Cybersecurity researchers have uncovered a new QR code phishing (quishing) campaign that exploits Microsoft Sway to host fake pages, highlighting the continued abuse of legitimate cloud platforms for malicious purposes. This campaign primarily targets users in Asia and North America, with the technology, manufacturing, and finance sectors being the most affected.
The attackers leverage Microsoft Sway, a cloud-based tool within the Microsoft 365 suite, to create seemingly legitimate pages that prompt users to scan bogus QR codes. These codes redirect victims to phishing websites designed to steal their Microsoft 365 credentials. The use of Sway enhances the campaign’s credibility, especially since many users are already logged into their Microsoft accounts when accessing these pages.
Phishing is a very popular technique of attackers. They trick users into entering their credentials on some fraudulent site pretending to be a corporate login page, for example to log into Microsoft Entra ID. The user enters their login credentials there and sends them to the… pic.twitter.com/eBte9noXS9
— Lukas Beran (@lukasberancz) August 28, 2024
Notably, this campaign has seen a dramatic 2,000-fold increase in traffic to unique Microsoft Sway phishing pages since July 2024. To further evade detection, some campaigns have employed Cloudflare Turnstile to obscure domains from static URL scanners and have used adversary-in-the-middle (AitM) phishing tactics to intercept credentials and two-factor authentication (2FA) codes.
Jan Michael Alcantara of Netskope Threat Labs noted that the use of QR codes poses significant challenges to defenders, as the URL is embedded within an image, bypassing many text-based email scanners. Additionally, victims are often more vulnerable when scanning QR codes with mobile devices, which typically have less stringent security measures than desktops or laptops.
This isn’t the first time Microsoft Sway has been abused in phishing campaigns. In April 2020, a campaign dubbed PerSwaysion successfully compromised corporate email accounts of high-ranking officials by redirecting them to credential-harvesting sites via Sway.
As quishing campaigns grow more sophisticated, attackers have even started crafting QR codes using Unicode text characters instead of images, a technique that challenges conventional security measures by bypassing detections designed for suspicious images, said SlashNext CTO J. Stephen Kowski.
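Text-based scanners can still catch the Unicode-rendered QR codes described above, because the "image" is just a block of block-element glyphs. The following heuristic detector is an added example written for this article, not code from Netskope, SlashNext or any vendor; the thresholds, function names and the embedded e-mail body are all constructed for illustration.

```python
"""Heuristic detector for QR codes drawn with Unicode block glyphs in e-mail text."""
from typing import List, Tuple

# Block-element glyphs commonly used to draw QR modules as plain text.
BLOCK_CHARS = frozenset("\u2588\u2580\u2584\u258c\u2590\u2591\u2592\u2593")  # █ ▀ ▄ ▌ ▐ ░ ▒ ▓

# Constructed thresholds: the smallest QR symbol is 21x21 modules, and real
# symbols are roughly half dark, so a solid banner or a short decorative bar
# should not trigger.
MIN_ROWS, MIN_WIDTH = 8, 15
MIN_DENSITY, MAX_DENSITY = 0.25, 0.75


def is_grid_line(line: str) -> bool:
    """True if the line contains only block glyphs and spaces, with at least one glyph."""
    core = line.rstrip("\r\n").strip(" ")
    return bool(core) and all(ch in BLOCK_CHARS or ch == " " for ch in core) \
        and any(ch in BLOCK_CHARS for ch in core)


def find_text_qr_grids(body: str) -> List[Tuple[int, int, int, float]]:
    """Return (first_line, last_line, width, dark_density) for each suspicious grid.

    Line indexes are zero-based positions in body.splitlines().
    """
    lines = body.splitlines()
    hits: List[Tuple[int, int, int, float]] = []
    run: List[str] = []
    start = 0
    for idx, line in enumerate(lines + [""]):  # sentinel flushes a trailing run
        if is_grid_line(line):
            if not run:
                start = idx
            run.append(line.rstrip())
            continue
        if len(run) >= MIN_ROWS:
            width = max(len(r) for r in run)
            dark = sum(1 for r in run for ch in r if ch in BLOCK_CHARS)
            density = dark / (width * len(run))
            if width >= MIN_WIDTH and MIN_DENSITY <= density <= MAX_DENSITY:
                hits.append((start, idx - 1, width, round(density, 2)))
        run = []
    return hits


# Constructed sample: a lure body with a 10-row text-rendered grid (not a real QR code).
QR_GRID_ROWS = [
    "███████ █ █ █ ███████", "█     █ ██ ██ █     █", "█ ███ █ █ ███ █ ███ █",
    "█ ███ █  █ █  █ ███ █", "█ ███ █ ██ ██ █ ███ █", "█     █ █   █ █     █",
    "███████ █ █ █ ███████", "        ██ █         ", "█ ██ ████ ██ ██ █ █  ",
    "  █ ██  █ █  ██  ███ ",
]
SAMPLE_EMAIL = "\n".join(["Subject: Action required: review your shared document", "",
                          "Scan the code below with your phone to open the document:", "",
                          *QR_GRID_ROWS, "", "Thank you,", "IT Service Desk"])
```

Flagged grids can be routed to the same quarantine or manual-review path used for image-borne QR codes; a decoder such as zbar run over a rendering of the grid would then recover the embedded URL for reputation checks.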
This evolving threat underscores the need for heightened vigilance and robust security measures in defending against phishing attacks.
Stay alert and ensure your systems and protocols are up to date to counter these sophisticated threats.
Sandhya Goswami
Sandhya is a contributing author at Cloudways, specializing in content promotion and performance analysis. With a strong analytical approach and a keen ability to leverage data-driven insights, Sandhya excels in measuring the success of organic marketing initiatives.