Microsoft will alert Office 365 admins of Forms phishing attempts

Microsoft is adding new security warnings to the Security and Compliance Center (SCC) default alert policies to inform IT admins of detected phishing attempts abusing Microsoft Forms in their tenants.

Microsoft Forms is an app that enables web and mobile users to create surveys, polls, and quizzes for collecting feedback and data online.

It has recently been made available for personal use to anyone with a Microsoft account after previously being available only to business users with Microsoft 365 Personal and Microsoft 365 Family subscriptions.

Forms phishing activity alerts

Microsoft Forms detects phishing attempts with the help of proactive phishing detection (available for all public forms since July 2019 and for enterprise forms from September 2019).

This phishing protection feature will proactively identify malicious password collection in forms and surveys.

To do that, it uses automated machine reviews to "proactively detect malicious password collection in forms and surveys" to block phishers from abusing Microsoft Forms to create phishing landing pages.

Admins receive alerts of any users or forms blocked in their tenants for potential phishing. Microsoft is now working on also adding these phishing activity alerts to SCC's Alert center.

"We are now adding Microsoft Forms’ phishing activities alert (for blocked forms and users due to confirmed and suspicious phishing) to the default alert policies in Microsoft’s Security and Compliance Center (SCC)," the company explains in a Microsoft 365 Roadmap entry.

"If there is any user restricted from sharing forms and collecting responses from Microsoft Forms because of confirmed phishing activities, or any form identified/detected as phishing form, IT admins will receive an alert in the SCC Alert center."

Rolling out later this month

Microsoft is planning on making this new feature generally available worldwide in all environments by the end of this month.

Microsoft also added an option in November allowing Office 365 admins to review Microsoft Forms phishing attempts to confirm or unblock forms tagged as suspicious for potentially attempting to maliciously harvest sensitive data.

Once the notifications are added to the message center, admins can unblock the users if they consider that no malicious intent was behind their data collection attempts.

"If you believe a form has malicious intent, no further action from you is required. The form will stay blocked until its owner removes the content flagged for the malicious collection of sensitive data," Microsoft explains.

Later this month, Microsoft will also begin notifying Microsoft Defender for Office 365 users of suspected nation-state hacking activity detected within their tenants.

Related Articles:

Microsoft pulls fix for Outlook bug behind ICS security alerts

New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

Millions of Docker repos found pushing malware, phishing sites

New Latrodectus malware attacks use Microsoft, Cloudflare themes

Google ad impersonates Whales Market to push wallet drainer malware