How scammers use legitimate surveys to link to malicious sites | Kaspersky official blog
Scammers are exploiting legitimate online survey platforms, specifically Yandex Surveys, to embed phishing links within seemingly authentic surveys. These fraudulent surveys bypass spam filters due to their use of reputable domains, tricking users into clicking links that lead to malicious sites, often involving crypto scams or dubious dating offers. Attackers use advanced techniques like invisible characters to hide disclaimers and navigation buttons, making the survey appear legitimate and focused solely on the scam content. Once victims engage, they are lured into prize schemes requiring payment or personal data submission, resulting in financial loss and credential theft. This method leverages free hosting and analytics provided by the survey platform, enabling large-scale, low-cost campaigns. Although Yandex Surveys is shutting down soon, the tactic highlights a growing trend of weaponizing trusted platforms for phishing. Organizations and users must remain vigilant, scrutinize unexpected emails even from trusted domains, and avoid interacting with suspicious surveys or links.
AI Analysis
Technical Summary
This threat involves scammers leveraging legitimate survey platforms, notably Yandex Surveys, to conduct phishing attacks by embedding malicious links within surveys that appear authentic. The attackers create surveys using Yandex's extended survey mode, replacing typical questions with text blocks containing scam pitches and embedded links to fraudulent websites. They enhance credibility by uploading official logos and images, often related to cryptocurrency exchanges, to lure victims. To conceal the survey's standard navigation elements and disclaimers, scammers insert invisible characters such as transparent emojis and punctuation marks to push these elements off-screen, ensuring victims only see the scam content. These surveys are then distributed via mass emails or hijacked website feedback forms, which lack sender verification, allowing the messages to bypass spam filters due to the legitimate yandex.com domain. Victims clicking the embedded links are directed to professional-looking scam sites, typically prize giveaways promising large cryptocurrency rewards but requiring upfront fees or personal information, leading to financial theft. The attackers benefit from free hosting and built-in analytics on the survey platform to track engagement and optimize campaigns. Although Yandex Surveys is scheduled to shut down shortly, this attack exemplifies a broader trend of abusing trusted platforms to evade detection and increase phishing success rates. The campaign has seen rapid scaling, with Kaspersky Premium blocking over 32,000 such emails in February 2026 alone, indicating aggressive expansion. The threat does not involve platform compromise but rather creative misuse of legitimate services, underscoring the need for heightened user awareness and advanced detection strategies.
Potential Impact
This phishing scheme poses significant risks to organizations and individuals worldwide by facilitating credential theft, financial fraud, and potential malware infections if victims interact with malicious payloads. The use of legitimate domains to host phishing content undermines traditional email filtering and web reputation systems, increasing the likelihood of successful attacks. Financial losses can be substantial, especially in cryptocurrency scams where victims pay fees or disclose wallet credentials. The campaign's scalability and low cost enable widespread distribution, potentially affecting large user bases across sectors. Organizations may face increased incident response costs, reputational damage, and regulatory scrutiny if employees fall victim. Additionally, the tactic erodes trust in legitimate survey platforms, complicating genuine marketing and research efforts. Although the immediate threat from Yandex Surveys will diminish after its shutdown, the underlying method of abusing trusted services for phishing is likely to persist and evolve, necessitating ongoing vigilance.
Mitigation Recommendations
Organizations should implement advanced email filtering solutions that incorporate behavioral and contextual analysis beyond domain reputation to detect phishing attempts using legitimate platforms. Security awareness training must emphasize skepticism toward unexpected emails, even those containing links to well-known domains, and instruct users to verify survey legitimacy by checking for unusual page layouts, disclaimers, and excessive empty space. IT teams should deploy web filtering policies that block access to known phishing URLs and monitor for unusual outbound traffic patterns indicative of phishing engagement. Employ multi-factor authentication to reduce the impact of credential compromise. Incident response plans should include procedures for rapid identification and containment of phishing incidents originating from trusted domains. Collaboration with survey platform providers to report abuse and request removal of fraudulent content can help reduce exposure. Finally, encourage users to verify survey requests through alternative communication channels before participation and avoid entering personal or financial information on unsolicited survey sites.
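One way to approximate the contextual analysis recommended above, as an added example that is not from the Kaspersky article or this page's tooling: it scores a survey text block for the two traits described in the technical summary, a link leaving the survey platform and a long run of blank-rendering characters used as padding. The function names, the 40-character threshold and the `.example` hosts are assumptions made for illustration.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Characters that render as empty space: ordinary whitespace, format characters
# (zero-width space/joiner, BOM) and a few blank-looking glyphs.
BLANK_CATEGORIES = {"Cf", "Zs", "Zl", "Zp"}
BLANK_EXTRA = {"\u2800", "\u3164", "\ufe0e", "\ufe0f"}  # braille blank, Hangul filler, variation selectors

def is_blank(ch: str) -> bool:
    return ch.isspace() or ch in BLANK_EXTRA or unicodedata.category(ch) in BLANK_CATEGORIES

def longest_blank_run(text: str) -> int:
    best = run = 0
    for ch in text:
        run = run + 1 if is_blank(ch) else 0
        best = max(best, run)
    return best

def off_platform_links(text: str, platform_suffix: str) -> list[str]:
    # Turn blank characters into spaces first so zero-width padding cannot glue onto a URL.
    cleaned = "".join(" " if is_blank(c) else c for c in text)
    hosts = []
    for url in re.findall(r"https?://[^\s<>\"']+", cleaned):
        host = (urlparse(url).hostname or "").lower()
        if host and host != platform_suffix and not host.endswith("." + platform_suffix):
            hosts.append(host)
    return hosts

def assess_block(text: str, platform_suffix: str, max_run: int = 40) -> dict:
    # max_run is an assumed threshold; tune it against legitimate surveys.
    run = longest_blank_run(text)
    links = off_platform_links(text, platform_suffix)
    # Flag only when both traits co-occur: external link plus heavy padding.
    return {"longest_blank_run": run, "off_platform_hosts": links,
            "suspicious": run > max_run and bool(links)}

# Constructed samples (not taken from a real campaign).
SCAM_BLOCK = ("You have been selected! Claim your reward: https://prize-claim.example/win\n"
              + "\u200b\n\u2800 \ufe0f" * 30)
NORMAL_BLOCK = ("How satisfied are you with our delivery service?\n\n"
                "Details: https://help.survey-platform.example/faq")

if __name__ == "__main__":
    for name, block in (("scam", SCAM_BLOCK), ("normal", NORMAL_BLOCK)):
        print(name, assess_block(block, "survey-platform.example"))
```

The check works on characters only, so glyphs made transparent through styling would need a rendering-based comparison instead.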
Affected Countries
Russia, United States, India, Brazil, Germany, United Kingdom, France, Italy, Spain, Mexico, South Africa, Australia, Japan, China, Turkey
Technical Details
- Article Source: https://www.kaspersky.com/blog/spammers-use-yandex-polls-for-scam-and-phishing/55496/ (fetched 2026-03-26T10:01:29.946Z; word count 1581)
Threat ID: 69c503f9f4197a8e3b5009f5
Added to database: 3/26/2026, 10:01:29 AM
Last enriched: 3/26/2026, 10:01:44 AM
Last updated: 3/26/2026, 11:11:48 AM