Phishers using strong tactics and poor bait in Office 365 scam

An uptick in
phishing attempts using a fake and badly created Office 365 credentials update
form is taking place, according to a new Cofense report.

Not only is the form, which is linked to in the email, riddled with typos and
capitalization errors, but it is actually a Google Forms docs form, something
Microsoft is unlikely to use under any circumstances.

The Cofense
Phishing Defense Center found the malicious actors did go to great lengths in
some respects to make their scam appear legitimate. The email itself originates
from a real company, the financial services provider CIM Finance, and they used
the CIM Finance website to host the emails to help bypass basic email security
checks.

An additional evasive step is to use Google so that the doc has an authentic
SSL certificate and the recipients will believe they are being linked to a
Microsoft page. However, the URL links to an external Google page.

The email claims to be from the IT corporate team and states that the person’s
Office 365 account has expired and that, unless the individual clicks the link
and updates the account, it will be suspended.

At this
point all the professionalism employed by the attackers disappears.

“Upon
clicking the link, the end user is presented with a substandard imitation of
the Microsoft Office365 login page, as seen in figure 3, that does not follow
Microsoft’s visual protocol. Half the words are capitalized, and letters are
replaced with asterisks; examples include the word ‘email’ and the word
‘password.’ In addition, when end users type their credentials, they appear in
plain text as opposed to asterisks, raising a red flag the login page is not
real,” Cofense said.

Since this is a Google doc, once the information is entered it becomes
available to the doc’s creator.
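
The mismatch described above, a Microsoft-themed message whose link lands on a Google-hosted form, can be checked mechanically. The following is an added example, not code from Cofense or the original article; the brand terms, domain lists and sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive lists for illustration; tune them for your environment.
BRAND_TERMS = ("office 365", "office365", "microsoft")
MS_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com", "office365.com")
FORM_HOSTS = {"docs.google.com": "/forms/", "forms.gle": "/"}  # host -> path prefix

class LinkCollector(HTMLParser):  # collects href targets from <a> tags
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def flag_brand_mismatch(raw_message):
    """Return (kind, host) for links leaving Microsoft domains in a Microsoft-themed email."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part is not None else ""
    themed = f"{msg.get('Subject', '')} {html}".lower()
    if not any(term in themed for term in BRAND_TERMS):
        return []
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.links:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        on_ms = any(host == s or host.endswith("." + s) for s in MS_SUFFIXES)
        if url.scheme not in ("http", "https") or on_ms:
            continue
        prefix = FORM_HOSTS.get(host)
        kind = "form-host" if prefix and url.path.startswith(prefix) else "off-brand"
        findings.append((kind, host))
    return findings

# Constructed sample message, not taken from the Cofense report.
SAMPLE = """\
From: "IT Corporate Team" <it@sender.example>
Subject: Your Office 365 account has expired
Content-Type: text/html; charset="utf-8"

<p>Update your account or it will be suspended.</p> <a href="https://www.office.com/">Office home</a>
<a href="https://docs.google.com/forms/d/e/EXAMPLE-FORM-ID/viewform">Update now</a>
"""
```

A valid certificate on the linked page does not affect the result, since the check compares the claimed brand with the link's hostname rather than trusting the TLS padlock.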

Source: https://www.scmagazine.com/home/email-security/phishers-using-strong-tactics-and-poor-bait-in-office-365-scam/
