heroui logo

Service abuse: Microsoft Forms Pro with suspicious links or QR codes

Sublime Rules

View Source
Summary
This rule detects credential phishing attempts embedded in inbound messages claimed to originate from surveys@email.formspro.microsoft.com (Microsoft Forms Pro). It analyzes URLs within the message body and attachments for multiple indicators of compromise: (1) links whose destination domain has a suspicious top‑level domain (TLD) and where the root domain is not microsoft.us; (2) links that embed recipient email addresses within the URL; (3) OAuth authorization links that redirect to Microsoft Online OAuth endpoints; (4) links or URL paths that reveal personal OneDrive locations (noted by the path segment /:o:/p/); (5) URL fragments containing placeholders like [[Email]]; and (6) QR codes scanned from attached screenshots or images that point to suspicious domains or domains newly registered (under ~100 days). If any condition is met, the rule flags a Credential Phishing incident. It leverages URL analysis, QR code analysis, sender/identity analysis, Whois lookups, and content analysis to corroborate threats. The goal is to surface socially engineered attempts to harvest credentials or redirect users to deceptive pages impersonating Microsoft Forms Pro.
Categories
  • Endpoint
  • Web
  • Application
  • Identity Management
Data Sources
  • File
  • Web Credential
  • Network Traffic
  • Process
  • Application Log
Created: 2026-07-15