This week, we uncovered an attack that uses both Microsoft Forms and Typeform. We saw this across multiple organizations.

It works like this:

The subject of the email reads: IT-security/protection

The body claims that you need to change your password to prevent it from expiring.

Clicking on the "Click to keep password" button, however, leads to one of two links: a Typeform page or a Microsoft Forms page. Both are designed to steal your credentials.

Both links have been deactivated.

Here's what it looks like:

Subject line designed to grab user’s attention

The phishing email’s footer mentions “JBM Group”, a fake company with a very convincing-looking website designed to deceive users who Google the sender.
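A triage check for the pattern described above, as an added example that is not part of the original post: it flags a message only when password-expiry wording appears together with a link to a form-builder host. The hostname list, the regex, the `analyze` and `is_form_host` names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed hostnames for the two services named in the post; extend as needed.
FORM_HOSTS = ("forms.office.com", "forms.microsoft.com", "typeform.com")
# Password-expiry wording like the lure described in the post.
LURE = re.compile(r"password.{0,40}(expir|keep)|(expir|keep).{0,40}password", re.I | re.S)

# Constructed sample message (placeholder link, not a real indicator).
SAMPLE = """\
Subject: IT-security/protection
Content-Type: text/html

<p>To prevent your password from expiring, you need to change it.</p>
<a href="https://example.typeform.com/to/PLACEHOLDER">Click to keep password</a>
"""

class _Links(HTMLParser):
    """Collect href targets and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)

def is_form_host(host):
    # Exact or subdomain match only, so "typeform.com.example.net" is not a hit.
    host = (host or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in FORM_HOSTS)

def analyze(raw):
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("html", "plain"))
    parser = _Links()
    parser.feed(part.get_content() if part else "")
    found = {urlsplit(h).hostname for h in parser.hrefs}
    hosts = sorted(h for h in found if is_form_host(h))
    text = f"{msg['subject'] or ''} {' '.join(parser.text)}"
    lure = bool(LURE.search(text))
    return {"form_hosts": hosts, "lure": lure, "flag": bool(hosts) and lure}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Both services carry plenty of legitimate mail, so the combined flag is a signal for review rather than a block rule.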



