Cofense - Security Awareness Training & Email Threat Detection

Phishers Are Using Google Forms to Bypass Popular Email Gateways

Share This Article

Microsoft 365 ATP

By Kian Mahdavi

Over the past couple of weeks, the Cofense Phishing Defense Center (PDC) has witnessed an increase in phishing campaigns that aim to harvest credentials from innocent email recipients by tricking them into ‘Updating their Office 365’ using a Google Docs Form.

Google Docs is a free web-based application, allowing people to create text documents and input and collect data. It is an enticing way for threat actors to harvest credentials and compromise accounts. Here’s how it works:

Figure 1 – Email Header

The phishing email originates from a compromised financial email account with privileged access to CIM Finance, a legitimate financial services provider. The threat actor used the CIM Finance website to host an array of comprised phishing emails. Since the emails come from a legitimate source, they pass basic email security checks such as DKIM and SPF. As seen from the headers above in figure 1, the email passed both the DKIM authentication check and SPF.

This threat actor set up a staged Microsoft form hosted on Google that provides the authentic SSL certificate to entice end recipients to believe they are being linked to a Microsoft page associated with their company. However, they are instead linked to an external website hosted by Google, such as


Figure 2 – Email Body

The email masquerades as a notification from “IT corporate team,” informing the business user to “update your Office 365” that has supposedly expired. The “administrator” claims immediate action must be taken or the account will be placed on hold. The importance of email access is key to this credential phish, leading users to panic and click on the phishing link, providing their credentials.

Figure 3 – Phishing Page

Upon clicking the link, the end user is presented with a substandard imitation of the Microsoft Office365 login page, as seen in figure 3, that does not follow Microsoft’s visual protocol. Half the words are capitalized, and letters are replaced with asterisks; examples include the word ‘email’ and the word ‘password.’ In addition, when end users type their credentials, they appear in plain text as opposed to asterisks, raising a red flag the login page is not real. Once the user enters credentials, the data is then forwarded to the threat actors via Google Drive.


Network IOC IP
hXXps://docs[.]google[.]com/forms/d/e/1FAIpQLSfzgrwZB23BXv6vumZljSGg0mUuYP4UcafmShTpUzWJoYzBPA/viewform 172[.]217[.]7[.]238



75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMe through the “Account Security Alert” or “Cloud Login” templates and get visibility of attacks with Cofense Reporter.

Quickly turn user reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in Active Threat Report (ATR) 36388.

Thanks to our unique perspective, no one knows more about providing phishing awareness training and REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.