or images, mention specific team members, and even set up automatic notifications for certain updates.
But a threat actor has now hijacked the feature to send out mass emails to people outside their account, leading to monday.com having to temporarily disable it.
No customer data compromised
The company told BleepingComputer it was made aware of phishing emails seemingly coming from its email accounts. The emails were sent via SendGrid, and were coming from the [email protected] address. They passed SPF, DMARC, and DKIM authentications.
The messages pretended to come from the Human Resources department and asked the recipients to acknowledge the “organization’s workplace sex policy” or submit feedback as part of a “2024 Employee Evaluation.”
In the body of the email was a link, shortened with an URL shortener service, leading to a phishing form hosted on formstack.com. Since the forms have been removed in the meantime, we don’t know what kind of information the attackers were after. We also don’t know how many of these emails were sent.
“Unfortunately, a user misused this feature by sending a phishing message. We promptly suspended this user and removed the feature,” the company confirmed to the publication in a statement. “This feature has no connection to data hosted on monday.com or access to any customer accounts or data. We have reached out and shared precautions with the email recipients of the phishing message.”
Monday.com is a major project management platform, used by the likes of Uber, Canva, Coca-Cola, and others.