An uptick in phishing attempts using a fake and badly created Office 365 credentials update form is taking place, according to a new Cofense report.
Not only is the form, which is linked to in the email, riddled with typos and capitalization errors, but it is actually a Google Forms document, something Microsoft is unlikely to use under any circumstances.
The Cofense Phishing Defense Center found the malicious actors did go to great lengths in some respects to make their scam appear legitimate. The email itself originates from a real company, the financial services provider CIM Finance, and they used the CIM Finance website to host the emails to help bypass basic email security checks.
A further evasive step is hosting the form on Google, so the page carries a valid SSL certificate and recipients believe they are being taken to a Microsoft page. The URL, however, points to an external Google page.
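A simple mail-filter check for the mismatch described above, written as an added example (not code from Cofense or the report): it parses an email body, and when the text claims to be about a Microsoft or Office 365 account but a link resolves to a Google Forms host, it flags the link. The host list, brand terms and the sample message are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts used by Google Forms; a genuine Microsoft account notice would not send
# users here for a credential update (constructed list for this example).
FORM_HOSTS = {"docs.google.com", "forms.gle"}
# Brand wording that the email body uses to lend the lure legitimacy.
BRAND_TERMS = re.compile(r"office\s*365|microsoft", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs and all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # (href, anchor text) pairs found in the body
        self.text = []       # every visible text fragment, for the brand check
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        self.text.append(data)
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def flag_brand_host_mismatch(html_body):
    """Return links whose destination is a Google Forms host inside an email
    whose text claims to concern a Microsoft / Office 365 account."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    parser.close()
    claims_brand = BRAND_TERMS.search(" ".join(parser.text)) is not None
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if claims_brand and host in FORM_HOSTS:
            findings.append({"href": href, "host": host, "anchor_text": text.strip()})
    return findings


# Constructed sample lure modelled on the campaign; the form ID is a placeholder.
SAMPLE_EMAIL = (
    "<p>From: IT Corporate Team</p>"
    "<p>Your Office 365 account has expired. Update your account now or it "
    "will be suspended.</p>"
    '<a href="https://docs.google.com/forms/d/e/EXAMPLE-FORM-ID/viewform">'
    "Update Account</a>"
)
```

Running `flag_brand_host_mismatch(SAMPLE_EMAIL)` returns one finding for the docs.google.com link; a Google Forms link in a message that never mentions Microsoft is left alone.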
The email claims to be from the IT corporate team and states the person’s Office 365 account has expired and unless the individual clicks the link and updates the account it will be suspended.
At this point all the professionalism employed by the attackers disappears.
“Upon clicking the link, the end user is presented with a substandard imitation of the Microsoft Office365 login page, as seen in figure 3, that does not follow Microsoft’s visual protocol. Half the words are capitalized, and letters are replaced with asterisks; examples include the word ‘email’ and the word ‘password.’ In addition, when end users type their credentials, they appear in plain text as opposed to asterisks, raising a red flag the login page is not real,” Cofense said.
Since this is a Google Form, any information entered into it becomes available to the form’s creator.