
Cybercrime uses Office 365 and Google Docs to harvest credentials

Cofense: There is an increase in phishing campaigns that aim to harvest credentials from innocent email recipients by tricking them into ‘Updating their Office 365’ using a Google Docs Form

Cybercriminals have stepped up phishing campaigns that aim to harvest credentials from innocent email recipients by tricking them into ‘Updating their Office 365’ using a Google Docs Form. The campaigns were discovered by Cofense cyber security experts. Potential victims receive an email claiming to be from their organisation’s IT team that tells them their account will expire unless they click the link and update their details. Researchers note that the criminals behind the scam went to great lengths to appear legitimate. The phishing email originates from a compromised financial email account with privileged access to CIM Finance, a legitimate financial services provider. However, the forms that potential victims are directed to are often littered with grammatical and spelling mistakes, so the fraud is relatively easy to spot.

The cyber security experts: The attacks exploit a legitimate financial services provider, and “the importance” of email access is key to this credential phish, leading users to panic, click on the phishing link and provide their credentials

According to the cyber security experts, since the emails come from a legitimate source, they pass basic email security checks such as DKIM and SPF. The threat actor set up a staged Microsoft form hosted on Google, which presents an authentic SSL certificate, to entice recipients into believing they are being linked to a Microsoft page associated with their company. However, they are instead linked to an external website hosted by Google. The email masquerades as a notification from “IT corporate team,” telling the business user to “update your Office 365”, which has supposedly expired. The “administrator” claims immediate action must be taken or the account will be placed on hold. The importance of email access is key to this credential phish, leading users to panic and click on the phishing link, providing their credentials.
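Because these messages pass SPF and DKIM, a mail filter has to look at content instead. The following triage sketch is an added example, not code from Cofense or the original article; the sample message, the `docs.google.com/forms/` link pattern and the lure keywords are assumptions constructed from the description above.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Lure wording taken from the article's description (assumed keyword set).
LURE = re.compile(r"office\s*365|account.{0,40}(expire|on hold)", re.I | re.S)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_google_form(url):
    """True for links that point at a form hosted on Google Docs."""
    p = urlparse(url)
    return (p.hostname or "").lower() == "docs.google.com" and p.path.startswith("/forms/")

def body_text(msg):
    """Concatenate every text/* part of the message, decoded to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message):
    """Flag an Office 365 lure that links to a Google form, even when auth passes."""
    msg = message_from_string(raw_message)
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    links = [u for u in URL.findall(text) if is_google_form(u)]
    lure = bool(LURE.search(text))
    return {
        "auth_pass": "spf=pass" in auth and "dkim=pass" in auth,
        "lure": lure,
        "form_links": links,
        # SPF/DKIM passing must not clear the message: the sender is compromised.
        "suspicious": lure and bool(links),
    }

# Constructed sample message (not a real capture).
SAMPLE = """\
From: Accounts <accounts@finance.example>
To: user@corp.example
Subject: Update your Office 365
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=finance.example; dkim=pass header.d=finance.example
Content-Type: text/plain; charset=utf-8

From IT corporate team: update your Office 365 now or the account
will be placed on hold. https://docs.google.com/forms/d/e/EXAMPLE/viewform
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```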
