How Are Hackers Using Microsoft Office Forms for Two-Step Phishing?

Cybercriminals are increasingly leveraging Microsoft Office Forms to launch sophisticated two-step phishing attacks, tricking users into divulging their Microsoft 365 (M365) login information. Victims are still falling for these schemes, which shows how effectively attackers exploit familiar platforms. The technique, known as “external account takeover” or “vendor email compromise,” allows threat actors to infiltrate supply chains by compromising the email accounts of business partners and vendors. These compromised accounts are then used to send phishing emails that appear legitimate, effectively bypassing traditional email security solutions.

Design Authentic-Looking Forms

Using Microsoft Office Forms, cyber attackers create forms that appear genuine while concealing malicious links within them. By doing so, they exploit the inherent trust that users place in Microsoft’s widely recognized and frequently utilized platforms. The forms are designed meticulously to mimic the look and feel of legitimate requests, such as those asking for password changes or access to critical documents. These malicious forms often incorporate familiar branding elements, including logos, colors, and layout styles that users associate with reputable companies like Adobe or Microsoft.

Perception Point’s security research team revealed that one of the primary reasons these phishing attempts are so effective is their ability to originate from compromised legitimate accounts, making them harder for email security solutions to detect. Attackers cleverly use these authentic-looking forms to mask harmful links, which leads unsuspecting users down a path toward credential theft. As sophisticated as these attacks are, they rely heavily on the gullibility of users who assume that a form hosted on a legitimate platform like Microsoft Office Forms must be trustworthy.

Send Bulk Emails

The forms are then distributed in large quantities via email, posing as legitimate requests like password changes or access to crucial documents. By sending these emails in bulk, cybercriminals maximize their chances of trapping unsuspecting victims. Typically, these phishing emails are carefully crafted to appear as routine business communications from credible sources. From a broad perspective, this phishing method capitalizes on the inherent trust employees have in their company’s communication channels and regular operations.

Recipients are more likely to be deceived as these emails ostensibly come from known senders or business partners. The email content is persuasive, often invoking a sense of urgency that prompts immediate action from the recipients. Examples include subject lines indicating a password expiry notice, an urgent document review request, or a crucial update requiring user action. This psychological manipulation creates a sense of immediacy, leading recipients to click on the included links without scrutinizing their authenticity.

Direct to Fake Login Page

When a user clicks the link, they are redirected to a counterfeit login page, such as an Adobe or Microsoft 365 account page, designed to capture login credentials. This redirection is a pivotal step in the two-step phishing attack process. Once on the fake login page, users are prompted to enter their credentials, believing they are accessing a legitimate service. The pages are often indistinguishable from the real ones, featuring accurate branding, typography, and layout that replicate the original platforms.

The sophistication of these fake login pages is a critical factor in the success of the phishing attack. Attackers employ various techniques to make the fake pages look credible. They utilize cascading style sheets (CSS) and other web development tools to ensure that every detail mirrors those of the original login pages. This level of meticulousness in design aims to ensure that even tech-savvy individuals might be fooled into providing their credentials. Once the credentials are entered, the attackers then capture and misuse them, often leading to further unauthorized access and potential data breaches.

Utilize Realistic Icons and Titles

Attackers use recognizable favicons and engaging page titles to enhance the authenticity of their forms. Favicons are small icons displayed in the browser tab, and by using Microsoft-related icons, attackers increase the credibility of their fake pages. The visual cues such as Microsoft’s signature icons or Adobe’s familiar logos play a crucial role in lowering the guard of the victims. These icons act as trust anchors, making the entire phishing attempt appear legitimate and harmless.

Additionally, the page titles are crafted to mimic those used by authentic Microsoft or Adobe pages. For example, a fake Microsoft login page might display a title like “Microsoft Account Sign-In” or “SharePoint Document Viewer,” compelling users to think they are on a secure, verified site. By manipulating the visual and textual elements of the web pages, attackers achieve a convincing level of legitimacy. This tactic significantly enhances the success rate of their phishing campaigns, as users seldom examine the finer details of the web pages they interact with, especially when the overarching visual cues denote a trusted platform.

Execute Two-Step Phishing Attack

This is a dual-phase phishing attack where the attacker first takes advantage of well-known platforms like Office Forms or Canva. Step two occurs when the user clicks another link on the legitimate site that redirects them to a fake page to steal credentials. Initially, the user is led to a familiar platform, which establishes a sense of security and trust. This trust is subsequently exploited when the user is asked to click a secondary link that redirects them to a fraudulent page.

In this second phase, the fake login page seamlessly integrates elements from the initial trusted platform. For instance, a user might first interact with an Office Form seemingly hosted by Microsoft, only to be redirected to a counterfeit Microsoft 365 login page after clicking a link. The complexity of this two-step process makes it incredibly challenging for traditional security measures to detect and prevent these attacks. The initial interaction on a legitimate platform often bypasses security filters, and by the time the user is redirected to the fraudulent page, it is often too late to thwart the attack.

Advanced Detection Model

Researchers suggest an advanced object detection model that screens every webpage, identifies clickable elements, and mimics the victim’s actions. This approach detects and prevents malicious payloads even if the initial link appears benign. By incorporating advanced machine learning algorithms and AI-powered detection techniques, cybersecurity teams can enhance the robustness of their defense mechanisms. This model essentially automates the task of scrutinizing each webpage’s content and structure, identifying potential threats embedded deep within them.

The object detection model works by systematically screenshotting webpages and evaluating their interactive elements. If any malicious elements are detected during this simulated user interaction, the threat is neutralized immediately. This sophisticated approach ensures that even if the phishing attempt is concealed behind a seemingly harmless link on a trusted platform, it can still be identified and blocked before causing any real damage. The key advantage here is the model’s ability to simulate user engagement, which exposes hidden threats that might otherwise evade detection through conventional security measures.

Evade Email Gateways

Two-step phishing attacks evade detection by leveraging compromised legitimate accounts, making it difficult for email security solutions to flag the emails as malicious. Recipients are more likely to trust and act on emails from known senders. The link in the email initially points to a reputable website, which helps it pass security filters. The true malicious intent is revealed only in the subsequent stage of the attack, significantly increasing its chances of success.

This evasion technique exploits the gap in traditional email security measures that primarily focus on identifying malicious content within the original email. By using compromised accounts, attackers add a layer of deception that lends credibility to their emails. These emails are less likely to raise suspicion as they appear to come from trusted sources within the organization or the business network. This aspect of the attack underscores the importance of using comprehensive security solutions that can analyze and monitor beyond the superficial email content, focusing on the overall behavior and context of the communications.
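The sections on realistic icons and titles, the advanced detection model, and gateway evasion all point at the same defensive gap: the first link is on a trusted platform, so the page it leads to has to be inspected too. The following is an added example, not code from the article or from Perception Point, of that second-hop check in a minimal offline form: it parses a page hosted on a trusted platform, pulls out the clickable links that leave that platform, and then checks whether each landing page claims a brand (via its `<title>` or favicon) while sitting on a host that does not belong to that brand. The two HTML pages, the hostname `docs-viewer.example`, the brand allowlists and the `fetch` callback are all constructed assumptions for the demo; a production version would render pages in a sandboxed headless browser and act on screenshots and DOM state rather than static HTML.

```python
"""Second-hop lure and brand-impersonation check (added example, not the
article's or Perception Point's code). Walks one hop past a page on a trusted
platform and flags landing pages whose title/favicon claims a brand that the
hosting domain does not belong to."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed allowlists for the demo: hosts that may legitimately carry each
# brand's sign-in branding. Tune these to your tenant before relying on them.
BRAND_HOSTS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "office.com",
                  "live.com", "sharepoint.com"),
    "adobe": ("adobe.com",),
}
# Words in a page title or favicon URL that amount to a brand claim.
BRAND_KEYWORDS = {
    "microsoft": ("microsoft", "office 365", "sharepoint", "onedrive", "outlook"),
    "adobe": ("adobe", "acrobat"),
}


class _PageParser(HTMLParser):
    """Collects anchor hrefs, favicon hrefs and the <title> text."""

    def __init__(self):
        super().__init__()
        self.links, self.favicons, self.title = [], [], ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "link" and "icon" in (a.get("rel") or "").lower() and a.get("href"):
            self.favicons.append(a["href"])
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _host_in(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def extract_outbound_links(html, page_url):
    """Absolute http(s) links on the page whose host differs from the page's own host."""
    p = _PageParser()
    p.feed(html)
    platform = (urlparse(page_url).hostname or "").lower()
    out = []
    for href in p.links:
        absu = urljoin(page_url, href)
        host = (urlparse(absu).hostname or "").lower()
        if absu.startswith(("http://", "https://")) and host != platform:
            out.append(absu)
    return out


def brand_mismatch(html, page_url):
    """Return the brand a page impersonates (title/favicon claims it, host is not
    on that brand's allowlist), or None when no mismatch is found."""
    p = _PageParser()
    p.feed(html)
    host = (urlparse(page_url).hostname or "").lower()
    signals = [p.title.lower()] + [urljoin(page_url, f).lower() for f in p.favicons]
    for brand, words in BRAND_KEYWORDS.items():
        claimed = any(w in s for s in signals for w in words)
        if claimed and not _host_in(host, BRAND_HOSTS[brand]):
            return brand
    return None


def triage_two_step(form_html, form_url, fetch):
    """Inspect every off-platform link on a trusted page. `fetch(url)` returns the
    landing page's HTML or None; here it is a dict lookup over constructed pages."""
    findings = []
    for target in extract_outbound_links(form_html, form_url):
        landing = fetch(target)
        brand = brand_mismatch(landing, target) if landing is not None else None
        findings.append({"target": target, "impersonates": brand,
                         "verdict": "block" if brand else "review"})
    return findings


# Constructed sample pages: a lure hosted on the trusted platform, and the
# off-platform landing page it links to, which imitates a Microsoft sign-in.
FORM_URL = "https://forms.office.com/r/constructed-id"
FORM_HTML = """<html><head><title>Document Access Request</title></head>
<body><p>Your document is ready.</p>
<a href="https://docs-viewer.example/view?id=42">Open document</a>
<a href="/r/help">Help</a></body></html>"""
LANDING_HTML = """<html><head><title>Microsoft Account Sign-In</title>
<link rel="shortcut icon" href="https://docs-viewer.example/microsoft.ico"></head>
<body><form action="/collect"><input name="password"></form></body></html>"""
PAGES = {"https://docs-viewer.example/view?id=42": LANDING_HTML}


def demo():
    return triage_two_step(FORM_HTML, FORM_URL, PAGES.get)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The on-platform `/r/help` link is ignored because it stays on `forms.office.com`; the off-platform link is followed, and its landing page is blocked because the title and favicon claim Microsoft while the host is not on the Microsoft allowlist. Keeping the brand allowlist explicit is the design choice that matters: a lookalike host is exactly what the attacker controls, so the verdict must rest on where the page is served from, not on how it looks.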

Security Recommendations

Cybercriminals are increasingly using Microsoft Office Forms to execute sophisticated two-step phishing attacks that deceive users into giving up their Microsoft 365 login credentials, and victims continue to fall for these schemes. The technique, referred to as “external account takeover” or “vendor email compromise,” lets attackers infiltrate supply chains by compromising the email accounts of business partners and vendors, then sending phishing emails from those accounts that appear legitimate and bypass traditional email security measures. These emails lure recipients into clicking malicious links or downloading harmful attachments, giving the attackers unauthorized access to sensitive information and systems. The prevalence of these attacks underscores the need for robust security controls and heightened vigilance among users. Businesses should prioritize training employees to recognize phishing attempts and deploy security solutions that inspect the pages a link leads to, not just the content of the original email.
