SANS ISC: Outlook Forms (forms.outlook.com) SANS ISC InfoSec Forums

Outlook Forms (forms.outlook.com)
It occurred to me that, thinking like an attacker, forms.outlook.com would be a very effective means of attacking a company (in particular). I tested this theory, successfully, this morning.

1. create a Microsoft account
2. sign up for forms.outlook.com
3. create a form that emulates an RFP (Request For Proposal) or training-related form or company survey or ...
4. spoof a targeted company email address (pose as a CEO or CIO or HR or ...)
5. target various employees (obtained through obvious social media sources)
6. paste the LEGIT form link in the email and send out

Endpoint protection would not detect it as hostile; email firewalls would not detect it as hostile (they would stop it if there is sufficient MX/SPF/domain checking in place, but many companies do not have this in place); Internet protection (like Umbrella or Zscaler) would not detect it as hostile. Essentially, an attacker would be using a legit Microsoft service/app to obtain whatever information he/she wants. Ultimately, a human firewall would be the only protection.
MasterYoshi

1 Posts
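The post's point is that the one technical control left is the mail gateway's sender-domain checking. The following is an added example (not from the post or from SANS ISC) of the kind of gateway rule that would catch the scenario: a message that claims to come from the company's own domain (the hypothetical example.com), does not carry an SPF/DMARC pass in the Authentication-Results header written by the receiving MX, and links to forms.outlook.com. The message below is constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: external mail posing as the CEO of example.com (hypothetical
# domain), failing SPF and DMARC at the receiving MX, linking to a hosted form.
SAMPLE_MSG = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
From: CEO <ceo@example.com>
To: staff@example.com
Subject: RFP input needed today
Content-Type: text/plain; charset=utf-8

Please complete this short survey: https://forms.outlook.com/Pages/ResponsePage.aspx?id=CONSTRUCTED
"""

# Legitimate form hosts an attacker can abuse; forms.outlook.com is the one the post names.
FORM_HOSTS = ("forms.outlook.com",)
LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def auth_results(msg):
    """Parse spf=/dmarc= verdicts out of the Authentication-Results header (lower-cased)."""
    hdr = msg.get("Authentication-Results", "") or ""
    found = re.findall(r"\b(spf|dmarc)=(\w+)", hdr, re.IGNORECASE)
    return {k.lower(): v.lower() for k, v in found}


def assess(raw, own_domain):
    """Return (verdict, reasons) for a raw RFC 5322 message as a gateway would see it."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = {h.lower() for h in LINK_RE.findall(text)}

    claims_internal = from_domain == own_domain.lower()
    auth = auth_results(msg)
    auth_ok = auth.get("dmarc") == "pass" or auth.get("spf") == "pass"
    has_form_link = any(h in FORM_HOSTS for h in hosts)

    reasons = []
    if claims_internal and not auth_ok:
        reasons.append("claims internal sender but SPF/DMARC did not pass")
    if has_form_link:
        reasons.append("links to a hosted form service")
    # Spoofed internal sender plus a form link is the exact pattern described; quarantine it.
    if claims_internal and not auth_ok and has_form_link:
        return "quarantine", reasons
    return ("review" if reasons else "allow"), reasons
```

A form link alone only earns "review", since internal staff do send legitimate surveys; it is the spoofed internal sender without an authentication pass that turns it into a quarantine.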
