Phishing Attacks Abuse Microsoft Office Surveys

July 24, 2019 | by David Pickett | microsoft 365, advanced email security, phishing

Phishing Attacks Abuse Microsoft Office Excel & Forms Online Surveys

While many malicious attackers have been busy exploiting Microsoft Azure to launch phishing and malware attacks, lesser-skilled actors have increasingly turned to Microsoft Excel or Forms online surveys. It's extremely easy to craft a malicious phishing site using the built-in survey template that Microsoft provides. Deploying a phishing kit created by others is fairly easy for many enterprising phishers, but anyone can craft a malicious survey form using one of the Excel or Forms survey templates in a matter of minutes.

During the past couple of months, we've seen a daily increase in attackers adopting this method. Our advanced email security filter is capturing new variants daily. Users should be very cautious of any unsolicited link to forms.office.com or onedrive.live.com, because these legitimate Microsoft sites are being abused for these attacks.

How the Attack Works

Microsoft provides templates for its Excel and Forms online services that run the full spectrum of options. A few examples are monthly budgets, project timelines, daily schedules, timesheets, or even workout logs. These templates are extremely handy for maximizing efficiency when working with various forms of data. However, attackers are using the online survey template to create phishing attacks. All they have to do is create a survey that matches whatever scam email they would like to send. Since attackers can populate these survey templates with any question they wish, they will try to obtain the recipient's email address and password, or some other type of personally identifiable information, to use in follow-up attacks.

The more popular phishing themes used with this method claim unread voicemails, exceeded mail quotas, unpaid invoices, and mailbox sync errors. However, the possibilities are limited only by the attacker's creativity. Some attackers have also resorted to embedding the phishing site link inside an .html attachment instead of just placing it in the email body. Microsoft provides instructions for creating these surveys on its support site, for both Excel Online and Forms Online. We were able to create a simple test example in under 5 minutes.
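As a defensive illustration of the pattern described above (an added example, not part of our filter or of the original article), the Python sketch below scans a raw email for links to the two Microsoft hosts named in this post, in the body or inside an .html attachment, and raises the priority when one of the listed lure themes is present. The function name, keyword spellings, priority labels and sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse
# Hosts the article names as abused for survey phishing.
SURVEY_HOSTS = {"forms.office.com", "onedrive.live.com"}
# Lure themes the article lists; the keyword spellings are an assumption.
THEMES = ("voicemail", "quota", "invoice", "sync error")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def scan_message(raw):
    """Find survey-host links in the body or in .html attachments."""
    msg = message_from_string(raw)
    findings, texts = [], [msg.get("Subject", "")]
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        html_file = name.endswith((".html", ".htm"))
        if part.is_multipart() or not (html_file or part.get_content_maintype() == "text"):
            continue
        data = part.get_payload(decode=True) or b""
        text = data.decode(part.get_content_charset() or "utf-8", "replace")
        texts.append(text)
        where = "attachment:" + name if html_file else "body"
        for url in URL_RE.findall(text):
            # Exact hostname match, so look-alike hosts are not counted.
            host = (urlparse(url).hostname or "").lower()
            if host in SURVEY_HOSTS:
                findings.append({"where": where, "host": host, "url": url})
    themes = [t for t in THEMES if t in " ".join(texts).lower()]
    priority = "high" if findings and themes else "review" if findings else "none"
    return {"findings": findings, "themes": themes, "priority": priority}

# Constructed sample: voicemail lure with the link inside an .html attachment.
SAMPLE = """\
From: sender@example.test
Subject: Unread voicemail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You have a new voicemail. Open the attached file to listen.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="message.html"

<a href="https://forms.office.com/r/CONSTRUCTED">Play</a>
--b1--
"""
print(scan_message(SAMPLE))
```

Because both hosts also serve legitimate surveys, a hit on its own is a reason to review the message rather than proof of phishing.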

 

Phishing Examples

  • Human Resources Survey Attack

Phishing Example - Human Resource Survey

 

The phishing site, hosted on Microsoft's onedrive.live.com, that this Human Resources survey link directs to:

Phishing Site - Hosted on Microsoft

 

  • Education Article Download Attack Email

Phishing Email - Education Article Download

The phishing site, hosted on Microsoft's onedrive.live.com, that this Education Article link leads to:

Phishing Site - Hosted on Microsoft

 

  • Forms Online Test Attack Example

The test example below is one we quickly created using Microsoft Forms. It can be abused in a similar way to the Excel attacks pictured above.

Forms Online Attack - Test Example

 

 
