Microsoft Sway Abused to Deliver Quishing Attacks
On August 27, 2024, Netskope Threat Labs reported a surge in traffic to phishing pages hosted on Microsoft Sway, a free web-based application within the Microsoft 365 suite. These phishing campaigns predominantly employed "Quishing," a technique using QR codes
Introduction
On August 27, 2024, Netskope Threat Labs reported a surge in traffic to phishing pages hosted on Microsoft Sway, a free web-based application within the Microsoft 365 suite. These phishing campaigns predominantly employed "Quishing," a technique using QR codes to lure victims into revealing their credentials. They targeted Microsoft Office users across Asia and North America, with a particular focus on the Technology, Manufacturing, and Finance sectors.
Report Overview
Microsoft Sway, designed to help users create visually appealing presentations, has become a new favourite for cybercriminals due to its free access and inherent credibility associated with Microsoft's ecosystem. The attackers cleverly leveraged Sway's legitimate domain and user interface to host phishing pages, thereby increasing their chances of tricking users into entering their login credentials.
Over the past six months, traffic to malicious Sway pages has remained minimal. However, a significant spike in July 2024 triggered a thorough investigation by Netskope Threat Labs, revealing that these pages were not only targeting Microsoft 365 accounts but also part of a sophisticated phishing campaign.
The phishing campaigns uncovered by Netskope Threat Labs use several advanced techniques to bypass traditional security measures. One of the primary methods was "Quishing," which involved embedding malicious URLs within QR codes. This tactic exploits users' growing comfort with scanning QR codes, a habit popularized during the COVID-19 pandemic for contactless interactions.
The QR codes used in these attacks were generated using tools like Google Chrome and QR Code Generator PRO. Once scanned, they redirected victims to malicious websites mirrored legitimate Microsoft 365 login pages. Attackers capitalized on the relatively weaker security protocols of personal mobile devices, which users often employ to scan QR codes, to bypass corporate security measures.
Another technique employed was transparent phishing. This method involves presenting the victim with a phishing page that visually and functionally replicates a legitimate login page. In this case, the phishing pages were almost indistinguishable from the actual Microsoft 365 login interface, with one key difference: all legitimate URLs were replaced with the phishing domain, allowing attackers to collect the victims' credentials.
To further avoid detection, some campaigns integrated Cloudflare Turnstile, a CAPTCHA-like service, to prevent static URL scanners from analyzing the phishing payload. This technique ensured that the phishing domain maintained a good reputation, bypassing web filtering services and allowing the malicious campaign to continue undetected for longer periods.
Insights and Analysis
By targeting Microsoft 365 accounts, the attackers potentially accessed sensitive corporate information, putting organizations across various industries at risk. The use of transparent phishing and the ability to bypass multi-factor authentication (MFA) significantly increases the threat level, as it affects not only the initial login credentials but also any associated security tokens.
Victims of these attacks may unknowingly grant attackers access to their accounts, leading to data breaches, financial losses, and reputational damage. The broad targeting of industries like technology, manufacturing, and finance indicates that the attackers strategically target sectors with high-value data and assets.
The exploitation of Microsoft Sway in these phishing campaigns highlights the need for heightened caution and updated security measures. As attackers continue to innovate, leveraging legitimate cloud-based applications like Sway, organizations must stay ahead by implementing comprehensive security strategies.
To mitigate the risks associated with these phishing attacks, we recommend improving user awareness, including the possibility of trusted relationship abuse, such as leveraging legitimate applications for destructive purposes. Continuous education on the risks associated with QR code scanning and phishing techniques can help reduce the likelihood of successful attacks. However, because the human element accounts for 80% of all issues, a strong security culture, specifically in self-reporting without punishment, can help reduce the impact of an incident if a user reports quickly enough.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| hxxps://sway.cloud[.]microsoft/itPRuwnKjkATyKUR?ref=Link | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/T0yF99kFP1KAoquD?ref=Link&loc=mysways | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/ntDdZK6JoKgvMqNU?ref=Link | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/IUbqaHWqUH6C5eAW?ref=Link | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/CxF8QqYpUv9r0Vx0?ref=Link&loc=play | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/AnGIKbMo1Bq8iTGH?ref=Link | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/aETxkd7BuvhId4sF?ref=Link&loc=play | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/RcSS1NyUsTAQ4GbQ?ref=Link&loc=play | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/PkAKyuZ7HsxLhVA5?ref=Link | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/VB7PWySCwoKy4Mvc | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/vL0rhxc8x4I16Lwh?ref=Link | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/lAsxBmdzUG5VXXav?ref=Link | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/DmxuQNgtqLKxUmHE?ref=Link | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/IUbqaHWqUH6C5eAW?ref=Link | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/CxF8QqYpUv9r0Vx0?ref=Link&loc=play | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/05LIlwBFn0qWED6i?ref=Link | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| hxxps://sway.cloud[.]microsoft/IzK05FqeCrAXEVo7?ref=Link | URL | Malicious URL hosted on Microsoft Sway, used for phishing |
| login.msofficeopt[.]nl | Domain | Phishing domain used in campaigns targeting Microsoft 365 users |
| gdu.msofficeopt[.]nl | Domain | Phishing domain used in campaigns targeting Microsoft 365 users |
| ffnthost365[.]cfd | Domain | Phishing domain used in campaigns targeting Microsoft 365 users |
| nedttis365[.]xyz | Domain | Phishing domain used in campaigns targeting Microsoft 365 users |
| msntntion0[.]cfd | Domain | Phishing domain used in campaigns targeting Microsoft 365 users |
MITRE ATT&CK Techniques
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Phishing | T1566 | This technique involves the use of phishing to gain initial access to a victim's environment. Attackers often send emails with malicious links or attachments that lead to the compromise of systems. |
| Defense Evasion | Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 | The phishing campaigns mentioned use techniques like Cloudflare Turnstile to evade detection by static analysis tools and web filters. |
| Credential Access | Phishing for Information: User Execution | T1534 | The attackers use QR codes in phishing campaigns to trick users into visiting malicious sites and entering their credentials. |
| Defense Evasion | Abuse Elevation Control Mechanism: Transparent Phishing | T1562.001 | The phishing campaigns utilize transparent phishing to bypass multi-factor authentication (MFA) and other security measures. |
| Initial Access | Trusted Relationship | T1199 | Exploiting trusted relationships between users and cloud services like Microsoft Sway to deliver phishing content. |
References
Jan Michael Alcantara
Comments ()