Check if a Microsoft Form comes from a trusted source

When you open a Microsoft Form asking you for some sensitive data, do you know where your data will land? Could it be phishing? Read on to find out…

Recently, I received an email at work asking me to fill out a form with some sensitive personal details (voluntary disclosure). I don’t mind giving these details, but I need to be sure that this form really comes from my employer and is not some kind of phishing. Of course, you have phishing protection from Defender for Office and MS Forms itself, but, you know, “Trust, but verify”. In the end, it’s my data… So what can I do?

What did not work:

  1. Looking at the form. There is absolutely nothing in the form itself that says where it comes from (please prove me wrong in the comments! Please!). It can be fully customized with logos, etc.
  2. URL: the URL is simply forms.office.com/Pages/ResponsePage.aspx?id=<FORM_ID>. It does not contain a domain name or tenant ID.
  3. Inspecting the page source code. I tried, maybe you’ll find something I didn’t 🙂

What did work?

Step 1: Find form tenant and owner IDs.

I opened up Edge Dev Tools on the Network tab and started looking at the network requests.

The first one in line was the page I opened https://forms.office.com/Pages/ResponsePage.aspx?id=<ID> and it simply returned some HTML. Not very helpful.

ASPX is not helpful

However, a bit further down I found a similar-looking XHR request:

https://forms.office.com/handlers/ResponsePageStartup.ashx?id=<ID>

This one returns a bunch of JSON, which we can find in the Response tab (ignore the output in the pic; I didn’t take the screenshot until after I had completed the form, and it can only be completed once).

ASHX is what we want!

Scrolling through that JSON, closer to the end I found two very interesting values:

"owner": <GUID>
"owner-tenant": <GUID>

These are clearly the User and MS Entra ID (formerly Azure AD) Tenant GUIDs of the form creator. I can work with that!

Step 2: Look up the form tenant by ID

For this we will use the Microsoft Graph Explorer

There is a Graph API call aptly called findTenantInformationByTenantId (note that it uses Graph Beta)

https://graph.microsoft.com/beta/tenantRelationships/findTenantInformationByTenantId(tenantId='<ID>')

Once I executed this call (tried this as admin in my test tenant and as a user in my work tenant – both worked) I got back the following information, containing the display name and domain name of the form’s tenant.

Seeing that this is indeed my employer’s tenant, my work is done here. But there’s one more thing we can do for the sake of completeness.

Step 3: Look up the form owner by ID [optional]

Let’s say you have some questions for the author of the form, or you actually run into some errors and need to contact them. If they are in the same tenant as you, you could look them up in a similar manner using this API call:

https://graph.microsoft.com/beta/users/

Of course, it would only work if you are in the same tenant – you can’t look up anyone willy-nilly 🙂
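The three steps above gathered into one script, as an added example (not code from the original post): it derives the ResponsePageStartup.ashx URL from the form link, pulls owner and owner-tenant out of the startup JSON, builds the findTenantInformationByTenantId call, and compares Graph’s answer with the employer’s domain. It runs on constructed sample responses and makes no network calls; the nesting of the two keys in the real JSON is assumed (hence the recursive search), the Graph property names (tenantId, displayName, defaultDomainName) are those of the tenantInformation resource, and the GUIDs and the contoso.onmicrosoft.com domain are placeholders.

```python
import json
import re
from urllib.parse import urlparse, parse_qs

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
GRAPH_BETA = "https://graph.microsoft.com/beta"

# Constructed sample of the ResponsePageStartup.ashx JSON: only the two keys
# named in the post are real; the other field and the nesting are assumed.
STARTUP_SAMPLE = json.dumps({
    "title": "Voluntary disclosure",
    "owner": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0",
    "owner-tenant": "11111111-2222-3333-4444-555555555555",
})
# Constructed sample of a findTenantInformationByTenantId result; property
# names are those of Graph's tenantInformation resource, values are made up.
TENANT_SAMPLE = {
    "tenantId": "11111111-2222-3333-4444-555555555555",
    "displayName": "Contoso Ltd",
    "defaultDomainName": "contoso.onmicrosoft.com",
}

def startup_url(form_url):
    """Step 1: turn the ResponsePage.aspx link into the ResponsePageStartup.ashx request."""
    parsed = urlparse(form_url)
    if parsed.hostname != "forms.office.com":
        raise ValueError("not a forms.office.com link")
    form_id = parse_qs(parsed.query)["id"][0]
    return f"https://forms.office.com/handlers/ResponsePageStartup.ashx?id={form_id}"

def find_key(node, key):
    """Depth-first search for a key; the post does not say how deep it sits."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        node = list(node.values())
    if isinstance(node, list):
        return next((v for v in (find_key(c, key) for c in node) if v is not None), None)
    return None

def owner_ids(startup_json):
    """Return (owner, owner-tenant); refuse anything that is not a GUID before it reaches a URL."""
    ids = find_key(json.loads(startup_json), "owner"), find_key(json.loads(startup_json), "owner-tenant")
    if not all(isinstance(g, str) and GUID_RE.match(g) for g in ids):
        raise ValueError("owner / owner-tenant missing or not GUIDs")
    return ids

def tenant_lookup_url(tenant_id):
    """Step 2: the Graph Beta call (pass only a GUID-checked id)."""
    return f"{GRAPH_BETA}/tenantRelationships/findTenantInformationByTenantId(tenantId='{tenant_id}')"

def trusted(tenant_info, owner_tenant, expected_domain):
    """Step 2 verdict: Graph's answer must be for the form's tenant and carry the employer's domain."""
    return ((tenant_info.get("tenantId") or "").lower() == owner_tenant.lower()
            and (tenant_info.get("defaultDomainName") or "").lower() == expected_domain.lower())
```

The two URLs the script builds are what you fetch by hand (the Graph one needs a signed-in session or token, as in Graph Explorer); the JSON you get back is what `owner_ids` and `trusted` consume.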

Closing thoughts.

Having validated that the form is indeed coming from my employer I put my sensitive data in confidently. Case closed!

I wish there was a simpler way to see where the form comes from, though, to establish trust. However, upon reflecting on how I would solve this issue, I’ve realized that no HTML element on that form is fake-proof. Maybe, once decentralized solutions like MS Entra Verified ID become more popular, there will be a way to generate a QR code for the form (with a digitally signed form URL/ID embedded in it) that one could independently scan to validate the URL (important to do it off-channel to prevent spoofing/interception), but I can’t imagine people scrupulously comparing all 30+ characters of that form ID… Or Microsoft would have to offer an option for such sensitive forms to expose the tenant domain name in the URL explicitly (not sure how realistic that is and what other problems might arise).

Do you see a better solution? Write it here or in comments to the LinkedIn post!
