Summary: This content discusses a recent increase in phishing campaigns utilizing Microsoft Forms to deceive users into revealing their Microsoft 365 login credentials. The campaigns leverage legitimate-looking emails and forms to trick targets into visiting fraudulent sites.
Threat Actor: Unknown | unknown
Victim: Individuals and organizations using Microsoft 365 | Microsoft 365
Key Points:
- Phishing emails impersonate Microsoft and often originate from compromised accounts of business partners.
- Users are directed to malicious Microsoft Forms that lead to phishing pages mimicking Microsoft 365 and Adobe.
- Attackers enhance credibility by using familiar page titles and favicons, making it difficult for users to identify the scam.
- Microsoft has implemented automated phishing prevention, but it is not always effective against these sophisticated attacks.
- Users are advised to verify URLs before entering credentials and report any suspicious forms using the “Report abuse” option.
There has been an uptick in phishing campaigns leveraging Microsoft Forms this month, aiming to trick targets into sharing their Microsoft 365 login credentials.
A malicious Microsoft form (Source: Perception Point)
Malicious forms leading to phishing pages impersonating Microsoft 365 and Adobe
Microsoft (formerly Office) Forms is part of the Microsoft 365 product suite and is used to gather feedback and information via surveys, quizzes and polls.
Threat actors often leverage email accounts of breached business partners and vendors to send out phishing emails. In these latest campaigns, the emails took the form of fake mail error notifications from Microsoft and bid invitations.
Users clicking on the provided links are taken to a Microsoft Form that contains another link that they are urged to follow to verify their accounts or view a “secured document”. The links take users to a Microsoft 365 or Adobe phishing page (not hosted by Microsoft).
Spot (and report) the phish
Phishing via Microsoft Forms is not a new trick. While Microsoft reacted to the threat by implementing automated phishing prevention to detect malicious password collection in forms and surveys, it’s obvious that it’s not always successful at recognizing malicious embedded links.
Detecting phishing emails is also hard, as these come from legitimate email accounts and lead to Microsoft Forms (forms.office.com), a site with a good reputation.
When these pass all existing protections, it is on users to spot the phish.
“Attackers enhance their forms’ credibility by using convincing page titles and known favicons. Favicons are small icons displayed in the browser tab, and by using Microsoft familiar icons, attackers increase the perceived legitimacy of their fake pages. These visual cues can easily trick users into believing they are on a genuine Microsoft site,” Perception Point researchers noted.
The usual advice of not clicking on links in unsolicited emails is unlikely to work in this case, but users should make it a habit to check the URL of every login page they unexpectedly land on before entering their credentials.
Malicious Microsoft Forms can be reported via the “Report abuse” option provided at the bottom of each one.
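The URL check the article recommends, turned into triage logic a security team could run over the links embedded in a reported form. This is an added example, not code from the article or from Perception Point; the trusted-host list, brand patterns, sample form text and page titles are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Illustrative hosts that legitimately serve each brand's sign-in page.
# Assumed for this example, not an authoritative list.
TRUSTED_LOGIN_HOSTS = {
    "microsoft": ("login.microsoftonline.com", "login.live.com", "microsoft.com", "office.com"),
    "adobe": ("adobe.com",),
}
# Brand words a phishing page title borrows to look familiar.
BRAND_PATTERNS = {
    "microsoft": re.compile(r"microsoft|office\s*365|outlook|onedrive|sharepoint", re.I),
    "adobe": re.compile(r"adobe|acrobat", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def host_matches(host, suffixes):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def extract_links(text):
    """Return all http(s) URLs found in a form body or email text."""
    return URL_RE.findall(text)

def classify_login_page(url, page_title):
    """Return the brand a page title imitates when its host is not one of that
    brand's legitimate sign-in hosts; None if nothing looks wrong."""
    host = urlparse(url).hostname
    for brand, pattern in BRAND_PATTERNS.items():
        if pattern.search(page_title) and not host_matches(host, TRUSTED_LOGIN_HOSTS[brand]):
            return brand
    return None

def triage_form(form_text, landing_titles):
    """Walk links embedded in a form; landing_titles maps each URL to the <title>
    seen when it was fetched. Returns (url, imitated_brand) pairs to report."""
    findings = []
    for url in extract_links(form_text):
        if host_matches(urlparse(url).hostname, ("forms.office.com",)):
            continue  # the form itself is legitimately hosted; inspect where it sends users
        brand = classify_login_page(url, landing_titles.get(url, ""))
        if brand:
            findings.append((url, brand))
    return findings

# Constructed sample: a "mail error" form urging the user to verify via an external link.
SAMPLE_FORM = ("Undelivered messages are waiting. Verify your account to release them: "
               "https://secure-docs.example.net/m365/verify\n"
               "Form: https://forms.office.com/r/placeholderid")
SAMPLE_TITLES = {"https://secure-docs.example.net/m365/verify": "Sign in to your Microsoft 365 account"}
```

Running `triage_form(SAMPLE_FORM, SAMPLE_TITLES)` flags the external link because its page title claims Microsoft 365 while its host is not a Microsoft sign-in host; the forms.office.com link itself is skipped, which mirrors why reputation-based filters let these forms through.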
Source: https://www.helpnetsecurity.com/2024/07/29/microsoft-365-phishing-forms