Microsoft 365 users targeted by phishers abusing Microsoft Forms

There has been an uptick in phishing campaigns leveraging Microsoft Forms this month, aiming to trick targets into sharing their Microsoft 365 login credentials.


A malicious Microsoft form (Source: Perception Point)

Malicious forms leading to phishing pages impersonating Microsoft 365 and Adobe

Microsoft (formerly Office) Forms is part of the Microsoft 365 product suite and is used to gather feedback and information via surveys, quizzes and polls.

Threat actors often leverage email accounts of breached business partners and vendors to send out phishing emails. In these latest campaigns, the emails took the form of fake mail error notifications from Microsoft and bid invitations.

Users clicking on the provided links are taken to a Microsoft Form that contains another link, which they are urged to follow to verify their accounts or view a “secured document”. That second link takes users to a Microsoft 365 or Adobe phishing page (not hosted by Microsoft).

Spot (and report) the phish

Phishing via Microsoft Forms is not a new trick. While Microsoft reacted to the threat by implementing automated phishing prevention to detect malicious password collection in forms and surveys, it’s obvious that it’s not always successful at recognizing malicious embedded links.

Detecting phishing emails is also hard, as these come from legitimate email accounts and lead to Microsoft Forms (forms.office.com), a site with a good reputation.

When these pass all existing protections, it is on users to spot the phish.

“Attackers enhance their forms’ credibility by using convincing page titles and known favicons. Favicons are small icons displayed in the browser tab, and by using Microsoft familiar icons, attackers increase the perceived legitimacy of their fake pages. These visual cues can easily trick users into believing they are on a genuine Microsoft site,” Perception Point researchers noted.

The usual advice of not clicking on links in unsolicited emails is unlikely to work in this case, but users should make it a habit to check the URL of every login page they unexpectedly land on before entering their credentials.
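One way a mail-security team could triage the two-hop pattern described above (a trusted forms.office.com link whose form then points at a login page hosted off Microsoft's domains), as an added Python example that is not part of the article or of Perception Point's research; the list of genuine Microsoft login hosts, the brand/sign-in keywords and the two sample messages are assumptions and constructed data, not values from the campaign:

```python
import re
from urllib.parse import urlparse

# First hop named in the article: a high-reputation host mail filters tend to trust.
FORMS_HOST = "forms.office.com"
# Assumption: well-known Microsoft sign-in hosts (not taken from the article).
# A login-looking page on any other host is treated as a lookalike.
GENUINE_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Brand and sign-in words typically seen in lookalike login URLs (heuristic).
BRAND_WORDS = ("microsoft", "office", "o365", "adobe")
LOGIN_WORDS = ("login", "signin", "sign-in", "verify", "auth")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def extract_urls(text):
    """Return every http(s) URL found in free text, in order of appearance."""
    return URL_RE.findall(text)

def classify_url(url):
    """Label a URL: 'forms-redirector', 'genuine-login', 'lookalike-login' or 'other'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == FORMS_HOST or host.endswith("." + FORMS_HOST):
        return "forms-redirector"
    if host in GENUINE_LOGIN_HOSTS:
        return "genuine-login"
    haystack = host + parsed.path.lower()
    if any(b in haystack for b in BRAND_WORDS) and any(w in haystack for w in LOGIN_WORDS):
        return "lookalike-login"
    return "other"

def triage(text):
    """Classify each URL in a message body; escalate when a redirector or lookalike is present."""
    labels = {u: classify_url(u) for u in extract_urls(text)}
    escalate = any(v in ("forms-redirector", "lookalike-login") for v in labels.values())
    return labels, escalate

# Constructed samples modelled on the lures the article describes, not real campaign data.
FAKE_BOUNCE_EMAIL = (
    "Subject: Undelivered mail notice\n"
    "3 messages could not be delivered to your mailbox. Review them here:\n"
    "https://forms.office.com/Pages/ResponsePage.aspx?id=PLACEHOLDER-FORM-ID\n"
)
FAKE_FORM_BODY = (
    "Secured document shared with you. Verify your account to view it:\n"
    "https://secure-docs.example/office365/verify?user=victim\n"
)

if __name__ == "__main__":
    print(triage(FAKE_BOUNCE_EMAIL), triage(FAKE_FORM_BODY))
```

The forms.office.com hop is flagged for review rather than blocked, since the host itself is legitimate; the final landing host is what decides whether a sign-in page is genuine.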

Malicious Microsoft Forms can be reported via the “Report abuse” option provided at the bottom of each one.
