According to Perception Point, cyber attackers are exploiting Microsoft Office Forms to execute sophisticated two-step phishing campaigns. These attacks trick users into revealing their Microsoft 365 (M365) credentials by leveraging the legitimate appearance of Office Forms, a platform typically used for creating surveys and quizzes.
How the Attack Works
Attackers craft legitimate-looking forms on Microsoft Office Forms, embedding malicious links designed to deceive recipients into divulging sensitive information. The process begins with an email that appears to be from a trusted source, such as a business partner or vendor, using a tactic known as "vendor email compromise" or "external account takeover." These emails often mimic familiar platforms like Adobe or Microsoft SharePoint, urging recipients to click on a link to change passwords or access important documents.
Once the user clicks the link, they are directed to a genuine-looking Office Form. This form includes another link, purportedly for viewing a document or completing a questionnaire, which instead redirects the user to a spoofed login page resembling a Microsoft 365 or Adobe account portal. The page is designed to harvest the user's credentials, completing the phishing attack.
The Two-Step Phishing Mechanism
The sophistication of these attacks lies in their two-step approach. The initial link, hosted on a reputable site like Office Forms, bypasses traditional security filters, exploiting the site's high reputation. Only when the user is redirected to the second link, the phishing page, does the malicious intent become clear.
Examples of such attacks include emails with Microsoft 365-themed error messages prompting users to restore their Outlook messages or view sensitive documents, often sent from compromised vendor accounts. This method enhances the perceived legitimacy of the phishing attempt, increasing the likelihood of success.
Challenges in Detection and Prevention
The use of legitimate platforms for the initial phishing attempt complicates detection efforts. Perception Point's researchers note that these attacks evade standard email security solutions because they originate from compromised, legitimate accounts. This familiarity increases trust and engagement from recipients, enhancing the attack's effectiveness.
Perception Point says it counters these campaigns with object detection models that locate clickable elements on a webpage and simulate a user's interaction with them, following the link from an initially benign-looking page (such as the Office Form) to the page behind it. Examining that second hop, rather than stopping at the first link's reputation, is what lets the hidden phishing page be identified and blocked.
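As an added illustration of that second-hop analysis (this is not Perception Point's code, and the URLs, page contents and the `fetch` function are constructed for the example), the following Python follows links from an email to a trusted form host and then one hop further, flagging a page that asks for a password with Microsoft 365 or Adobe branding on a host those brands do not own:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_FORM_HOSTS = {"forms.office.com"}          # legitimate first hop
BRAND_DOMAINS = ("microsoft.com", "office.com", "adobe.com")
BRAND_WORDS = ("microsoft", "office 365", "sharepoint", "adobe", "outlook")

class PageScan(HTMLParser):
    """Collects hrefs, whether a password input exists, and visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.has_password, self.text = [], False, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
    def handle_data(self, data):
        self.text.append(data.lower())

def scan(html):
    p = PageScan(); p.feed(html); return p

def owned_by_brand(host):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def looks_like_harvester(html, host):
    """Password field plus brand wording on a host the brand does not own."""
    p = scan(html)
    branded = any(w in " ".join(p.text) for w in BRAND_WORDS)
    return p.has_password and branded and not owned_by_brand(host)

def analyze_chain(email_html, fetch):
    """Follow trusted-host links one hop further; fetch(url) returns HTML."""
    findings = []
    for url in scan(email_html).links:
        if urlparse(url).hostname not in TRUSTED_FORM_HOSTS: continue
        for hop in scan(fetch(url)).links:           # links inside the form page
            host = urlparse(hop).hostname or ""
            if host in TRUSTED_FORM_HOSTS: continue
            verdict = "credential_harvest" if looks_like_harvester(fetch(hop), host) else "offsite_link"
            findings.append((url, hop, verdict))
    return findings

# Constructed sample pages (placeholder URLs, not real sites); a fake fetch serves them offline.
FORM_URL = "https://forms.office.com/r/constructed-form-id"
HOP_URL = "https://login-portal.invalid/m365"
PAGES = {FORM_URL: '<p>Review the document</p><a href="%s">View document</a>' % HOP_URL,
         HOP_URL: '<h1>Sign in to Microsoft 365</h1><input type="email"><input type="password">'}
EMAIL_HTML = '<p>Please reset your password</p><a href="%s">Open SharePoint document</a>' % FORM_URL
fake_fetch = PAGES.get
```

In a real deployment `fetch` would be a sandboxed browser session, since the first hop can be dynamic and a plain HTTP fetch may not see the links a user would click.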
Advice for Organizations
As cyber threats evolve, leveraging trusted platforms like Microsoft Office Forms for phishing campaigns poses significant challenges for cybersecurity. Organizations must stay vigilant and employ advanced detection technologies to protect against these increasingly sophisticated attacks.