Attackers are using Microsoft Forms to exfiltrate data from enterprises

Attackers are using Microsoft Forms links to get past email URL protection and steal sensitive information. We were alerted to this new tactic by one of our clients in the financial services sector. They recently received a spear phishing email containing a Forms link.

In an attempt to protect firms from credential phishing and malware, several email security providers, including Proofpoint, Mimecast and O365 Advanced Threat Protection, re-write and scan URLs within emails to verify that each URL is safe to visit. The effectiveness of this approach has been questioned before, and now a new weakness involving the use of Microsoft Forms is being exploited by attackers.

How are they exploiting Microsoft Forms?

Microsoft Forms is an online tool for creating quizzes and surveys and automatically collecting the results. Forms were fully released to enterprise users of Office 365 in 2018.

Here's how they work.

You create a survey or quiz via Microsoft Forms and distribute it to your audience by embedding a link in an email. To fill out the form, a recipient will click the link within the email and be directed to a Microsoft Form containing fields that capture whatever data the form is designed to collect.

Crucially, because the links direct users to a genuine Microsoft site, Forms links are trusted by the URL protection in Secure Email Gateways and ATP.

Attackers have become aware of this and are now using authentic Microsoft Forms to collect sensitive information from unwitting targets. Any data entered into the form is delivered to the attacker automatically, bypassing security defenses.

[Figure: screenshot of a spear phishing attack using a Forms link sent to a Tessian client]

Many enterprises have become overly reliant on URL protection to prevent spear phishing attacks. To make things worse, with URL protection in place, employees begin to trust the links they receive in their inbox and become less vigilant to attacks.

As attackers become more sophisticated, they are finding simple ways to get past URL protection. Instead of focusing on the URL or on other payloads that can be sent in a spear phishing email, enterprises should aim to identify the actual impersonation behind the attack. This will not only reduce their exposure to attacks like this one, but also protect them from zero-payload attacks such as Business Email Compromise.

We have reported this attack to Microsoft and have recommended that unique client IDs be used in Forms URLs, so that enterprises can build custom policies that warn users when the client ID does not match their own. We will update you when we hear from Microsoft.
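As an added example (not code from the Tessian post or from any email security product), the following Python sketches the custom policy described above on the receiving side: it pulls Microsoft Forms links out of an inbound message and returns a warning when the form identifier is not one the organisation created itself. It assumes that the `id` query parameter of a forms.office.com link is the identifier to compare; the host list, the allow-list and the sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hostnames used by Microsoft Forms links (forms.office.com is the common one;
# treat this set as an assumption and confirm it against your own tenant).
FORMS_HOSTS = {"forms.office.com", "forms.microsoft.com"}

# Constructed sample allow-list: identifiers of forms the organisation created.
KNOWN_INTERNAL_FORM_IDS = {"INTERNAL-FORM-ID-EXAMPLE"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def find_forms_links(body):
    """Return (url, form_id) for every Forms link in an email body.

    The `id` query parameter is assumed to be the form identifier; links
    without one (e.g. short links) get form_id None so they are never trusted.
    """
    hits = []
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host in FORMS_HOSTS:
            ids = parse_qs(parts.query).get("id", [])
            hits.append((url, ids[0] if ids else None))
    return hits


def classify(body, known_ids=KNOWN_INTERNAL_FORM_IDS):
    """'allow' when every Forms link points at a known internal form (or there
    is no Forms link at all); 'warn' when any link carries an unknown or
    missing identifier, which is the case the URL-rewriting gateway misses."""
    links = find_forms_links(body)
    if all(form_id in known_ids for _, form_id in links):
        return "allow"
    return "warn"


# Constructed sample messages (not real attack data).
INTERNAL_MAIL = ("Please complete the onboarding survey: "
                 "https://forms.office.com/Pages/ResponsePage.aspx?id=INTERNAL-FORM-ID-EXAMPLE")
SUSPECT_MAIL = ("Action required, confirm your details here: "
                "https://forms.office.com/Pages/ResponsePage.aspx?id=EXTERNAL-FORM-ID-EXAMPLE")

if __name__ == "__main__":
    for label, mail in (("internal", INTERNAL_MAIL), ("suspect", SUSPECT_MAIL)):
        print(label, classify(mail))
```

Run the check on the original link before the gateway rewrites it, or unwrap the rewritten URL first, because the rewritten form hides the forms.office.com host and its query string.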

About Tessian

Tessian is building the world’s first Human Layer Security platform to fulfil our mission to keep the world’s most sensitive data and systems private and secure. Using stateful machine learning to analyze historical email data, Tessian’s Parallax Engine can predict, for this user at this point in time, whether an email looks like a security threat.
