Researchers are warning users to be on the lookout for form-based phishing attacks whereby scammers abuse or imitate branded file-sharing, content-sharing and productivity websites in order to trick users into giving up their credentials or their account access.

In a blog post on Thursday, Barracuda Networks says that from January through April 2020, these form-based attacks most often impersonated Google and Microsoft services, and comprised four percent of all spear phishing attacks — with 24,508 such incidents taking place in April alone.

Cybercriminals leveraged branded Google file sharing and storage websites (e.g. storage.googleapis.com and docs.google.com) 65 percent of the time, and Microsoft (e.g. onedrive.live.com, sway.office.com and forms.office.com) 13 percent of the time. Other impersonated site brands included sendgrid.net, mailchimp.com and formcrafts.com (2%) and more.

Barracuda described three varieties of attack. For the first method, attackers craft emails containing a link to a legit file-sharing site containing a picture that includes its own link. This second link leads to a phishing site.

The second method involves attackers abusing a legitimate branded web service in order to create an online form that impersonates a legitimate company’s login page. The adversaries then send prospective victims an email with a link to this fraudulent form. “These impersonation attacks are difficult to detect because they contain links pointing to legitimate websites that are often used by organizations. However, services that request account verification or password changes do not normally use these domains,” Barracuda warns.

Finally, the third attack technique involves sending a phishing email with a link to what appears to be a login page. “However, the link contains a request for an access token for an app,” the Barracuda report explains. “After login credentials are entered, the victim is presented with a list of app permissions to accept. By accepting these permissions, the victim is not giving up passwords to attackers, but rather grants the attacker’s app an access token to use the same login credentials to access the account.”

“Attacks like these are likely to go unnoticed by users for a long time. After all, they used their credentials on a legitimate website. Even two-factor authentication will do nothing to keep attackers out because their malicious app was approved by the user to access accounts,” the report continues.

To combat this threat, Barracuda recommends in-box defense that leverage AI-based email defenses, adopt multi-factor authentication, monitor against account takeovers, and improve user security awareness.