Phishing Attack Takes a Two-Step Approach to Leverage Legitimate Sites and Evade Detection

Analysis of a new phishing attack demonstrates how attackers may take a longer path to reach their malicious goals while staying “under the radar” of security products.

It would be pretty simple to create a phishing attack that sends its’ victims a brand-impersonated email with a link that takes you to an impersonated webpage that asks for credentials, personal details or credit card information.

But many of today’s security products will detect the impersonation immediately. So, if you’re a cybercriminal developing a cunning phishing scam, you need to find ways to avoid being detected – even if it means adding a few unnecessary steps.

And that’s exactly what we find in security vendor Perception Point’s latest analysis of a phishing attack that uses Microsoft Office Forms as an intermediate step in their phishing scam.  According to the analysis, the phishing email impersonates a well-known brand (such as Microsoft 365 below) with the first step being the clicking of a link within the email that points to an Office form.

The form is hosted on a legitimate web service, which helps the attack from being detected.

The target of that URL is an impersonated login page, designed to steal credentials:

At its core, this is just another credential stealing scam.  But it’s the specific execution that makes it interesting. By leveraging legitimate tools and websites as an added step in the attack, cybercriminals improve their odds that the scam will go undetected – that is unless the users have undergone security awareness training and are able to spot the scam.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.