Cybercrooks Employ Google Forms to Extract Login Credentials From Unsuspecting Office 365 Users


Barring a few exceptions, attacking an organization has the potential to be much more profitable than attacking a home user. Business enterprises have a lot more to lose. They process company and customer data that they don't want to see compromised, and for the most part, they know that getting their systems hacked could have major consequences. In light of this, you might think that successfully hacking a business organization requires a lot more sophistication. A recent phishing campaign that Cofense wrote about, however, shows that this is not always the case.

Office 365 users targeted by a phishing campaign

Cofense's experts said that they have seen a notable increase in the number of phishing emails aimed at Office 365 users working for businesses of all shapes and sizes. The campaign they examined more closely started with another attack.

The crooks somehow managed to compromise an email account of a person working for CIM Finance, a financial services company. After the initial attack, the criminals used CIM Finance's systems to send out a large number of phishing emails, and the fact that the messages were coming from a real company helped them pass through anti-spoofing checks like DKIM and SPF.

The emails themselves purportedly come from an "IT corporate team" that is alerting the recipient about the expiration of their Office 365 account. The message states that the user must update their password if they don't want to see their account suspended. As you might have guessed already, the "Update Now" button leads to a page that is not connected to Office 365 in any way.

Instead, the victims see a login page created with Google Forms that masquerades as Microsoft's own and asks the user for their credentials. Anything entered into the fields is sent to the crooks with the help of another free service offered by the world's favorite search engine giant – Google Drive.
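Because the messages described above pass SPF and DKIM, sender authentication cannot be the filter; the content has to be inspected. The following triage sketch is an added example, not code from Cofense or from this article. It flags mail that combines account-expiry wording with a link to a Google Forms page. The lure terms, the sample message, its placeholder domains and its form ID are all constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

LURE_TERMS = ("office 365", "password", "expir", "suspen")  # assumed from the article's wording
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def body_text(msg):
    """Concatenate every text/* part of the message, decoded to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def form_links(text):
    """Return URLs that point at Google Forms (forms.gle is its short-link host)."""
    hits = []
    for url in URL_RE.findall(text):
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if host == "forms.gle" or (host == "docs.google.com" and u.path.startswith("/forms/")):
            hits.append(url)
    return hits

def triage(raw_message):
    msg = message_from_string(raw_message)
    text = body_text(msg)
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    links = form_links(text)
    lures = [t for t in LURE_TERMS if t in text.lower()]
    return {
        # Recorded for the analyst only: a pass here is not evidence of a benign sender.
        "auth_passed": "spf=pass" in auth and "dkim=pass" in auth,
        "form_links": links,
        "lure_terms": lures,
        "suspicious": bool(links) and len(lures) >= 2,
    }

# Constructed sample message (placeholder domains and form ID).
PHISH = """\
From: IT corporate team <it@sender.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example
Content-Type: text/html; charset="utf-8"

<p>Your Office 365 account is about to expire. Update your password to avoid suspension.</p>
<a href="https://docs.google.com/forms/d/e/EXAMPLE_FORM_ID/viewform">Update Now</a>
"""
```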

A crude attack that could be very effective

The crooks didn't put a lot of effort into the attack. The fact that they start off by compromising an account at a legitimate company might fool you into thinking that they know what they're doing, but overall, they haven't shown the level of sophistication that you might have expected from a group of criminals trying to attack business users.

By using Google Forms to put together the phishing page, for example, the crooks probably managed to save a few bucks, but this did nothing to make the scam look more legitimate. Admittedly, a page served by a Google service will display a green lock icon in the address bar, which might just fool some people. Then again, less lazy phishers install SSL certificates for their carefully crafted phishing kits anyway, so this is not much of an advantage.

The bogus login form was described as "substandard" by Cofense's researchers, which isn't really a surprise considering the limitations Google Forms has. The experts said that the layout is far from convincing and that some formatting and capitalization errors give the scam away pretty quickly. The fact that a password typed into the field is displayed as plain text is sure to set off quite a few alarm bells as well. Or will it?

Without a shadow of a doubt, this is far from the most sophisticated phishing attack, but the mere fact that it exists shows that the crooks are betting on its success. Any phishing campaign relies on people's failure to spot the sometimes obvious signs of a scam, and the terabytes upon terabytes of stolen usernames and passwords that get traded on the underground markets every day show that this happens more often than it should. No attack, no matter how poorly executed it might look, should be underestimated.

February 26, 2020