It occurred to me that---thinking like an attacker---forms.outlook.com would be a very effective means of attacking a company (in particular). I tested this theory, successfully, this morning.
1. create a Microsoft account
2. sign up for forms.outlook.com
3. create a form that emulates an RFP (Request For Proposal) or training-related form or company survey or...
4. spoof a targeted company email address (pose as a CEO or CIO or HR or...)
5. target various employees (obtained through obvious social media sources)
6. paste the LEGIT form link in the email and send out
Endpoint protection would not detect it as hostile; email firewalls would not detect it as hostile (they would stop it if there is sufficient MX/SPF/domain checking in place, but many companies do not have this in place); Internet protection (like Umbrella or Zscaler) would not detect it as hostile. Essentially, an attacker would be using a legit Microsoft service/app to obtain whatever information he/she wants. Ultimately, a human firewall would be the only protection.
May 31st 2019