Threat actors are abusing Google Docs Forms as part of a cyber campaign to steal Office 365 credentials.
Security experts at Cofense spotted an increase in phishing campaigns targeting Office 365 email users in the past couple of weeks. The attackers used Google Docs Forms to trick victims into “updating their Office 365” credentials.
How did they do it?
According to Cofense, the threat actor likely stole an email account with privileged access to finance firm CIM Finance. They then used the compromised account to send out phishing emails that would pass email security checks (e.g., DKIM and SPF).
“This threat actor set up a staged Microsoft form hosted on Google that provides the authentic SSL certificate to entice end recipients to believe they are being linked to a Microsoft page associated with their company,” Kian Mahdavi of Cofense said in a blog post.
However, the fake Microsoft page is actually linked to an external website hosted by Google.
The email also includes a notification from the “IT corporate team” and urges users to “update your Office 365” account, which it claims has expired. The login page itself looks suspicious and is a “substandard imitation.”
Once victims enter their credentials into the fake Office 365 login page, the credentials are passed along to the cybercriminals via Google Drive.
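A detection check for the pattern described above, as an added example that is not from the original article or from Cofense: it flags a message that uses Office 365 or Microsoft wording while linking to a Google Form, and does not let an SPF/DKIM pass clear it. The sample message, its addresses and the form ID are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not taken from the Cofense report); names and IDs are placeholders.
SAMPLE = """\
From: IT corporate team <it@finance.example>
To: user@victim.example
Subject: Update your Office 365
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=finance.example;
 dkim=pass header.d=finance.example
Content-Type: text/plain; charset=utf-8

Your Office 365 account has expired. Update it here:
https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/viewform
"""

BRAND = re.compile(r"office\s*365|microsoft", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)
AUTH = re.compile(r"\b(spf|dkim)=(\w+)", re.I)

def is_google_form(url):
    """True for links that open a Google Form (full URL or forms.gle short link)."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return host == "forms.gle" or (host == "docs.google.com" and parts.path.startswith("/forms/"))

def body_text(msg):
    """Concatenate every text/* part of the message, decoded to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def analyze(raw_message):
    msg = message_from_string(raw_message)
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    results = " ".join(msg.get_all("Authentication-Results", []))
    auth = {k.lower(): v.lower() for k, v in AUTH.findall(results)}
    forms = [u for u in URL.findall(text) if is_google_form(u)]
    # SPF/DKIM "pass" is reported but never clears the message:
    # mail sent from a compromised legitimate account passes both.
    return {"auth": auth, "form_links": forms,
            "suspicious": bool(BRAND.search(text)) and bool(forms)}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```
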