Netskope Threat Labs documented a 2,000-fold surge in phishing pages delivered via Microsoft Sway in July 2024, using QR codes (Quishing) to harvest Microsoft 365 credentials. Attackers relied on transparent phishing and Cloudflare Turnstile to evade detection and MFA safeguards, exploiting Sway’s free, shareable nature. #MicrosoftSway #Quishing #CloudflareTurnstile #TransparentPhishing #Microsoft365
Keypoints
- Significant Increase in Phishing Traffic: A 2,000-fold increase in traffic to Microsoft Sway phishing pages was observed in July 2024.
- Quishing Technique: Attackers used QR codes to redirect users to malicious sites, exploiting the familiarity of QR codes from the COVID-19 pandemic.
- Targeted Credentials: The phishing campaigns primarily aimed at MS Office credentials, particularly from Microsoft 365 accounts.
- Exploiting Microsoft Sway: The free access and shared nature of Sway made it an attractive target for attackers.
- Use of Cloudflare Turnstile: This technique helped attackers avoid detection by static content scanners.
- Transparent Phishing: Attackers mimicked legitimate login pages to collect user credentials while bypassing multi-factor authentication.
- Recommendations for Users: Users are advised to verify URLs and access important sites directly to avoid phishing attempts.
MITRE Techniques
- [T1566] Phishing (Spear Phishing) – Using QR codes to redirect users to phishing sites. “Utilizing QR codes to redirect users to phishing sites.”
- [T1003] Credential Dumping – Collecting user credentials through transparent phishing techniques; attempting to log victims into services while collecting multi-factor authentication codes. “Collecting user credentials through transparent phishing techniques” and “Attempting to log victims into services while collecting MFA codes.”
- [T1071] Exploitation of Cloud Services – Abusing legitimate cloud applications like Microsoft Sway to deliver phishing content. “Abusing legitimate cloud applications like Microsoft Sway to deliver phishing content.”
Indicators of Compromise
- [Domain] sway.cloud.microsoft – legitimate Microsoft domain that serves Sway pages, abused to host the phishing content
- [Domain] login.qr-code-generator.com – legitimate QR code generator service, abused to generate and host QR code-based phishing URLs
- [URL] https://sway.cloud.microsoft/{16_alphanumeric_string}?ref={sharing_option} – example phishing page URL format
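A detection sketch for the two indicators above, written as an added example rather than anything from the Netskope post: it parses constructed proxy log lines (format, IPs and Sway ids are all made up), matches the Sway sharing URL format, counts hits per day so a surge like the one described stands out against baseline, and flags clients that touched the QR generator host before loading a Sway share link (a heuristic, not a rule stated on the page).

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# URL format from the IoC section: a 16-character alphanumeric Sway id
# followed by an optional ?ref= sharing option.
SWAY_SHARE_RE = re.compile(
    r"^https://sway\.cloud\.microsoft/[A-Za-z0-9]{16}(?:\?ref=[A-Za-z0-9_-]+)?$"
)
QR_HOST = "login.qr-code-generator.com"

# Constructed proxy log lines (not real data): "<timestamp> <client> <url>".
SAMPLE_LOG = """\
2024-06-03T09:12:41Z 10.1.4.22 https://sway.cloud.microsoft/Ab3dEfGh12345678?ref=Link
2024-07-09T08:01:03Z 10.1.7.90 https://login.qr-code-generator.com/scan/x9k2
2024-07-09T08:01:05Z 10.1.7.90 https://sway.cloud.microsoft/Zz9yXw8vUt7sRq6p?ref=Link
2024-07-09T08:14:52Z 10.1.2.13 https://sway.cloud.microsoft/Qq1wEe2rTt3yUu4i?ref=Link
2024-07-09T08:15:10Z 10.1.2.13 https://www.microsoft.com/en-us/
2024-07-10T14:30:00Z 10.1.9.41 https://sway.cloud.microsoft/Short1234
"""


def is_sway_share_url(url: str) -> bool:
    """True for URLs matching the Sway sharing format in the IoC list."""
    return SWAY_SHARE_RE.match(url) is not None


def is_qr_generator_url(url: str) -> bool:
    """True for requests to the QR code generator host named in the IoC list."""
    return urlparse(url).hostname == QR_HOST


def triage(log_text: str) -> Dict[str, object]:
    """Return Sway share-link hits per day, plus (client, url) pairs where the
    same client hit the QR generator host earlier in the log (quishing chain)."""
    per_day: Counter = Counter()
    qr_clients: set = set()
    chains: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        ts, client, url = line.split(maxsplit=2)
        if is_qr_generator_url(url):
            qr_clients.add(client)
        elif is_sway_share_url(url):
            per_day[ts[:10]] += 1  # bucket by date for baseline comparison
            if client in qr_clients:
                chains.append((client, url))
    return {"per_day": dict(per_day), "qr_chains": chains}
```

Because sway.cloud.microsoft is a legitimate Microsoft domain, a match is a triage signal to compare against the organisation's normal Sway usage, not grounds for blocking the domain outright.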
Read more: https://www.netskope.com/blog/phishing-in-style-microsoft-sway-abused-to-deliver-quishing-attacks