Phishing Detection in Microsoft Forms

%3CLINGO-SUB%20id%3D%22lingo-sub-754552%22%20slang%3D%22en-US%22%3EPhishing%20Detection%20in%20Microsoft%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-754552%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20a%20question%20about%20the%20recent%20announcement%20for%20phishing%20detection%20in%20Microsoft%20Forms.%20I%20understand%20the%20detection%20for%20new%20Forms.%20Maybe%20someone%20from%20Microsoft%20can%20also%20explain%20some%20details%20for%20existing%20Forms%3F%20Do%20you%20analyse%20published%20Forms%20from%20the%20past%20too%2C%20or%20just%20new%20Forms%3F%20And%20if%20yes%2C%20what%20will%20happen%20with%20these%20type%20of%20Forms%3F%20The%20same%20like%20if%20you%20detect%20a%20phishing%20Form%20in%20the%20design%20phase%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%3CBR%20%2F%3ETobias%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-754552%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EForms%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-793381%22%20slang%3D%22en-US%22%3ERe%3A%20Phishing%20Detection%20in%20Microsoft%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-793381%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F8684%22%20target%3D%22_blank%22%3E%40Tobias%20Asb%C3%B6ck%3C%2FA%3EAccording%20to%20the%20announcement%20in%20the%20Message%20Center%2C%20the%20detection%20is%20performed%20at%20design%20time.%26nbsp%3B%20In%20my%20testing%2C%20it%20appears%20that%20as%20long%20as%20you%20do%20not%20try%20to%20edit%20a%20previously%20created%20Form%2C%20it%20will%20not%20be%20audited%20for%20phishing.%26nbsp%3B%20Below%20is%20the%20specific%20language%20from%20the%20message%20center%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22color%3A%20%23505050%3B%20font-family%3A%20'Segoe%20UI'%2C%20Segoe%2C%20Tahoma%2C%20Helvetica%2C%20Arial%2C%20sans-serif%2C%20SegoeUI-Regular-final%3B%20font-size%3A%2015px%3B%20font-style%3A%20normal%3B%20font-variant-ligatures%3A%20normal%3B%20font-variant-caps%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%200.12px%3B%20orphans%3A%202%3B%20text-align%3A%20justify%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20white-space%3A%20pre-line%3B%20widows%3A%202%3B%20word-spacing%3A%200px%3B%20-webkit-text-stroke-width%3A%200px%3B%20background-color%3A%20%23ffffff%3B%20text-decoration-style%3A%20initial%3B%20text-decoration-color%3A%20initial%3B%20display%3A%20inline%20!important%3B%20float%3A%20none%3B%22%3EThis%20new%20feature%20will%20be%20applied%20to%20all%20public%20forms%20(when%20forms%20setting%20is%20%E2%80%9CAnyone%20with%20the%20link%20can%20respond%E2%80%9D)%20created%20within%20your%20tenant.%20The%20automatic%20detection%20will%20be%20running%20at%20Forms%20design%20time%20and%20if%20any%20suspicious%20phishing%20contents%20(i.e.%20what%E2%80%99s%20your%20password%3F)%20are%20detected%2C%20the%20form%20will%20be%20automatically%20blocked%20for%20sharing%20and%20response%20collection.%20This%20would%20not%20be%20a%20permanent%20block%20as%20the%20form%20can%20be%20unblocked%20if%20the%20form%20designer%20removes%20the%20suspicious%20phishing%20question.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-828118%22%20slang%3D%22en-US%22%3ERe%3A%20Phishing%20Detection%20in%20Microsoft%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-828118%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1023%22%20target%3D%22_blank%22%3E%40Jeremy%20Miller%3C%2FA%3E%26nbsp%3BThanks%20for%20your%20answer%2C%20and%20sorry%20for%20the%20late%20reply.%20I%20can%20confirm%20that.%20A%20few%20days%20after%20I%20posted%20the%20question%20I%20opened%20an%20Office%20365%20support%20case%20with%20the%20same%20question.%20The%20support%20confirmed%2C%20as%20long%20as%20an%20author%20does%20not%20modify%20the%20questions%20of%20an%20existing%20form%20nothing%20happens.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2104917%22%20slang%3D%22en-US%22%3ERe%3A%20Phishing%20Detection%20in%20Microsoft%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2104917%22%20slang%3D%22en-US%22%3E%3CP%20data-unlink%3D%22true%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1023%22%20target%3D%22_blank%22%3E%40Jeremy%20Miller%3C%2FA%3E%26nbsp%3BWe%20are%20facing%20an%20issue%20on%20the%20MS%20Forms%20(pertaining%20to%20this%20new%20detection).%20One%20of%20my%20operating%20staff%20accidentally%20click%20on%20the%20changes%20to%20the%20questions%20(instead%20of%20viewing%20the%20answers)%20and%20after%20I%20amend%20and%20correct%20the%20questions%20back%20to%20original%20questions.%20The%20Form%20is%20being%20flagged%20as%20potential%20phishing.%26nbsp%3B%3CBR%20%2F%3EHad%20went%20into%26nbsp%3B%3CSPAN%3EGo%20to%20the%26nbsp%3B%3C%2FSPAN%3EMessage%20center%3CSPAN%3E%26nbsp%3Band%20look%20for%20the%20notification%2C%26nbsp%3B%22%3C%2FSPAN%3E%3CSTRONG%3EPrevent%2FFix%3A%20Microsoft%20Forms%20Detected%20Potential%20Phishing%22%3C%2FSTRONG%3E%3CSPAN%3E.