Sophisticated Phishing Scam Leverages Microsoft Sway and QR Codes


VTA-004492 – Sophisticated Phishing Scam Leverages Microsoft Sway and QR Codes

Cybersecurity experts are raising concerns about a new phishing campaign using QR codes, known as “quishing,” which leverages Microsoft Sway to host fake pages. This method highlights the ongoing abuse of trusted cloud services for malicious purposes.

Attackers use Microsoft Sway, a tool within Microsoft 365, to create fake pages that appear credible, as users are often already logged into their Microsoft accounts. This quishing campaign mainly targets users in Asia and North America, particularly in the technology, manufacturing, and finance sectors. Starting in July 2024, there has been a significant rise in phishing attempts using Sway to steal Microsoft 365 credentials by redirecting users to fake sites via QR codes.

The campaign also employs advanced techniques like adversary-in-the-middle (AitM) phishing to capture login details and two-factor authentication (2FA) codes. Some attackers have even used Cloudflare Turnstile to avoid detection by security systems.

A key challenge with quishing is that the phishing URL is encoded inside an image rather than carried as a clickable link, so traditional email scanners that inspect link text never see it. Additionally, users usually scan these codes with a personal mobile device, which typically has weaker security controls than a managed workstation, so the phishing page is opened outside the organization's email and web defenses.

This is not the first time Microsoft Sway has been misused in phishing attacks. In April 2020, a similar campaign named “PerSwaysion” targeted high-ranking officials in various countries. As these quishing attacks grow more sophisticated, including the use of QR codes made from Unicode text characters, detecting and blocking them has become increasingly difficult.
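As an added example (not from the advisory or from Netskope), a heuristic detector for the text-rendered QR codes mentioned above, intended for a mail-filtering pipeline where an image-based QR scanner sees nothing because the code is drawn with Unicode block glyphs. The function name, thresholds and sample messages are my own constructions.

```python
import re
from dataclasses import dataclass

# Block-element glyphs (U+2580-U+259F) are what a "text QR code" is drawn with;
# light modules are usually plain, non-breaking or ideographic spaces.
DARK = re.compile(r"[\u2580-\u259F]")
LIGHT = {" ", "\u00a0", "\u3000"}

@dataclass
class TextQrHit:
    first_line: int   # 1-based line where the grid starts
    rows: int
    width: int
    density: float    # share of grid cells that are dark glyphs

def find_text_qr(body: str, min_rows: int = 10, min_width: int = 15,
                 min_density: float = 0.3) -> list[TextQrHit]:
    """Flag runs of consecutive lines that contain only block glyphs and spaces
    and are big enough to be a QR symbol (21x21 modules at version 1)."""
    hits: list[TextQrHit] = []
    run: list[tuple[int, int]] = []  # (line width, dark glyph count) per line
    run_start = 0
    def flush() -> None:
        if run:
            rows, width = len(run), max(w for w, _ in run)
            density = sum(d for _, d in run) / sum(w for w, _ in run)
            if rows >= min_rows and width >= min_width and density >= min_density:
                hits.append(TextQrHit(run_start + 1, rows, width, density))
        run.clear()

    for idx, line in enumerate(body.splitlines()):
        dark = len(DARK.findall(line))
        # any glyph that is neither dark nor light breaks the grid (prose, HTML)
        foreign = sum(1 for ch in line if not DARK.match(ch) and ch not in LIGHT)
        if dark >= 5 and foreign == 0:
            if not run:
                run_start = idx
            run.append((len(line), dark))
        else:
            flush()
    flush()
    return hits

# Constructed samples (not real campaign data): a 25x25 dark/light pattern
# standing in for a text QR, and a benign mail with a block-glyph rule.
SAMPLE_QUISHING = "Dear user,\n\nScan the code to view the shared document:\n\n" + "\n".join(
    "".join("\u2588" if (7 * r + 3 * c) % 5 < 3 else " " for c in range(25))
    for r in range(25)) + "\n\nRegards"
SAMPLE_BENIGN = "Quarterly report\n" + "\u2588" * 16 + "\nRevenue up 4%\n"
```

A hit only says "this message carries a text-drawn grid"; the flagged lines should then be rendered and decoded so the embedded URL can go through the same URL filtering applied to ordinary links.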

Severity:
Medium

Attack Surface:
Cloud Service, Email, Mobile Application, Office 365, Web Application

Tactics:
Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access


SuperPRO’s Threat Countermeasures Procedures:
1) Only scan QR codes from trusted sources. If you receive a QR code via email or see one on a website, make sure you know and trust the sender or source before scanning it.
2) Look for indicators that a website is legitimate, such as a secure connection (indicated by “https” in the URL) and the correct domain name. Keep in mind that a phishing page hosted on a trusted cloud service such as Sway will still show “https” and a genuine Microsoft domain, so also check that the page content and the login prompt match what you expected to receive. Refrain from entering personal information on sites that seem suspicious or contain minor errors.
3) Configure URL filtering and threat protection policies to detect and block both known and unknown phishing sites.
4) Implement Remote Browser Isolation (RBI) technology for added protection when visiting high-risk websites, such as newly observed or registered domains.

Contributed by: Fatini