Warning: Email inviting users to “review document” leads to fake Microsoft-branded phishing page hosted on Typeform

Posted by Akankasha Dewan on 30 September 2020 17:22:19 AEST

With cybercrime growing in sophistication every day, cybercriminals continue to employ sneaky techniques to trick users.

MailGuard has intercepted a phishing email sent from a compromised account. Titled “You have 1 new document to review”, the email invites users to review a document by clicking on a link. Details of this document, including its “ID” and the “Day/Date” it was delivered, are provided – likely in a bid to boost its credibility.

Here’s what the email looks like:



Clicking on the link to open the document leads users to a fake Microsoft-branded login page containing branding elements of multiple Microsoft apps and products. It is titled “Microsoft Office 365 Message Center”. This page is actually a form hosted on Typeform, a popular website that specialises in online form building and online surveys. The user is invited to sign in to view the document, as per below:


This is a phishing page designed to harvest users’ login details. Once these credentials are entered and submitted, the attacker harvests them for later use, and the user is redirected to a PDF document.

We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.

By claiming that a new document has been shared, this email scam aims to intrigue recipients, motivating them to click on the link to view it as soon as possible.

The use of a phishing page hosted on Typeform is interesting. Typeform is a legitimate website, but the form itself could help alert users to the email’s illegitimacy: upon entering their password, users see it displayed in its entirety instead of being hidden (using stars like ***). This is a red flag, considering most authentic login pages (especially those from established companies like Microsoft) would not allow such an open display of passwords for security reasons.

Scams that are initiated from compromised accounts are particularly dangerous, for a number of reasons:

  • The emails are sent from a legitimate account, so they are not likely to be blocked by email security services,
  • The recipients are more receptive to the emails because they are from a legitimate service, and especially where the sender is known to them, and
  • They may deliver a malicious payload, or simply a PDF file like these examples, directing users to external phishing pages to harvest credentials.

In such cases, users are reminded of the importance of not accepting or clicking on documents from unknown senders, regardless of the organisation they purport to be from. Attachments and links should only be accessed when users are certain about the credibility of their owners.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 
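
The last check in the list above can be partly automated during mail triage. The following is an added example, not MailGuard's code: it extracts the links from an HTML email and flags any hosted on typeform.com or, when the message uses Microsoft branding, on a host outside an assumed, non-exhaustive list of Microsoft domains. The function names, the domain and keyword lists and the sample message are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: illustrative, non-exhaustive list of Microsoft-owned domains.
BRAND_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com", "live.com"}
FORM_HOSTS = {"typeform.com"}  # form-builder host named in the alert
BRAND_WORDS = ("microsoft", "office 365")  # assumption: brand cues to look for

class LinkCollector(HTMLParser):  # collects the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(href)

def under(host, domains):  # host equals, or is a subdomain of, a listed domain
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw_email):
    """Return (url, reason) findings for the HTML parts of one message."""
    msg = message_from_string(raw_email)
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/html")
    text = (msg.get("Subject", "") + " " + body).lower()
    claims_brand = any(w in text for w in BRAND_WORDS)
    collector = LinkCollector()
    collector.feed(body)
    findings = []
    for url in collector.links:
        host = urlsplit(url).hostname or ""
        if under(host, FORM_HOSTS):
            findings.append((url, "form-builder host"))
        elif claims_brand and not under(host, BRAND_DOMAINS):
            findings.append((url, "brand/host mismatch"))
    return findings

# Constructed sample; the URLs are placeholders, not indicators from the alert.
SAMPLE = """Subject: You have 1 new document to review
Content-Type: text/html

<p>Microsoft Office 365: a document is waiting.</p>
<a href="https://example.typeform.com/to/XXXXXX">Review document</a>
<a href="https://www.office.com/">Office home</a>
<a href="https://office.com.example.net/login">Sign in</a>
"""
```

Matching on the domain suffix rather than a substring is what keeps a lookalike host such as `office.com.example.net` from passing as a Microsoft domain.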

Phishing attacks can be enormously costly and destructive, and new scams are appearing every week. Don’t wait until it happens to your business; protect your business and your staff from financial and reputational damage, now.

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link, they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.




Topics: Phishing microsoft email scams fraud fastbreak typeform
