Medium Severity

Service abuse: Microsoft Forms Pro with suspicious links or QR codes

Description

Detects messages sent from Microsoft Forms Pro (surveys@email.formspro.microsoft.com) that contain suspicious indicators, including links to suspicious TLDs, recipient email addresses embedded in URLs, OAuth authorization links, personal OneDrive paths, template placeholders, or QR codes pointing to recently registered or suspicious domains.

References

No references.

Sublime Security
Created Jul 14th, 2026 • Last updated Jul 14th, 2026
Source
type.inbound
and sender.email.email == 'surveys@email.formspro.microsoft.com'
and (
  any(body.current_thread.links,
      (
        .href_url.domain.tld in $suspicious_tlds
        and not .href_url.domain.root_domain in ('microsoft.us')
      )
      or any(recipients.to,
             strings.icontains(..href_url.url, .email.email)
             and .email.domain.valid
      )
      or .href_url.fragment in ('[[Email]]')
      or strings.starts_with(.href_url.url,
                             'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'
      )
      // personal onedrive
      or strings.starts_with(.href_url.path, '/:o:/p/')
  )
  or any(file.explode(file.message_screenshot()),
         .scan.qr.url.domain.tld in $suspicious_tlds
         or network.whois(.scan.qr.url.domain).days_old < 100
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Deploy and integrate a free Sublime instance in minutes.
Get Started