Office 365 Will Let Admins Review Microsoft Forms Phishing Attempts

Microsoft is working on adding a new Microsoft Forms phishing attempt review feature that will allow Office 365 admins to confirm and block forms that try to maliciously harvest sensitive data.

Microsoft Forms is a web and mobile app that enables users to create surveys, quizzes, and polls designed for collecting feedback and data online.

Previously it was only available to business users with Microsoft 365 Personal and Microsoft 365 Family, but it has recently been made available for personal use to anyone with a Microsoft account.

Block potential form-based phishing attempts

“When managing Microsoft Forms, IT admins now have two options in response to possible phishing: you can either click ‘unblock’ or ‘confirm phishing’, a new option that is now available,” Redmond explains in a new Microsoft 365 Roadmap entry.

Phishing attempts are detected by Microsoft Forms with the help of proactive phishing detection (available for all public forms since July 2019 and for enterprise forms from September 2019), a protection feature that will proactively identify malicious password collection in forms and surveys.

Also Read: How to Send Mass Email Without Showing Addresses: 2 Great Workarounds

Such attempts are automatically and temporarily blocked from continuing to collect answers to preemptively block threat actors from abusing forms as phishing landing pages.

Global and/or security administrators receive alerts of all forms detected and blocked for potential phishing in their tenant.

Reviewing potentially malicious forms

Starting with the feature’s roll-out to all standard multi-tenants during November 2020, IT admins can examine all forms automatically tagged as phishing attempts to make sure that those that try to harvest the users’ sensitive info for use in future malicious campaigns.

To review and unlock phishing forms, admins will have to go through the following steps:

1. Sign in to the Microsoft 365 admin center at admin.microsoft.com.
2. Go to the Message center and look for the notification, Prevent/Fix: Microsoft Forms Detected Potential Phishing (this notification contains a daily summary of any and all blocked forms created in your tenant)
3. Click on the Forms admin review URL link in the notification to review blocked forms.
4. For each form you review, go to the upper right corner of the page and select whether to unblock it or confirm its phishing attempt (unblock those wrongfully tagged and confirm those that you want blocked for malicious intent)

“If you believe a form has malicious intent, no further action from you is required. The form will stay blocked until its owner removes the content flagged for the malicious collection of sensitive data,” Microsoft explains.

Also Read: How a Smart Contract Audit Works and Why it is Important

Unblocking Microsoft Forms users

Microsoft Forms will also automatically block users if they repeatedly try to collect information by distributing forms.

Such attempts are logged and admins will be informed via the Microsoft 365 message center. Once the notifications are added to the message center, admins can unblock the users if they consider that no malicious intent was behind their data collection attempts.

To remove restrictions for any blocked Microsoft Forms users in their tenant, admins will have to follow this procedure:

1. Sign in to the Microsoft 365 admin center at admin.microsoft.com.
2. Go to the Message center and look for the notification, Prevent/Fix: Microsoft Forms Detected Potential Phishing.
3. Click on the link provided in the notification to review blocked users.
4. For each user you believe has no malicious intent, you can choose to click the Unblock link in the Actions column that is associated with that user.