%26nbsp%3BThere%20are%20no%20messages%20under%20this%20detected%20potential%20phishing.%26nbsp%3BI%20am%20the%20administrator%20of%20the%20organisation%20but%20I%20am%20unable%20to%20have%20any%20options%20to%20either%20Delete%2F%20Unblock%2F%20Confirm%20Phishing.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%3CSPAN%3EHence%20would%20like%20to%20seek%20your%20advise%20on%20what%20should%20we%20do%20to%20unblock%20this%20form%20under%20the%20new%20Phishing%20detection.%20Is%20there%20a%20way%20to%20%3CSTRONG%3Eopt-out%3C%2FSTRONG%3E%20to%20the%20new%20%22Detection%20Potential%20Phishing%22%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Jeremy3611_0-1611817002173.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F250184iE26DE23173D7B411%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Jeremy3611_0-1611817002173.png%22%20alt%3D%22Jeremy3611_0-1611817002173.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2106126%22%20slang%3D%22en-US%22%3ERe%3A%20Phishing%20Detection%20in%20Microsoft%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2106126%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F945626%22%20target%3D%22_blank%22%3E%40Jeremy3611%3C%2FA%3E%26nbsp%3BWe%20are%20experiencing%20this%20same%20issue%20with%20a%20form.%20I%20do%20not%20see%20any%20message%20in%20our%20message%20center%20regarding%20the%20form%20to%20unblock%20it.%20Did%20you%20ever%20get%20yours%20fixed%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2106406%22%20slang%3D%22en-US%22%3ERe%3A%20Phishing%20Detection%20in%20Microsoft%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2106406%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F946128%22%20target%3D%22_blank%22%3E%40kevinduvall%3C%2FA%3EI%20just%20started%20seeing%20this%20happen%20today%20on%20a%20form%20that%20has%20been%20in%20production%20for%20months%20without%20issue.%26nbsp%3B%20Did%20you%20ever%20get%20resolution%20to%20your%20issue%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2106435%22%20slang%3D%22en-US%22%3ERe%3A%20Phishing%20Detection%20in%20Microsoft%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2106435%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F728280%22%20target%3D%22_blank%22%3E%40GlennGomba%3C%2FA%3E%26nbsp%3BNot%20yet.%20I'm%20going%20to%20let%20Microsoft%20support%20know%20about%20the%20issue.%20It%20has%20to%20be%20on%20their%20end%20at%20this%20point.%20Let%20me%20know%20if%20you%20figure%20anything%20out.%20I'll%20do%20the%20same%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2107125%22%20slang%3D%22en-US%22%3ERe%3A%20Phishing%20Detection%20in%20Microsoft%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2107125%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F728280%22%20target%3D%22_blank%22%3E%40GlennGomba%3C%2FA%3E%26nbsp%3Bwe%20had%20a%20form%20do%20this%20as%20well%20today.%26nbsp%3B%20Out%20of%20no%20where.%26nbsp%3B%20It%20did%20not%20get%20a%20message%20in%20the%20Message%20Center.%26nbsp%3B%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EAlso%2C%20does%20anyone%20know%20if%20there%20is%20a%20way%20to%20see%20who%20has%20approved%20or%20denied%20a%20Phishing%20form%3F%26nbsp%3B%20I%20could%20test%20and%20show%20the%20messages%20before%20all%20the%20changes%2C%20now%2C%20I%20haven't%20been%20able%20to%20push%20a%20message%20into%20the%20Message%20Center.%26nbsp%3B%20Bad%20part%20is%20I%20can't%20pinpoint%20what%20specifically%20is%20broken%20to%20help%20a%20ticket%20if%20it%20was%20placed%20in.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2107410%22%20slang%3D%22en-US%22%3ERe%3A%20Phishing%20Detection%20in%20Microsoft%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2107410%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F158196%22%20target%3D%22_blank%22%3E%40Rebecca%20Goodman%3C%2FA%3E%26nbsp%3BWe%20had%20the%20same%20thing%20happen%20with%20a%20couple%20of%20forms%20but%20about%2010%20minutes%20ago%20they%20are%20no%20longer%20flagged.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2108018%22%20slang%3D%22en-US%22%3ERe%3A%20Phishing%20Detection%20in%20Microsoft%20Forms%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2108018%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F946681%22%20target%3D%22_blank%22%3E%40jacobusn%3C%2FA%3E%26nbsp%3BHad%20read%20that%20if%20there%20are%20changes%2Famendments%20to%20the%20existing%20forms%2C%20this%20new%20detection%20policy%20will%20kick%20in%20to%20flag%20this%20MS%20Form%20as%20%22Detected%20as%20Phishing%22%3CBR%20%2F%3EHence%20only%20hope%20that%20Microsoft%20can%20create%20an%20alert%20to%20the%20Administrator%20and%20allow%20Administrator%20of%20the%20Organisation%20to%20determine%20it%20is%20Phishing%20Treat%20or%20not.%20But%20still%20allow%20the%20MS%20Form%20to%20proceed%20ahead%20first%20for%203%20days%20(in%20case%20over%20the%20weekend).%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hello,

