2025-03-27 22:36:11

chort ↙️↙️↙️ on Nostr: I guess some threat actor has figured out how to abuse forms on various platforms, ...

I guess some threat actor has figured out how to abuse forms on various platforms, like Hubspot and Microsoft(!?!) to send invoice phishing.

On Hubspot the real destination URL seems to be hidden until you click submit. At least on Microsoft (customervoice.microsoft.com) it's visible in the form code (although the actor has whited-out the warning not to enter credentials, lmao).

Just absolutely blows my mind that Microsoft allows any way at all to put user-supplied content on a microsoft.com sub-domain. What absolute brain-genius built that site?
Author Public Key
npub1h0er8h4ag5eghz76908rg89lykx37gehume3qpkscxe09yygh56srtceen