Microsoft Forms being exploited by scammers

Blog

Thought Leadership

Microsoft Forms being exploited by scammers

Bear Huddleston

microsoft forms

Zix | AppRiver has been intercepting several campaigns that were using Microsoft Forms links. These links, which lead to a form asking for username and password of the target's email address could also lead to a critical breach of your emails and company.

But why Microsoft Forms? 

The scammers use these white assets in hopes of bypassing security filters and ultimately fool the recipient into thinking the link address is secured.  I covered other white assets such as OneDrive here.

Because knowledge is power, we will show you some examples of this scam as well as provide tips on how to spot them.

Roundcube Microsoft Forms

Undelivered Messages Email

This example informed the target that there were three outgoing emails waiting to be delivered. If that person would like to receive those emails, they would need to verify their information using the link below, a classic phishing strategy.

 

 

The URL, the scammer provided was a Microsoft Forms web address, and leads to the survey below:

Microsoft Forms used to collect the user Roundcube info

This survey is portrayed to be one from Roundcube, a common webmail server, and the form asks for ID and password. Note that the password field was label as "Roundcube Pas."  This is an attempt to avoid Microsoft Form spam alert.

 

Submission Page of Roundcube

After entering random characters in both fields and submitting the form, you would get this page.  No emails delivered, no verification message, nada..

Security Info Team Microsoft Forms

Notification of Undelivered Emails

In this example, the email informed the recipient that there was a "system delay" resulting in seven undelivered pieces of mail. They would need to release the email by going to the URL below. Just like above sample, the link lead to Microsoft Forms.

Another URL to Microsoft Forms

 

Warning about this form

 

Fortunately, Microsoft Forms did prompt a warning about providing sensitive information. This was most likely triggered because they correctly spelled "password" whereas the previous sample had is as "pas."

Security Info form to collect username and password

Similar to the first example, it asked for the email and password for the account. The warning sign was displayed at the top of the survey. Kudos to Microsoft.

Submission page of Security Info

 

After submission, the warning message still persisted.  Again, no delivered emails.

MORAL OF THE STORY

Microsoft Forms and other survey/form services are great at collecting information, but they also can be used for malicious intent to cause major harm to you and your business. If you come across any emails asking for sensitive information, always be on high alert. The best course of action is don't click on anything within the message - or, if you have suspicions from the beginning, do not open the email. Always report suspicious emails to your IT or email provider.

If you are an AppRiver customer, forward any suspicious emails to spam@appriver.com and our 24/7 trained cybersecurity specialists will review the email for you.

If you're not an AppRiver customer, contact us for a free trial of our Advanced Email Security