Microsoft Sway Abused By Threat Actors To Steal Login Credentials


Researchers observed a significant surge in phishing attacks targeting Microsoft Office credentials via Microsoft Sway in July 2024. Attackers used QR codes to lure victims to malicious websites, and employed transparent (attacker-in-the-middle) phishing and Cloudflare Turnstile to evade detection and bypass security measures.

These campaigns primarily targeted users in Asia and North America from various industries, emphasizing the need for enhanced security awareness and protection against sophisticated phishing tactics.


Microsoft Sway, a free Microsoft 365 application, is being exploited by attackers to distribute phishing content.

Its ease of access and integration with Microsoft accounts make it a tempting target for malicious campaigns, as it can increase the credibility of phishing attempts and deceive victims into trusting the content.


Sample phishing page using Microsoft Sway

This increase coincides with Microsoft’s decision to consolidate all of its cloud services under a single domain, which may indicate a change in the strategies employed by attackers. 

Quishing is a phishing attack where attackers embed malicious URLs in QR codes.

Victims are lured into scanning these QR codes, which redirect them to fraudulent websites designed to steal personal information or infect their devices with malware. 

Quishing capitalized on the increased use of QR codes during the COVID-19 pandemic, when people became accustomed to scanning them for many everyday purposes.

Sway page with QR code containing phishing URL

Phishing campaigns are exploiting QR codes to bypass traditional email scanners and target mobile devices, which often have less stringent security measures.

Google Chrome and QR Code Generator PRO are being used to create these malicious QR codes, redirecting victims to phishing websites.

Phishing attackers place Cloudflare Turnstile in front of their malicious websites so that static analysis tools never reach the phishing payload, web filtering services cannot easily classify and block the pages, and the domain keeps a good reputation.

Attacker-in-the-middle phishing is a more advanced technique than traditional phishing. It not only collects user credentials but also attempts to log the victim into the legitimate service, potentially bypassing multi-factor authentication, which allows attackers to steal sensitive tokens or cookies that can be used for further unauthorized access.

Traditional phishing found on the Microsoft Sway phishing campaign

According to Netskope, Microsoft Sway has become a target for phishing attacks, where attackers use Cloudflare Turnstile to evade detection and collect credentials through transparent phishing.

Defenders should update their security controls to block the new Microsoft Sway domain.

To combat phishing attempts hosted on sway.cloud.microsoft, users should verify URLs before entering credentials and navigate to critical sites directly rather than through links or QR codes.

Organizations can leverage URL filtering, threat protection policies, and Remote Browser Isolation (RBI) for enhanced web and cloud traffic security.
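As an added example (not code from the article or from Netskope), the following Python script shows the URL-filtering idea in practice: it triages constructed web-proxy log lines and flags requests to the Sway domain named above so a SOC analyst can review them. The log format, the sample lines, the client IPs and the Sway page identifiers are all constructed for illustration; the host check deliberately matches only the exact domain and its subdomains, so a lookalike such as `sway.cloud.microsoft.<other-domain>` is not flagged.

```python
"""Flag web-proxy requests to the Microsoft Sway domain for analyst review.

Added example, not part of the original article. The proxy log format
and every sample line below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Domain named in the article. Subdomains are covered by the suffix check.
SWAY_DOMAINS = frozenset({"sway.cloud.microsoft"})

# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log (page IDs and IPs are placeholders, not real IoCs).
SAMPLE_LOG = """\
2024-07-15T09:12:01Z 10.0.0.21 GET https://sway.cloud.microsoft/s/EXAMPLEPAGEID 200
2024-07-15T09:12:05Z 10.0.0.21 GET https://login.microsoftonline.com/common/oauth2/authorize 302
2024-07-15T09:13:44Z 10.0.0.33 GET HTTPS://User@Sway.Cloud.Microsoft:443/s/OTHERPAGE?x=1 200
2024-07-15T09:14:10Z 10.0.0.40 GET https://sway.cloud.microsoft.phish.example/s/abc 200
2024-07-15T09:15:00Z 10.0.0.41 GET sway.cloud.microsoft/s/NOSCHEME 200
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    url: str


def normalised_host(url: str) -> Optional[str]:
    """Return the lower-cased hostname, ignoring userinfo, port, path and case.

    A scheme-less URL (as some proxies log it) is treated as network-path
    relative so urlsplit still recognises the host.
    """
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname  # .hostname lower-cases and strips port/userinfo


def is_sway_host(host: Optional[str], domains=SWAY_DOMAINS) -> bool:
    """True only for the exact domain or a subdomain of it, never a lookalike."""
    if not host:
        return False
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(lines: List[str]) -> List[Hit]:
    """Parse proxy log lines and return those that reached a Sway host."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the triage run
        if is_sway_host(normalised_host(m["url"])):
            hits.append(Hit(m["ts"], m["client"], m["url"]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.client} -> {hit.url}")
```

Flagging rather than blocking is deliberate: Sway also hosts legitimate content, so in an environment where the domain is not outright blocked, the hits are the starting point for a review of who visited which page and whether a credential prompt followed. The same host check can feed a URL-filtering rule or an RBI policy that opens the flagged pages in an isolated browser.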
