Cybercriminals are increasingly using Microsoft Office Forms to launch sophisticated two-step phishing attacks. At present, certain individuals are being tricked into divulging their Microsoft 365 (M365) login information through Office Forms.

Threat actors use the technique known as “external account takeover” or vendor email compromise to launch two-step phishing attacks throughout supply chains, using the email addresses of compromised business partners and vendors.

“The attack originates from compromised legitimate accounts, making it difficult for email security solutions to flag the emails as malicious,” Perception Point’s security research team said in a report shared with Cyber Security News.

Perception Point published a free guide to prevent Vendor Email Compromise (VEC), one of the most challenging threats to detect and prevent. In 2023, VEC attacks grew by 350% compared to the previous year.

How the Attack Is Executed

Using Microsoft Office Forms, attackers design forms that appear legitimate while hiding harmful links within them. 

Then, impersonating reputable brands and services such as Adobe or the Microsoft SharePoint document viewer, these forms are bulk-emailed to targets, posing as legitimate requests such as password changes or access to critical documents.

Two-step phishing campaign exploiting Microsoft Office Forms (Source: Perception Point)

The form asks the user to click a link to view the document and complete the questionnaire; it looks authentic and is hosted on a trusted website.

Here is an email with a link to a Microsoft Office form sent to the victim.

A sample M365-looking error message prompts users to restore their Outlook messages.

Malicious URL disguised as a necessary step for M365 authentication on an Office Form

When a user clicks the link, they are taken to a fake login page, such as an Adobe or Microsoft 365 account page, intended to collect login credentials.

According to Perception Point, attackers use well-known favicons and enticing page titles to increase the apparent legitimacy of their forms. Favicons are the small icons that appear in the browser tab, and by reusing Microsoft-related icons, attackers boost the apparent authenticity of their fake pages.

With the legitimate https://forms.office.com URL, the attackers can create a convincing “look and feel” of a Microsoft page.

This is a two-step phishing attack because the attacker first abuses well-known, legitimate services such as Office Forms, Canva and several others to host the initial link.

In step two, the user clicks another link on the legitimate website, which takes them to a fake page where their credentials are stolen.

An additional variation detected by Perception Point mimics Adobe on the two-step phishing login page.

Adobe phishing page (Credits: Perception Point)

Researchers recommended an advanced object detection model to thwart two-step phishing attacks. The model mimics the victim’s engagement by screenshotting every web page and identifying clickable elements.

This method ensures that a malicious payload is identified and blocked in later stages, even if the original link seems harmless.

How Does It Evade Gateways?

Two-step phishing attacks evade detection by using compromised legitimate accounts, which makes it hard for email security solutions to recognize the emails as malicious.

Recipients are more likely to trust and interact with emails from familiar senders. Initially, the link in the email directs to a reputable website, which helps bypass security filters.

The malicious activity is only revealed in the second stage, where the phishing attempt occurs, increasing the attack’s chances of success.
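As an added example (not Perception Point’s code or their object-detection model), the following Python heuristic approximates the second-stage check described above: it parses a constructed first-hop page on forms.office.com and flags the links that leave the trusted host while the page’s title or favicon borrows a Microsoft or Adobe brand. The host lists, brand words and HTML are assumptions constructed for illustration.

```python
"""Added example (not Perception Point's code): scan a trusted first-hop page for
off-platform links while the page borrows a Microsoft/Adobe brand. All constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_FIRST_HOP = {"forms.office.com"}   # hosts a gateway would let through
BRAND_HOSTS = ("microsoft.com", "office.com", "live.com", "adobe.com")  # assumption
BRAND_WORDS = ("microsoft", "office 365", "sharepoint", "outlook", "adobe")

class PageScan(HTMLParser):
    """Collects the <title>, favicon href and every <a href> on a page."""
    def __init__(self):
        super().__init__()
        self.title, self.favicon, self.links, self._in_title = "", "", [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "link" and "icon" in (a.get("rel") or "") and a.get("href"):
            self.favicon = a["href"]
        self._in_title = tag == "title"
    def handle_endtag(self, tag):
        self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def is_brand_host(host):
    return any(host == b or host.endswith("." + b) for b in BRAND_HOSTS)

def second_hop_findings(first_hop_html):
    """Links on a trusted first-hop page that are the likely real payload: they
    leave the trusted host while the page claims a brand the target host lacks."""
    scan = PageScan()
    scan.feed(first_hop_html)
    claimed = any(w in (scan.title + " " + scan.favicon).lower() for w in BRAND_WORDS)
    out = []
    for link in scan.links:
        host = urlparse(link).hostname or ""
        if host and host not in TRUSTED_FIRST_HOP and claimed and not is_brand_host(host):
            out.append(link)
    return out

# Constructed first-hop page on forms.office.com, titled like a SharePoint viewer.
SAMPLE_FORM_HTML = """<html><head><title>SharePoint Document Viewer</title>
<link rel="icon" href="https://forms.office.com/favicon.ico"></head><body>
<a href="https://forms.office.com/help">Help</a>
<a href="https://m365-docview.example.net/login">Click here to view the document</a>
</body></html>"""
```

Calling second_hop_findings(SAMPLE_FORM_HTML) returns only the off-platform “view the document” link; a plain survey page with no brand claim returns nothing.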

Ensuring Security Against the Attack

Users should exercise caution when receiving emails that ask for their credentials in order to protect themselves from this phishing campaign. Here are a few suggestions:

  • Safeguard your business emails with the advanced protection of AI-powered email security.
  • Exercise caution when receiving emails that request your login information, even if they appear to come from a reputable sender.
  • Always verify the authenticity of an email by contacting the sender directly.
  • Always exercise caution when entering your credentials online; only provide your information on websites that have a valid SSL certificate.
  • Enhance the security of your account by implementing two-factor authentication (2FA).
  • Keep your software and operating system updated by installing the latest security patches.

The two-step phishing campaign exploiting Microsoft Office Forms is a highly advanced attack that can result in significant repercussions. By staying informed about potential attacks and taking the necessary precautions, you can effectively safeguard yourself against falling prey to this phishing campaign.

This article first appeared in Cyber Security News, written by Balaji N on July 27, 2024.