Netskope: Cloud Threats Memo (Cloudphishing)

Get a FREE personalised SASE assessment from Netskope!

If you think that Google Forms is the only the cloud-based survey service that can be exploited for Cloudphishing, you will be disappointed. The Microsoft 365 Suite has a similar service called Microsoft Forms that offers cyber criminals the same flexibility and simplicity in launching phishing campaigns as its Google counterpart.

The screenshot below gives an idea of the flexibility of the service. In this example Microsoft Forms has been used to host a fake ‘Microsoft Team’ (note the missing s) login page:

Figure 1: Fake Microsoft Teams login page built on Microsoft Forms

In a recent phishing campaign discovered by Abnormal Security, the threat actors jumped on the COVID-19 bandwagon, impersonating the U.S. Small Business Administration to steal the credentials of victims who believed they were applying for a Paycheck Protection Program (PPP) loan, one of the US Coronavirus financial relief schemes to help small businesses during the COVID-19 crisis.

At the time of writing, the page was still online despite it being several days since the attack campaign was discovered. (See: https://urlscan.io/result/e53958b4-294d-47f7-94c6-e1843f19d510/).

Figure 2: Fake application for a Paycheck Protection Program (PPP) loan

As we have discussed several times, Cloud services are the ideal weapon to launch phishing attacks since they:

Can evade email security gateways because the URL in the email body belongs to a legitimate service
Are trusted by users who recognize a domain belonging to a legitimate organization and a valid certificate (even if the page layout is very simple and include specific warnings not to submit passwords)
Let the attackers build phishing pages very quickly and move them across different instances without all the additional tasks involved with “traditional” hosting.

In the current landscape there are also some additional factors that, if possible, make the picture even worse:

The remote workforce has increased exponentially since the beginning of the pandemic. Users now consider cloud services essential tools for their work (it’s no coincidence that the first example of cloudphishing simulates a Microsoft Team(s) login page), and simultaneously use both work and personal instances of cloud services such as email and storage on their device.
These campaigns exploit the COVID-19 urgency to lure the victims.

Threat Mitigation

Netskope Next Generation Secure Web Gateway provides granular visibility for Microsoft Forms, Google Forms and thousands of cloud applications (besides the web traffic), allowing the enforcement of DLP & threat protection.

In this specific case it is possible to create a simple DLP policy that prevents the submission of a specific info inside the rogue form. The following policy warns users if they are submitting a corporate domain (dummy.com) into an unrecognized Microsoft Forms page. The domain “dummy.com” is the custom identifier used in the “DLP-Phishing” custom profile.

Of course it is possible to use a more sophisticated DLP profile, combining one or more custom identifiers with any of the 3,000 predefined ones, and also to enforce a more restrictive block action.