
SANS ISC InfoSec Forums: Outlook Forms (

Outlook Forms (
It occurred to me that---thinking like an would be a very effective means of attacking a company (in particular). I tested this theory, successfully, this morning.

1. create a Microsoft account
2. sign up for
3. create a form that emulates an RFP (Request For Proposal) or training-related form or company survey or...
4. spoof a targeted company email address (pose as a CEO or CIO or HR or..)
5. target various employees (obtained through obvious social media sources)
6. paste the LEGIT form link in the email and send out

Endpoint protection would not detect it as hostile; email firewalls would not detect it as hostile (they would stop it if there is sufficient MX/SPF/domain checking in place, but many companies do not have this in place); Internet protection (like Umbrella or Zscaler) would not detect it as hostile. Essentially, an attacker would be using a legit Microsoft service/app to obtain whatever information he/she wants. Ultimately, a human firewall would be the only protection.

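The post notes that the one technical control that would stop this is sender/domain checking at the mail gateway. The following is an added detection example, not code from the post or from SANS ISC: it scores an inbound message on the combination the post describes (a From: address in the organisation's own domain that did not pass SPF, plus a link to a hosted-form service). The organisation domain `example.com`, the hosted-form hostnames, the `Authentication-Results` header format and the three sample messages are all assumptions constructed for the example.

```python
"""
Added example: flag mail that pairs an internal-looking sender with a failed
(or absent) SPF verdict and a link to a hosted-form service. All sample
messages, domains and hostnames here are constructed for the example.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"                            # assumed: the protected org
FORM_HOSTS = {"forms.office.com", "forms.microsoft.com"}   # assumed: hosted-form hosts to watch
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def spf_result(msg):
    """Return the spf= verdict recorded by the gateway, or 'none' if it never checked."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", hdr, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "none"


def from_domain(msg):
    """Domain part of the visible From: address (what the recipient actually sees)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def form_links(msg):
    """All URLs in the body whose host is a known hosted-form service."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return [u for u in URL_RE.findall(text) if urlparse(u).hostname in FORM_HOSTS]


def assess(raw):
    """Combine the three signals into a verdict a gateway rule could act on."""
    msg = message_from_string(raw, policy=policy.default)
    dom, spf, links = from_domain(msg), spf_result(msg), form_links(msg)
    # "spoof" = claims to be one of us, but SPF did not confirm the sending host
    spoof = dom == INTERNAL_DOMAIN and spf != "pass"
    if spoof and links:
        verdict = "quarantine"   # the exact pattern described in the post
    elif spoof or links:
        verdict = "review"       # one signal alone: legit internal surveys look like this
    else:
        verdict = "deliver"
    return {"verdict": verdict, "from_domain": dom, "spf": spf, "form_links": links}


# Constructed sample 1: spoofed CEO address, SPF fail, hosted-form link.
SPOOFED_FORM = """From: "Pat CEO" <ceo@example.com>
To: staff@example.com
Subject: Quick RFP survey
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=ceo@example.com
Content-Type: text/plain; charset="utf-8"

Please fill this in today: https://forms.office.com/r/FAKEFAKE1
"""

# Constructed sample 2: genuine internal HR mail, SPF pass, hosted-form link.
INTERNAL_SURVEY = """From: "HR" <hr@example.com>
To: staff@example.com
Subject: Annual training survey
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hr@example.com
Content-Type: text/plain; charset="utf-8"

Survey link: https://forms.office.com/r/FAKEFAKE2
"""

# Constructed sample 3: ordinary external vendor mail, no form link.
VENDOR_MAIL = """From: "Vendor" <sales@vendor.example.net>
To: staff@example.com
Subject: Meeting notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=sales@vendor.example.net
Content-Type: text/plain; charset="utf-8"

Notes are here: https://www.vendor.example.net/notes
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_FORM), ("internal", INTERNAL_SURVEY), ("vendor", VENDOR_MAIL)):
        print(name, assess(raw))
```

The split between "quarantine" and "review" is deliberate: a hosted-form link by itself is normal business traffic, and an internal From: domain failing SPF by itself is usually a misconfigured forwarder, so only the conjunction the post describes is treated as high confidence. A gateway that does not stamp `Authentication-Results` at all yields `spf=none`, which this rule treats the same as a failure, matching the post's observation that the attack succeeds precisely where such checking is missing.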