Attackers are using Microsoft Forms links to get past email URL protection and steal sensitive information. We were alerted to this new tactic by one of our clients in the financial services sector. They recently received a spear phishing email containing a Forms link.
In an attempt to protect firms from credential pharming and malware, several email security providers including Proofpoint, Mimecast and O365 Advanced Threat Protection re-write and scan URLs within emails to verify that the URL is safe to visit. The effectiveness of this approach has been questioned before, and now a new vulnerability involving the use of Microsoft Forms is being exploited by attackers.
Microsoft Forms is an online tool for creating quizzes and surveys and automatically collecting the results. Forms were fully released to enterprise users of Office 365 in 2018.
You create a survey or quiz via Microsoft Forms and distribute it to your audience by embedding a link in an email. To fill out the form, a recipient will click the link within the email and be directed to a Microsoft Form containing fields that capture whatever data the form is designed to collect.
Crucially, because the links direct users to a genuine Microsoft site, Forms links are trusted by the URL protection from Secure Email Gateways and ATP.
Attackers have become aware of this and are now using authentic Microsoft Forms to collect sensitive information from unwitting targets. Any data input into the form is automatically sent to attackers, bypassing security defenses.
Many enterprises have become overly reliant on URL protection to prevent spear phishing attacks. To make things worse, with URL protection in place, employees begin to trust the links they receive in their inbox and become less vigilant to attacks.
As attackers become more sophisticated they are finding simple ways to get past URL protection. Instead of focusing on the URL or on other payloads that can be sent in a spear phishing email, enterprises should aim to identify the actual impersonation behind the attack. This will not only reduce their vulnerability to attacks like this one, but also protect them from zero-payload attacks such as Business Email Compromise.
We have reported this attack to Microsoft and have recommended that unique client IDs are used in the Forms URLs to allow enterprises to build custom policies to warn users when the client IDs do not match. We will update you when we hear from Microsoft.