QR code phishing campaigns that abuse Microsoft Sway, an online presentation tool, to lure Microsoft 365 users into giving away their credentials have risen sharply. Netskope Threat Labs has identified a 2,000-fold increase in these attacks, predominantly impacting sectors like technology, manufacturing, and finance in Asia and North America.
Microsoft Sway is a presentation program that allows you to create visually striking newsletters, presentations, and documentation in minutes. It's part of the Microsoft 365 family of products and makes it easy to combine text, images, and other media to create interactive and engaging content.
How Microsoft Sway is Being Exploited
Phishing emails are redirecting recipients to pages on the sway.cloud.microsoft domain. These pages prompt users to scan QR codes, which then lead to harmful websites. Attackers take advantage of the weaker security measures on mobile devices, which make it easier for the phishing site to bypass protections and be reached undetected.
Netskope highlights that embedding URLs in images helps phishing emails evade text-based email scanners. Additionally, users often scan QR codes with their smartphones, which typically have less stringent security compared to computers, increasing their susceptibility.
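One way a mail pipeline could surface messages that link to Sway pages for review, as an added example (not code from Netskope or the original article); the function names and the sample message are assumptions constructed here.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

SWAY_HOST = "sway.cloud.microsoft"  # host named in the article
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

class _Hrefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k == "href" and v]

def is_sway_url(url):
    """Exact host match: sway.cloud.microsoft.example.net must not count."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return False
    return host is not None and host.rstrip(".").lower() == SWAY_HOST

def sway_links(raw_message):
    """Return sorted Sway URLs from the text and HTML parts of a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        candidates = URL_RE.findall(body)
        if ctype == "text/html":
            parser = _Hrefs()
            parser.feed(body)
            candidates += parser.urls
        found.update(u for u in candidates if is_sway_url(u))
    return sorted(found)

# Constructed sample message; the sender, recipient and Sway path are made up.
SAMPLE = (
    "From: sender@example.com\nTo: user@example.org\n"
    "Subject: Shared document\nContent-Type: text/html; charset=utf-8\n\n"
    '<a href="https://SWAY.cloud.microsoft/EXAMPLE-ID?ref=mail">Open</a> '
    '<a href="https://sway.cloud.microsoft.example.net/x">Mirror</a>\n'
)
print(sway_links(SAMPLE))
```

Because Sway is a legitimate Microsoft 365 service, a hit is a signal for review rather than a verdict. Links that a mail gateway has rewritten or wrapped inside another URL are not unwrapped by this sketch.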
Sophisticated Phishing Strategies
The campaign employs advanced tactics to boost its success rate. It uses transparent phishing to steal both login credentials and multi-factor authentication codes, signing victims into their Microsoft accounts while showing them the legitimate login page. Furthermore, Cloudflare Turnstile is used to hide the phishing content from static scanners, which helps the phishing domain keep its good standing and avoid blocks from services like Google Safe Browsing.
Microsoft Sway has been misused before, notably in the PerSwaysion phishing operation five years ago, which targeted Office 365 credentials. The campaign, uncovered by Group-IB, deceived at least 156 prominent figures in financial services, law firms, and real estate sectors, capturing the credentials of executives and directors in multiple countries including the U.S., Germany, and Hong Kong.