{
	"id": "efc49997-1155-4a96-8ccd-c5751a7a7842",
	"created_at": "2026-04-06T03:36:43.060558Z",
	"updated_at": "2026-04-10T13:12:11.626679Z",
	"deleted_at": null,
	"sha1_hash": "8c625cdf01da8db38d65f47983dd1b91a1249502",
	"title": "Tricky Forms of Phishing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1213967,
	"plain_text": "Tricky Forms of Phishing\r\nBy Paul Miguel Babon ( words)\r\nPublished: 2020-09-03 · Archived: 2026-04-06 03:19:52 UTC\r\nThe internet has long been an indispensable tool for various industries, all the more so now with the current pandemic,\r\nas many companies rely on internet connectivity for powering work-from-homenews article setups. Unfortunately,\r\ncybercriminals capitalize on the usability of the internet to extort users. One of the most common means to do this is\r\nthrough phishing.\r\nPhishing schemes are served by websites that harvest sensitive information such as credit card numbers, social security\r\nnumbers, and account credentials, among others. Many of these are hosted on websites with spoofed domainsnews-cybercrime-and-digital-threats or pages created through website builders. Recently, however, creating phishing pages\r\nhas become even easier through the use of forms — tools that can be configured within only a few minutes.\r\nHow are these schemes formed?\r\nHere are common examples of form builder services that are used to create forms for phishing. Notably, on their own,\r\nthey are legitimate, non-malicious sites. However, like other legitimate platforms, they can also be exploited:\r\n123formbuilder.com\r\ndocs.google.com\r\nform.simplesurvey.com\r\nformpl.us\r\nforms.gle\r\nforms.office.com\r\nformtools.com\r\nsmartsurvey.co.uk\r\nsupersimplesurvey.com\r\nsurvey.survicate.com\r\nsurveygizmo.com\r\nsurvs.com\r\nzfrmz.com\r\nWithin a few minutes and even without programming knowledge, cybercriminals can create forms in these sites. These\r\npages are then propagated through emails, like in most phishing campaigns. Some examples of these are emails that\r\npose as advisories from Microsoft Outlook, which prompt the user to open a link to update a supposedly expiring\r\npassword or full mail storage. A common form builder used for these emails is Microsoft Forms, perhaps to enhance\r\nbelievability since this site is also from the same vendor as Outlook. Super Simple Survey is commonly used as well.\r\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 1 of 12\n\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 2 of 12\n\nFigures 1-5. Phishing emails posing as advisories from Microsoft Outlook\r\nSome cybercriminals also pose as business representatives in their emails and mask phishing links as fake voicemails\r\nor documents. We observed Survey Gizmo being commonly used for these.\r\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 3 of 12\n\nFigures 6-8. Phishing emails with a fake voicemail and document attachments\r\nSelecting the buttons, a fake voicemail, or a document in these emails redirects the users to phishing sites that are\r\nhoused on these forms.\r\nFigures 9-10. Examples of phishing links housed in form builders\r\nLike other phishing sites, these forms attempt to harvest information such as email addresses and passwords. They can\r\npose as email login or verification pages.\r\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 4 of 12\n\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 5 of 12\n\nFigures 11-13. Examples of forms that were made for phishing\r\nIt is relatively easy to spot the differences between a real login page and one made with a form as the latter looks\r\ntemplated and blocky. However, users might still erroneously trust a site if they see that a legitimate website (such as\r\nthe form builder site) is associated with it.\r\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 6 of 12\n\nFigures 14-15. Top: Legitimate Adobe login page. Bottom: Fake Adobe login page made of a form\r\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 7 of 12\n\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 8 of 12\n\nFigures 16-17. Top: Legitimate AT\u0026T login page. Bottom: Fake AT\u0026T login page made of a form\r\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 9 of 12\n\nFigures 18-19. Top: Legitimate Microsoft Outlook login page. Bottom: Fake Microsoft Outlook login\r\npage made of a form\r\nWhat makes form builders a viable option for cybercriminals?Other than form builders, phishing authors\r\ncommonly use fake domains and website builders to create phishing pages. This table details a side-by-side\r\ncomparison of all three, the reasons that form builders are an attractive option, and ways that users can spot these sites:\r\nFake Domains Website Builders Form Builders\r\nDefinition\r\nThe creation of\r\na new domain\r\nwhere the name\r\nand the\r\nappearance of a\r\npopular website\r\nare copied. This\r\nis used to fool\r\npeople into\r\nthinking that\r\nthey are on the\r\nright website.\r\nThe use of site creation services\r\nlike wix.com or weebly.com.\r\nThese services offer\r\nconvenience in creating\r\nprofessional-looking phishing\r\npages, some of which can look\r\nlike popular websites.\r\nThe abuse of forms services like Microsoft\r\nForms to create simple and fake phishing pages\r\nand sometimes even fake login pages\r\nExamples\r\namaazoon[.]xyz\r\ngo0gle[.]fun\r\noutlookmail[.]weebly[.]com\r\ngoogledrivefiles[.]wixsite[.]com\r\nforms[.]office[.]com/Pages/ResponsePage.aspx?