Beware of Google Docs forms asking for Office 365 updates

News by Chandu Gopalakrishnan

Phishing campaign in the guise of Google Docs forms asks for updating of Office 365 accounts to create fake Microsoft login pages to harvest corporate user credentials.

Cyber-criminals have for long been using Google Docs for phishing campaigns. The latest one is in the guise of a Google Docs form asking for updating the Office 365 account of the user, found Cofense researchers.

“Phishing threat actors have long abused cloud services to deliver malicious payloads. This campaign utilises the Google Forms component of the Google platform,” Cofense’s Europe director Dave Mount told SC Media UK.

“In this campaign, and others like it, Google Forms is used to create fake Microsoft login pages to harvest corporate user credentials.”

The perpetrators compromised an email account with privileged access to CIM Finance, a legitimate financial services provider, and then used the CIM Finance website to send a stream of phishing emails. As emails originate from a legitimate source, they clear the basic email security checks. 

“This threat actor set up a staged Microsoft form hosted on Google that provides the authentic SSL certificate to entice end recipients to believe they are being linked to a Microsoft page associated with their company. However, they are instead linked to an external website hosted by Google,” said the Cofense blog post on the campaign.

Appearing like a notification from “IT corporate team”, the email informs the target that their Office 365 has expired and it needs to be updated urgently. As expected, the targets panic and click on the phishing link, providing their details into a substandard imitation of the Microsoft Office365 login page. The discerning eye can spot the danger here, the blog post noted. 

“Half the words are capitalised, and letters are replaced with asterisks; examples include the word ‘email’ and the word ‘password.’ In addition, when end users type their credentials, they appear in plain text as opposed to asterisks, raising a red flag the login page is not real. Once the user enters credentials, the data is then forwarded to the threat actors via Google Drive.”

The Cofense Phishing Defense Center was alerted by the company’s customers about the campaign. However, the reach of this particular campaign  is not yet assessed. 

“Impact of specific campaigns is difficult to track, and typically is not within the purview of Cofense. However, any credentials harvested by campaigns like this can lead to a significant compromise or data breach,” Mount told SC Media UK.

Cofense has seen hundreds of examples of phishing emails using Google Forms as the payload for harvesting user credentials, said Mount. Other common cloud services that are regularly abused by phishing threat actors include OneDrive,, Google Docs, WeTransfer and Dropbox.

However, alert and aware users can spot such campaigns most of the time, Mount said. 

“User awareness of credential phishing plays a role here – for example understanding what legitimate sites request corporate credentials, and being suspicious of any links that request user names or passwords. End-users should be enabled and empowered to report suspicious emails to their security teams, to enable them to take appropriate action to understand a threat, and protect the organisation.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews