Phishers are Targeting Employees With Google Forms to Harvest Microsoft Credentials

Security researchers at Cofense found several phishing campaigns that implemented via Google Docs Form to target employees’ Microsoft credentials.

Cofense also found a source of these phishing emails which were originated from and hosted at CIM Finance’s website.

Hackers were able to send phishing emails from a privileged email id of financial services provider CIM Finance

Hackers sent these phishing emails to the IT team informing them that they needed to “update their Office 365” if they wanted to prevent the suspension of their accounts.

With this setup, phishers created a fake phishing Microsoft Office 365 login page (was actually in Google Forms).

Upon submitting user credentials, the campaign sent this information off to the attackers via Google.

Tripwire (Source)