Security researchers detected several phishing campaigns that leveraged a Google Docs Form to target users’ Microsoft credentials.

Cofense observed that the phishing emails originated from a compromised email account with privileged access to financial services provider CIM Finance. By using CIM Finance’s website to host their phishing emails, the malicious actors ensured that their messages could bypass popular email security checks including DKIM and SPF.

The emails themselves masqueraded as notifications from the IT team informing recipients that they needed to “update their Office 365” if they wanted to prevent the suspension of their accounts.