If you think that Google Forms is the only cloud-based survey service that can be exploited for Cloudphishing, you will be disappointed. The Microsoft 365 Suite has a similar service called Microsoft Forms that offers cyber criminals the same flexibility and simplicity in launching phishing campaigns as its Google counterpart. The screenshot below gives an idea of the flexibility of the service. In this example Microsoft Forms has been used to host a fake ‘Microsoft Team’ (note the missing s) login page:

Figure 1: Fake Microsoft Teams login page built on Microsoft Forms

In a recent phishing campaign discovered by Abnormal Security, the threat actors jumped on the COVID-19 bandwagon, impersonating the U.S. Small Business Administration to steal the credentials of victims who believed they were applying for a Paycheck Protection Program (PPP) loan, one of the US Coronavirus financial relief schemes to help small businesses during the COVID-19 crisis. At the time of writing, the page was still online despite it being several days since the attack campaign was discovered. (See: https://urlscan.io/result/

Figure 2: Fake application for a Paycheck Protection Program (PPP) loan

As we have discussed several times, Cloud services are the ideal weapon to launch phishing attacks since they:

Threat Mitigation

Netskope Next Generation Secure Web Gateway provides granular visibility for Microsoft Forms, Google Forms and thousands of cloud applications (besides the web traffic), allowing the enforcement of DLP & threat protection. In this specific case it is possible to create a simple DLP policy that prevents the submission of specific information inside the rogue form. The following policy warns users if they are submitting a corporate domain (dummy.com) into an unrecognized Microsoft Forms page. The domain “dummy.com” is the custom identifier used in the “DLP-Phishing” custom profile. Of course it is possible to use a more sophisticated DLP profile, combining one or more custom identifiers with any of the 3,000 predefined ones, and also to enforce a more restrictive block action.

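A simplified model of the decision such a policy makes, as an added example (not Netskope's policy engine or configuration). It assumes the proxy has already decoded each submission into a record; the record fields, host set and sanctioned-form list are hypothetical.

```python
import re

# Assumptions for this sketch: the proxy has already decoded the submission
# into a record; the field names below are hypothetical, not a vendor schema.
FORM_HOSTS = {"forms.office.com", "docs.google.com"}
SANCTIONED_FORMS = {"constructed-hr-survey-id"}   # forms the organisation owns
CORPORATE_DOMAIN = "dummy.com"                    # custom identifier from the article

# Match the domain on its own, in an address (user@dummy.com) or as a
# subdomain, but not inside look-alikes such as notdummy.com or dummy.com.example.
IDENTIFIER = re.compile(
    r"(?<![A-Za-z0-9-])" + re.escape(CORPORATE_DOMAIN) + r"(?![A-Za-z0-9-]|\.[A-Za-z0-9])",
    re.IGNORECASE,
)

def evaluate_submission(record, action="warn"):
    """Return (verdict, matching_field_names) for one decoded form submission."""
    if record["host"].lower() not in FORM_HOSTS:
        return "allow", []            # not a form service: out of this policy's scope
    if record["form_id"] in SANCTIONED_FORMS:
        return "allow", []            # recognised corporate form
    hits = sorted(name for name, value in record["fields"].items()
                  if IDENTIFIER.search(value))
    return (action, hits) if hits else ("allow", [])

# Constructed sample submissions (not real traffic).
SAMPLES = [
    {"host": "forms.office.com", "form_id": "constructed-unknown-id",
     "fields": {"email": "alice@dummy.com", "password": "x"}},
    {"host": "forms.office.com", "form_id": "constructed-hr-survey-id",
     "fields": {"email": "bob@dummy.com"}},
    {"host": "forms.office.com", "form_id": "constructed-unknown-id",
     "fields": {"email": "carol@notdummy.com"}},
    {"host": "docs.google.com", "form_id": "constructed-other-id",
     "fields": {"site": "dummy.com.example"}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["form_id"], evaluate_submission(sample))
```

Passing `action="block"` models the more restrictive enforcement mentioned above.
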
Figure 3: Example of a DLP Policy on Google Forms

This is the result for the page of the PPP example:

Figure 4: Block of the fake PPP loan application page

The outcome is no different in the case of the Microsoft Team(s) page:

Another example of a real-world campaign that can be mitigated by our Next Generation SWG.

Stay safe,