Microsoft (formerly Office) Forms is part of the Microsoft 365 product suite and is used to gather feedback and information via surveys, quizzes and polls.
Threat actors often leverage the email accounts of breached business partners and vendors to send out phishing emails. In the latest campaigns, the emails took the form of fake mail error notifications from Microsoft and of bid invitations.
Users who click the provided links are taken to a Microsoft Form that contains another link, which they are urged to follow to verify their account or view a "secured document". That second link takes them to a Microsoft 365 or Adobe credential phishing page, which is not hosted by Microsoft.
Spot (and report) the phish
Phishing via Microsoft Forms is not a new trick. Microsoft has responded by adding automated phishing prevention that detects forms and surveys collecting passwords, but that protection targets forms that ask for credentials directly; a form that merely embeds a link to an external phishing page evidently slips past it.
Detecting the phishing emails is hard as well: they are sent from the legitimate (if compromised) accounts of business partners, so sender reputation and domain authentication checks pass, and the only link they carry points to Microsoft Forms (forms.office.com), a site with a good reputation.
When these pass all existing protections, it is on users to spot the phish.
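Because sender reputation and authentication results are clean in this scenario, a mail-triage rule has to look at the content instead. The following is an added example, not code from the article or from Perception Point: it parses a message, pulls the URLs out of its text and HTML parts, and queues for review any mail from outside the organisation that links to forms.office.com, while letting internally shared forms through. The sample messages, the `corp.example` and `partner-vendor.example` domains and the form IDs in them are constructed for the demonstration.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# The Microsoft Forms hostname named in the article. Matched exactly or as a
# parent of a subdomain, never as a suffix of some other domain.
FORMS_HOST = "forms.office.com"

# Plain http(s) URL matcher; stops at whitespace, quotes and closing brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)


def extract_urls(msg) -> list:
    """Collect unique http(s) URLs from every text/plain and text/html part."""
    seen = {}
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                seen.setdefault(url.rstrip(".,;"), None)
    return list(seen)


def is_forms_link(url: str) -> bool:
    """True only for forms.office.com itself or one of its subdomains."""
    host = (urlparse(url).hostname or "").rstrip(".")
    return host == FORMS_HOST or host.endswith("." + FORMS_HOST)


def sender_domain(msg) -> str:
    """Domain part of the From address, lower-cased ('' if unparsable)."""
    _, addr = parseaddr(str(msg["From"] or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes, internal_domains: set) -> dict:
    """Flag mail from an external domain that links to a Microsoft Form.

    Authentication results are deliberately ignored: in this campaign the
    sending account is real, so SPF/DKIM/DMARC tell us nothing useful.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    forms_links = [u for u in extract_urls(msg) if is_forms_link(u)]
    external = domain not in internal_domains
    reasons = []
    if external and forms_links:
        reasons.append("external sender links to a Microsoft Form")
    return {
        "from_domain": domain,
        "forms_links": forms_links,
        "verdict": "review" if reasons else "pass",
        "reasons": reasons,
    }


# --- constructed sample messages (not real campaign artefacts) ---------------
SAMPLE_BID_INVITATION = b"""\
From: Accounts Payable <ap@partner-vendor.example>
To: buyer@corp.example
Subject: Invitation to bid - Q3 tender documents
Content-Type: text/plain; charset="utf-8"

Please review the tender documents and confirm your participation:
https://forms.office.com/r/EXAMPLEFORMID
"""

SAMPLE_MAIL_ERROR_HTML = b"""\
From: Mail Delivery <notifications@partner-vendor.example>
To: buyer@corp.example
Subject: 3 messages could not be delivered
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox has undelivered messages.</p>
<a href="https://forms.office.com/Pages/ResponsePage.aspx?id=EXAMPLEID">Review now</a>
</body></html>
"""

SAMPLE_INTERNAL_SURVEY = b"""\
From: HR <hr@corp.example>
To: all@corp.example
Subject: Annual engagement survey
Content-Type: text/plain; charset="utf-8"

Take five minutes for this year's survey: https://forms.office.com/r/EXAMPLESURVEY
"""

if __name__ == "__main__":
    internal = {"corp.example"}
    for name, raw in [("bid invitation", SAMPLE_BID_INVITATION),
                      ("mail error (html)", SAMPLE_MAIL_ERROR_HTML),
                      ("internal survey", SAMPLE_INTERNAL_SURVEY)]:
        print(name, "->", triage(raw, internal))
```

The rule is intentionally narrow: it does not try to decide whether the form is malicious, it only routes external mail that pivots through Microsoft Forms to a human or a sandbox, and it records the form URL so an analyst can follow the second hop and report the form to Microsoft.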
“Attackers enhance their forms’ credibility by using convincing page titles and known favicons. Favicons are small icons displayed in the browser tab, and by using familiar Microsoft icons, attackers increase the perceived legitimacy of their fake pages. These visual cues can easily trick users into believing they are on a genuine Microsoft site,” Perception Point researchers noted.
The usual advice not to click on links in unsolicited emails is unlikely to work here, since the message comes from a known contact and the first link really does lead to a Microsoft site. Users should instead make it a habit to check the URL of every login page they unexpectedly land on before entering their credentials: a genuine Microsoft 365 sign-in is served from login.microsoftonline.com (or the organisation's own federated sign-in domain), and a login form on any other host, however Microsoft-like its title and favicon, is suspect.
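The same URL check can be automated, for instance in a browser extension or a proxy that warns before a credential form is submitted. The block below is an added example, not code from the article: it accepts a sign-in URL only when it is HTTPS and its hostname is an exact match against an allowlist, and it rejects the tricks a phishing URL typically relies on (a trusted name used as a subdomain of an attacker's domain, a trusted name placed before an `@`, and homograph or punycode lookalikes). The allowlist contents are an assumption of the example and would be maintained by whoever deploys it; the `example-phish.test` host in the demo is constructed.

```python
from urllib.parse import urlsplit

# Assumed allowlist: hosts that serve a genuine Microsoft 365 / Microsoft
# account sign-in. Deployers extend this with their own federated IdP hosts.
TRUSTED_LOGIN_HOSTS = frozenset({
    "login.microsoftonline.com",
    "login.live.com",
})


def check_login_url(url: str) -> tuple:
    """Return (ok, reason). ok is True only for an exact-host HTTPS match."""
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"

    # 'https://login.microsoftonline.com@example-phish.test/': everything
    # before the '@' is userinfo, the real host is what follows it.
    if "@" in parts.netloc:
        return False, "userinfo before '@' hides the real host"

    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        return False, "no hostname"

    # Homograph lookalikes: a Cyrillic 'о' in 'lоgin' survives as non-ASCII
    # here, and would appear as an 'xn--' label once IDNA-encoded.
    if not host.isascii():
        return False, "non-ASCII hostname (possible homograph lookalike)"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label (possible homograph lookalike)"

    # Exact match only. A suffix match would accept
    # 'login.microsoftonline.com.example-phish.test'.
    if host not in TRUSTED_LOGIN_HOSTS:
        return False, f"host {host!r} is not a trusted sign-in host"

    return True, f"host {host!r} is a trusted sign-in host"


if __name__ == "__main__":
    # Constructed demo URLs, not observed campaign infrastructure.
    for u in [
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc",
        "https://login.microsoftonline.com.example-phish.test/login",
        "https://login.microsoftonline.com@example-phish.test/",
        "http://login.microsoftonline.com/",
        "https://l\u043egin.microsoftonline.com/",
        "https://login.live.com/login.srf",
    ]:
        print(check_login_url(u))
```

Note that a check like this only tells the user where the page is hosted; it says nothing about a page that is hosted on a trusted domain but abused, which is exactly why the first hop through forms.office.com is useful to the attacker and why such forms should be reported rather than merely ignored.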
Malicious Microsoft Forms can be reported via the “Report abuse” option provided at the bottom of each one.
Source: HelpNetSecurity By: Zeljka Zorz, Editor-in-Chief, Help Net Security