A massive QR code phishing campaign has been uncovered, exploiting Microsoft Sway to steal Microsoft 365 credentials. This campaign, identified by Netskope Threat Labs, marks a significant increase in attacks utilizing Microsoft Sway, highlighting the evolving tactics employed by cybercriminals.
QR code phishing campaign exploiting Microsoft Sway
The phishing campaign has primarily targeted users in Asia and North America, focusing on the technology, manufacturing, and finance sectors. Attackers have leveraged Microsoft Sway, a cloud-based platform for creating online presentations, to host malicious landing pages. These pages are designed to trick users into scanning QR codes, redirecting them to phishing sites that steal their credentials.
Tactics and techniques
The attackers have employed several sophisticated techniques to enhance the effectiveness of their campaign:
- QR code phishing: By embedding phishing URLs within images, attackers bypass email scanners that only analyze text-based content. Victims often scan the QR codes with mobile devices, which typically have weaker security protections, increasing the likelihood of successful phishing attempts.
- Transparent phishing: This method involves stealing both the victim’s credentials and multi-factor authentication codes and using them to log the victim into their Microsoft account, while displaying the legitimate login page. This tactic not only facilitates the theft of sensitive information but also makes the attack appear more credible to victims.
- Use of Cloudflare Turnstile: To evade detection, attackers have used Cloudflare Turnstile, a CAPTCHA-alternative challenge service, to conceal phishing content from static scanners. This approach helps maintain the reputation of the phishing domain and avoids blocking by web filtering services like Google Safe Browsing.
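The QR technique above works because the destination URL exists only inside an image. As an added example (not from Netskope or the original article), this Python check flags QR-decoded URLs whose host never appears in the message text and marks those that point at Sway. The Sway hostnames listed, the reason labels, and the upstream QR decoder that supplies `qr_payloads` are assumptions.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

# Hosts that serve Sway pages (assumption: extend for your environment).
SWAY_HOSTS = {"sway.cloud.microsoft", "sway.office.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def web_host(value):
    """Lower-cased host of an http(s) URL, or '' for anything else."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return ""
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower().rstrip(".")

def text_hosts(msg):
    """Hosts a text-only scanner can see: URLs in every text/* part."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            hosts.update(web_host(u) for u in URL_RE.findall(part.get_content()))
    return hosts - {""}

def triage(msg, qr_payloads):
    """Return (reason, url) for QR destinations absent from the message text.

    qr_payloads: strings already decoded from QR codes in the message's
    images by an upstream decoder (hypothetical; not implemented here).
    """
    visible = text_hosts(msg)
    findings = []
    for payload in qr_payloads:
        host = web_host(payload)
        if not host or host in visible:
            continue  # not a web URL, or the text scanner already saw this host
        reason = "qr-only-url-to-sway" if host in SWAY_HOSTS else "qr-only-url"
        findings.append((reason, payload))
    return findings

def sample_message():
    """Constructed sample: harmless text body plus an image attachment."""
    msg = EmailMessage()
    msg.set_content("Scan the attached code. Help: https://support.example.com/mfa.")
    msg.add_attachment(b"placeholder image bytes", maintype="image",
                       subtype="png", filename="qr.png")
    return msg
```

A finding is a reason to route the message for review, not proof of phishing, since legitimate mail also carries QR codes.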
This campaign is reminiscent of the PerSwaysion phishing campaign from five years ago, which also targeted Office 365 credentials using Microsoft Sway. The resurgence of similar tactics underscores the need for ongoing vigilance and security measures to protect against evolving phishing threats.
Recommendations
To mitigate the risk of falling victim to such phishing campaigns, users are advised to:
- Be cautious of emails requesting personal information, especially if the sender’s domain does not match the company’s official domain.
- Avoid clicking on links or downloading files from unsolicited emails, even if they appear to come from trusted sources.
- Verify the legitimacy of URLs by hovering over links to check for mismatched web addresses.
- Be wary of emails with generic greetings or grammatical errors, as these can be indicators of phishing attempts.
- Utilize built-in email client protections to filter suspicious messages and block images unless approved.
The QR code phishing campaign exploiting Microsoft Sway highlights the persistent threat posed by cybercriminals and the importance of robust security practices. As attackers continue to refine their tactics, users must remain vigilant and proactive in protecting their digital identities.

