Phishing
Attackers are using Microsoft Forms for a very clever and plausible spear-phishing attack. The attacks started around December 2018, and the campaign has been fairly successful.
Users receive the following email, or something very similar:
The email often comes from an internal source or a known contact, contains a signature and is sent from the correct email address, so to the user it is a legitimate email. The problem is that the sender's account has already been compromised, which makes the message very difficult for security tools to identify.
The attachment in this example is called ‘Scan Copy – 17272189.pdf’; we have also seen attachments called ‘Invoice xxxxx’ or ‘Document xxx’. However, these are not real attachments, just a picture designed to look like one.
Clicking on the ‘attachment’ takes you to a web page that has been built with Microsoft Forms. Using Forms, the attackers have produced an official-looking form served from an ‘office.com’ URL. Again, this adds credibility for both the user and any security product: a Microsoft URL looks very legitimate.
Spotting The Scam
However, once you start to look more carefully you can spot the tell-tale signs of a scam:
- The logo is for Forms, but the text says OneDrive
- The URL is forms.office.com but everything else says OneDrive
- The password box says ‘Enter your answer’ rather than ‘Enter your password’. This shows it is a question box, not a password entry box.
- There is a warning not to give out your password directly under the box that asks you to click Submit after you have entered your password!
- Finally, you are told that the data you enter will go directly to the owner of the form. If this were legitimate it would more likely say that the data goes to Microsoft.
A further indicator is that the password entry box is plain text.
As you will no doubt be aware, password boxes normally mask the text as you type, as in the example we have shown.
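The indicators above can be turned into a simple triage check. The following script is an added example written for this post, not code from the original campaign analysis or from Microsoft; it scans a constructed sample email for an image posing as an attachment that links to a Forms page, and scans the constructed visible text of such a form for the checklist items (OneDrive wording, a password question labelled ‘Enter your answer’, the password warning, and the ‘owner of the form’ notice). The host list, indicator names and sample content are assumptions for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample e-mail body in the style described in the post:
# a picture that looks like a PDF attachment, wrapped in a link to a Forms page.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi, please see the attached scan.</p>
<a href="https://forms.office.com/Pages/ResponsePage.aspx?id=EXAMPLE-ID">
  <img src="cid:img001" alt="Scan Copy - 17272189.pdf">
</a>
<p>Regards,<br>Finance Team</p>
</body></html>
"""

# Constructed sample of the visible text of a credential-harvesting form.
SAMPLE_FORM_TEXT = """
OneDrive
Enter your email address and password to view the shared document.
Email address
Enter your answer
Password
Enter your answer
Never give out your password.
Submit
This content is created by the owner of the form.
The data you submit will be sent to the form owner.
"""

# Hosts that serve Microsoft Forms pages (assumed list for this example).
FORMS_HOSTS = {"forms.office.com", "forms.microsoft.com"}
# Attachment-style names seen in the campaign, plus common document extensions.
ATTACHMENT_NAME = re.compile(r"(scan copy|invoice|document)|\.(pdf|docx?|xlsx?)\b", re.I)


class _LinkImageScanner(HTMLParser):
    """Collects links that wrap an image, i.e. pictures posing as attachments."""

    def __init__(self):
        super().__init__()
        self._href = None
        self.image_links = []  # list of (href, alt text)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
        elif tag == "img" and self._href:
            self.image_links.append((self._href, a.get("alt", "")))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def host_of(url):
    """Return the lower-cased host part of an http(s) URL, or '' if none."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def email_indicators(html):
    """Indicators for an e-mail whose 'attachment' is really an image linking to Forms."""
    scanner = _LinkImageScanner()
    scanner.feed(html)
    findings = []
    for href, alt in scanner.image_links:
        if host_of(href) in FORMS_HOSTS:
            findings.append("image-link-to-forms")
            if ATTACHMENT_NAME.search(alt):
                findings.append("attachment-lookalike-image")
    return findings


def form_indicators(text):
    """Indicators from the visible text of a Forms page, following the post's checklist."""
    t = text.lower()
    findings = []
    if "onedrive" in t:
        findings.append("brand-mismatch-onedrive")
    if "password" in t and "enter your answer" in t:
        findings.append("password-field-is-question")
    if "give out your password" in t:
        findings.append("password-warning-present")
    if "owner of the form" in t or "form owner" in t:
        findings.append("data-goes-to-form-owner")
    return findings


def is_suspicious(email_html, form_text, threshold=2):
    """True when the e-mail plus landing page together hit at least `threshold` indicators."""
    return len(email_indicators(email_html)) + len(form_indicators(form_text)) >= threshold


if __name__ == "__main__":
    print("email:", email_indicators(SAMPLE_EMAIL_HTML))
    print("form: ", form_indicators(SAMPLE_FORM_TEXT))
    print("suspicious:", is_suspicious(SAMPLE_EMAIL_HTML, SAMPLE_FORM_TEXT))
```

The email-side check is the one most useful to a mail gateway or a SOC enrichment step, since it needs only the message body; the form-side check requires the visible text of the landing page, which Forms renders client-side, so it is best run on text captured from a sandboxed browser visit rather than a plain HTTP fetch.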
The Objective of The Attacks
Once the attackers have gained control of an Office 365 account, current observations suggest that they actively search the victim's emails for any conversations about finance and payments. The goal appears to be either to intercept an ongoing conversation and convince the participants that there has been a problem at one recipient's end, or that the payment chain and bank details need to be updated. Alternatively, the attackers look for someone in the original victim's contact list who deals with finances and send them the malicious links, hoping to gain a foothold in that area.
There is no evidence at this stage that the attackers have any interest in gaining access to the network or delivering ransomware. Although clever in its use of Microsoft Forms to lend legitimacy to the login page, this is still very much a basic phishing attack.