Clever Phishing Attacks using Microsoft Forms Detected by Graphus

January 21, 2020

Microsoft Forms, formerly known as Office Forms, is an online survey tool that is part of the Microsoft Office 365 product suite. It’s a relatively new product which allows for the creation of surveys, polls, and quizzes. It can be a fantastic way to collect customer feedback, measure employee satisfaction, and much more. It can also be a great way for attackers to steal employee credentials.

Below is a Microsoft Forms page used to look like a Microsoft Office365 login screen. Only problem, this is a phishing attack.


Pretty difficult to tell from first glance, right? The attacker has done a great job of making this look just like a legitimate login screen. And if an employee at your organization received a message with a link to this page, there is a good chance they would enter their credentials.

Just think about a busy employee receiving an email requesting them to login to their Office365 account to view important customer information, or view responses to an employee satisfaction survey or whatever else the fraudster may have said in the email. The recipient views this screen and thinks to themselves, the URL looks correct. It’s says…., which is a trusted, legitimate URL. It can’t be a phishing attack. So they enter their credentials. Now the entire organization is compromised.


Attackers are using Microsoft Forms because it’s easier to setup than having to create a new website (ie purchase a domain, hosting, and SSL certificate) and it is already coming from a “trusted” source, a Microsoft Forms site. For some security tools, this is all it takes to make it through existing security protocols and into the inbox of the recipient(s) – a trusted site which passes SPF. Other security tools are a little more sophisticated and look at the text in the message or website(s) from any URLs in the email and look for suspicious fields. When it comes to getting past these tools, grammar can be an important strategy. Fields that say “Email-address” and “Pass-word” versus “Email address” and “Password” don’t always trigger as a suspicious message because they are looking for the specific spelling, such as “Email”, “Email address”, or “Password”. Attackers know this and look for creative ways to get past these text-based detection algorithms. Instead of hyphens, attackers might put a space between each letter (ie P A S S W O R D), replace an “O” with a zero (ie Passw0rd), or many other variations.

Graphus® doesn’t simply rely on these basic detection mechanisms to make a determination as to whether a message is an attack or not. Our patented AI, the TrustGraph®, uses complex detection algorithms to identify highly sophisticated attacks such as the Microsoft Forms attack listed above. For this particular customer, they leverage Microsoft Advanced Threat Protection (ATP) however they received nearly 20 of these attacks in a single day that slipped right by ATP, all of which were detected instantly by Graphus®.