On April 10, 2026, employees at a global industrial manufacturer received an email inviting them to complete an "Adobe Acrobat Pro Usage Assessment." The message arrived from a legitimate corporate Microsoft 365 account, passed SPF, DKIM, and DMARC authentication, and earned a composite authentication score of 100. The "Start now" button pointed to forms.cloud.microsoft, a real Microsoft-owned domain. Every other link in the email, from the privacy policy to the terms of service, also pointed to verified Microsoft endpoints.
The email was phishing. The form was a credential harvest. And automated scanners rated every link in it as clean.
This attack represents a growing class of threats where the entire kill chain operates inside trusted infrastructure. No spoofed domains. No look-alike URLs. No malicious payloads to detonate. The weaponized element was a Microsoft Form, hosted on Microsoft servers, branded with Microsoft assets, and delivered through Microsoft mail infrastructure. The only thing that wasn't legitimate was the intent.
The phishing email originated from a compromised account at a legitimate technology services firm. The sender's domain had been registered since 2010, maintained valid MX records pointing to a hosted email protection service, and published a strict DMARC policy (p=quarantine, adkim=s, aspf=s). DKIM validation passed using the domain's selector2 key, and the message transited through Microsoft's outbound protection infrastructure (52.101.48.86) before reaching a Cisco Email Security Appliance gateway at the recipient's organization.
The relay path created a minor SPF softfail at the Cisco gateway hop (IP 23.90.110.124), but this is expected behavior for messages transiting third-party email protection services. The ARC chain validated cleanly through two hops, both sealed by microsoft.com, and the final compauth result was pass with reason=100, the highest confidence score Microsoft assigns.
The subject line followed the standard Microsoft Forms invitation format: "[Name] invites you to complete: [Form Title]." The body matched the exact Microsoft Forms email template, complete with the sender's profile photo placeholder, Microsoft 365 branding, a teal accent color header bar, and footer links to Microsoft's privacy policy and terms of service. Nothing in the email's visual presentation or technical envelope distinguished it from a genuine Microsoft Forms invitation.
MITRE ATT&CK mapping: T1566.002 (Spearphishing Link), T1078 (Valid Accounts), T1036.005 (Masquerading: Match Legitimate Name or Location)
The "Start now" CTA directed recipients to forms.cloud.microsoft/Pages/ResponsePage.aspx, a legitimate Microsoft Forms response page. This is where the attack breaks from typical phishing. The attacker did not clone a login page or stand up a look-alike domain. They created an actual Microsoft Form, hosted on Microsoft infrastructure, that asked recipients to provide sensitive information under the guise of a software usage survey.
The form's first required field: "Please provide your first and last name plus location." The second field asked about Adobe Acrobat usage frequency with radio button options (Daily, Several times a week, Occasionally, Rarely). The opening text stated the form would "not automatically collect your details like name and email address unless you provide it yourself," a social engineering technique that frames the PII request as optional and privacy-respecting while making it a required field.
The forms.cloud.microsoft domain is a newer Microsoft Forms hosting endpoint, distinct from the more established forms.office.com and forms.microsoft.com. While fully legitimate, its relative obscurity means security teams may not have it in their allow-lists or recognition patterns. Automated link scanning services evaluated the URL and returned a clean verdict because the domain, certificate, and rendered page all belong to Microsoft.
According to the Microsoft Digital Defense Report 2024, Microsoft processes over 78 trillion security signals daily, yet attacks that abuse Microsoft's own platform services represent one of the hardest detection challenges because they generate no malicious signal at the infrastructure layer. The Verizon 2024 Data Breach Investigations Report found that credential theft remains the top action variety in breaches, present in 24% of all incidents.
This campaign exploits a fundamental trust assumption: if the domain is Microsoft, the content must be safe. That assumption fails when attackers use legitimate cloud services as hosting infrastructure for their payloads.
Three factors made this attack exceptionally difficult to catch:
The FBI IC3 2024 Annual Report documented $2.9 billion in BEC losses, with credential harvesting serving as the primary precursor to account takeover and business email compromise. Attacks like this one feed the pipeline: the harvested name-and-location data becomes fodder for targeted BEC campaigns and social engineering.
| Indicator | Type | Value |
|---|---|---|
| Sender email | lorar[@]crosslaketech[.]com | |
| Sender domain | Domain | crosslaketech[.]com |
| Phishing form URL | URL | hxxps://forms[.]cloud[.]microsoft/Pages/ResponsePage[.]aspx?id=O_zvoORORkqdzIn9NbQ59srYr_99InVErArtuDykFLpUNDVGTzdJRFhPMlA5TU1DMlRaSEpHUTZSVi4u |
| Form design URL | URL | hxxps://forms[.]cloud[.]microsoft/Pages/DesignPageV2[.]aspx?origin=rbf&rpring=Business&rpsession=f55944be-6ce0-4531-9a98-3a874c812944 |
| Outbound relay IP | IP | 52[.]101[.]48[.]86 |
| ESA gateway IP | IP | 23[.]90[.]110[.]124 |
| DKIM selector | Selector | selector2._domainkey.crosslaketech[.]com |
| Message-ID | Header | DM6PR22MB22613D013E98833221F5ADC6B0592[@]DM6PR22MB2261[.]namprd22[.]prod[.]outlook[.]com |
| Subject | Header | Lora invites you to complete: Adobe Acrobat Pro Usage Assessment |
Email authentication alone cannot protect against attacks that originate from compromised legitimate accounts. When the sender domain is real, the DKIM signature is valid, and the DMARC policy passes, the entire authentication stack becomes invisible to the threat.
Organizations should consider these steps:
Block or monitor forms.cloud.microsoft at the proxy layer until your security stack can inspect form content, not just URL reputation. If your organization does not use Microsoft Forms, this domain should not appear in your inbound email flow.
Deploy behavioral analysis that evaluates email context, not just technical signals. A software usage survey arriving from an external technology vendor to a manufacturing company's VIP recipients, with a one-week deadline, is anomalous regardless of its authentication results. Adaptive AI platforms that model sender-recipient relationships and communication patterns catch what authentication cannot.
Audit your Microsoft Forms tenant controls. Restrict external form submissions, enable form phishing detection in Microsoft Defender, and monitor for forms created by accounts that do not typically use Microsoft Forms.
Train users to verify form requests through a second channel. Even when an email looks identical to a legitimate Microsoft Forms invitation, the safest response is to confirm the request directly with the sender before submitting any information.
Every email in this attack was technically legitimate. Every link was technically clean. The only signal was behavioral, and that required technology built to see it.
See Your Risk: Calculate how many threats your SEG is missing