 

I have a question about the recent announcement for phishing detection in Microsoft Forms. I understand the detection for new Forms. Maybe someone from Microsoft can also explain some details for existing Forms? Do you analyse published Forms from the past too, or just new Forms? And if yes, what will happen with these type of Forms? The same like if you detect a phishing Form in the design phase?

Thanks
Tobias

12 Replies

@Tobias Asböck According to the announcement in the Message Center, the detection is performed at design time.  In my testing, it appears that as long as you do not try to edit a previously created Form, it will not be audited for phishing.  Below is the specific language from the message center:

 

This new feature will be applied to all public forms (when forms setting is “Anyone with the link can respond”) created within your tenant. The automatic detection will be running at Forms design time and if any suspicious phishing contents (i.e. what’s your password?) are detected, the form will be automatically blocked for sharing and response collection. This would not be a permanent block as the form can be unblocked if the form designer removes the suspicious phishing question.

@Jeremy Miller Thanks for your answer, and sorry for the late reply. I can confirm that. A few days after I posted the question I opened an Office 365 support case with the same question. The support confirmed, as long as an author does not modify the questions of an existing form nothing happens. 

@Jeremy Miller We are facing an issue on the MS Forms (pertaining to this new detection). One of my operating staff accidentally click on the changes to the questions (instead of viewing the answers) and after I amend and correct the questions back to original questions. The Form is being flagged as potential phishing. 
Had went into Go to the Message center and look for the notification, "Prevent/Fix: Microsoft Forms Detected Potential Phishing". There are no messages under this detected potential phishing. I am the administrator of the organisation but I am unable to have any options to either Delete/ Unblock/ Confirm Phishing. 

Hence would like to seek your advise on what should we do to unblock this form under the new Phishing detection. Is there a way to opt-out to the new "Detection Potential Phishing"?

Jeremy3611_0-1611817002173.png

 

@Jeremy3611 We are experiencing this same issue with a form. I do not see any message in our message center regarding the form to unblock it. Did you ever get yours fixed?

@kevinduvallI just started seeing this happen today on a form that has been in production for months without issue.  Did you ever get resolution to your issue?

 

@GlennGomba Not yet. I'm going to let Microsoft support know about the issue. It has to be on their end at this point. Let me know if you figure anything out. I'll do the same

@GlennGomba we had a form do this as well today.  Out of no where.  It did not get a message in the Message Center.  

Also, does anyone know if there is a way to see who has approved or denied a Phishing form?  I could test and show the messages before all the changes, now, I haven't been able to push a message into the Message Center.  Bad part is I can't pinpoint what specifically is broken to help a ticket if it was placed in.

@Rebecca Goodman We had the same thing happen with a couple of forms but about 10 minutes ago they are no longer flagged.

@jacobusn Had read that if there are changes/amendments to the existing forms, this new detection policy will kick in to flag this MS Form as "Detected as Phishing"
Hence only hope that Microsoft can create an alert to the Administrator and allow Administrator of the Organisation to determine it is Phishing Treat or not. But still allow the MS Form to proceed ahead first for 3 days (in case over the weekend).

@Jeremy3611 Microsoft support gave me a link where you can review the form and unblock.
https://forms.office.com/Pages/AdminPhishingReviewPage.aspx?id=

Paste the ID or your form after the "="
The technician said you'll need Office 365 admin credentials for this to work.

@jacobusn sigh, why do they always make it so difficult?! I am the SharePoint and Power Platform Manager in a company of 65,000 staff but do not have Office 365 Admin credentials and so I have to go to someone else if required to make use of this solution.

 

Rob
Los Gallardos
Microsoft Power Automate Community Super User

The phishing detection needs to recognise natural language a little better. I'm creating a form for managers to notify us in advance when their staff leave. One of the questions asks what devices (phone/laptop) they will be returning and I want to put a note to remind them to bring any passwords/access codes with them - I'm not asking them to enter the passwords on the form - but as soon as I type 'password' the phishing notification comes up.