\r\nid=rand0mnU\r\ndocs[.]google[.]com/forms/d/e/rand0mnU\r\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 10 of 12\n\nCreation\r\nDifficulty\r\nRequires\r\nknowledge of\r\nprogramming\r\nand web\r\nhosting to\r\ncreate the\r\nwebsite\r\nRequires some knowledge of\r\nHTML programming as well as\r\ndesign skills to make the\r\nphishing website convincing\r\nRequires only basic knowledge of how forms\r\nare made\r\nResources\r\nRequires lots of\r\ntime to set up.\r\nMoney is also\r\ninvolved in\r\nbuying\r\ndomains,\r\nmaking this\r\ntactic resource-intensive.\r\nA decent amount of time is\r\nneeded to create a professional-looking website. Some services\r\nrequire money to create\r\nwebsites, some do not. Still,\r\nsome phishing authors would\r\nrather use this tactic than create\r\nfake domains from scratch.\r\nSmall-to-little amount of time is needed to\r\ncreate a phishing page. A person can easily\r\ncreate one in minutes. Usually, depending on\r\nthe service, money is not needed to create a\r\nform. This is advantageous for phishing authors\r\nas they can create loads of phishing forms.\r\nHow\r\nUsers\r\nCan Spot\r\nThese\r\nBy thorough\r\ninspection of\r\nthe URL to\r\ndetect whether\r\nthe website is\r\nlegitimate\r\nBy spotting the domain\r\n“weebly[.]com” or “wix[.]com”\r\ninstead of the original domain\r\nin the address bar\r\nBy keeping in mind that companies usually do\r\nnot use forms for password updates or email\r\nverification  \r\nConclusion\r\nIn our 2020 midyear security roundup, we reported our detection of nearly 7 million unique phishing URLs for the first\r\nhalf of 2020, a 28% increase in over 5 million detected URLs in the second half of 2019. This shows that phishing\r\nremains a favorite weapon among cybercriminals. Similar to the case of other threats, operators behind these schemes\r\nfind ways to spend both less time and money to enable their scam while also ensuring that it remains effective, if not\r\nmore formidable. From creating websites from scratch, operators eventually progressed to creating pages from website\r\nbuilders. Today, they also use forms.\r\nForms can be created in a few minutes, usually do not cost a cent, and can pass off as professional — at least at the\r\nbasic level. Some users tend to trust them as well since the form builder websites themselves are not malicious, and\r\nsometimes the domains are related to the information requested by the phishing website (for example, a Microsoft\r\nForms page used to harvest Microsoft account credentials).  Therefore, these forms can do the job with little work\r\nrequired.\r\nAs the tactics used by cybercriminals evolve, users can defend themselves by thoroughly inspecting pages (whether\r\nwebsites or forms) that request for credentials. Security solutions can also help detect and block these threats.\r\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 11 of 12\n\nForming strong defenses against phishing\r\nUsers can protect themselves from forms used for phishing by following these specific steps:\r\nNever give out passwords and other sensitive information. Forms and surveys are used for responses, opinions,\r\nfeedback, and application purposes — they are not a substitute for login pages.\r\nReport phishing forms immediately. If a form requires the user to fill in credentials and other sensitive\r\ninformation, report it to the form builder service itself. The links to report the form are usually located at the\r\nbottom portion of the page:\r\nFigures 20-21. Sample portions of forms for reporting abuse.\r\nAlways double-check if the email sender is legitimate. Do not open any links if the sender is unknown or\r\nsuspicious.\r\nIf there is a suspicious email, report it to your company’s InfoSec or IT Security team.\r\nEnsure that the security settings of all applications are up to date.\r\nThe following security solutions are recommended as a defense against phishing:\r\nTrend Micro™ Cloud App Securityproducts – Enhances the security of Microsoft Office 365 and other cloud\r\nservices. It uses computer vision and real-time scanning to find credential-stealing phishing sites. It also\r\nprotects against business email compromise (BEC) and other email threats.\r\nTrend Micro™ Deep Discovery™ Email Inspectorproducts – Defends users against phishing and ransomware\r\nattacks through real-time scanning and advanced analysis techniques for known and unknown attacks.\r\nThe internet is a vast, open world full of doors to opportunities for achieving a convenient lifestyle. With that being\r\nsaid, it is crucial to be conscious of the fact that these doors can also lead to abuse and baits. Therefore, we must\r\nalways take steps to protect our data and not take its security for granted.\r\nTags\r\nSource: https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nhttps://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html"
	],
	"report_names": [
		"tricky-forms-of-phishing.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775446603,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c625cdf01da8db38d65f47983dd1b91a1249502.pdf",
		"text": "https://archive.orkl.eu/8c625cdf01da8db38d65f47983dd1b91a1249502.txt",
		"img": "https://archive.orkl.eu/8c625cdf01da8db38d65f47983dd1b91a1249502.jpg"
	}
}