Phishing remains a serious concern, and attackers keep devising new ways to deceive their targets. One technique gaining prominence is QR code phishing, also known as quishing. Researchers have identified a recent phishing campaign that abuses Microsoft Sway, the cloud-based Microsoft 365 tool for creating newsletters, presentations, and documentation. It is another instance of the growing trend of criminals hosting malicious content on legitimate cloud applications.
By hosting their fake pages on Microsoft Sway infrastructure, attackers get content that is served from a genuine Microsoft domain, which lends it credibility a look-alike domain would not have. Victims are also often already signed in to Microsoft 365 when they open a Sway page, which makes the page feel like part of their normal work environment. Sway pages can be shared through links or embedded on websites, so they are easy to distribute and easy for targets to reach.
The primary targets of this campaign have been users in Asia and North America, with technology, manufacturing, and finance the most heavily targeted sectors. The goal is to steal users' Microsoft 365 credentials, which give the attackers access to the victim's mailbox, files, and any other resources the account can reach.
Netskope Threat Labs, the research team of the cybersecurity firm Netskope, has observed a sharp increase in traffic to unique Microsoft Sway phishing pages since July 2024. The attackers distribute QR codes that, when scanned, redirect the user to a phishing site. To evade static analysis, some of these quishing campaigns place Cloudflare Turnstile in front of the phishing page, so that static URL scanners that cannot solve the challenge never see the actual phishing domain or its content.
What sets this campaign apart is its use of adversary-in-the-middle (AitM) phishing, also known as transparent phishing. Rather than serving a static copy of the login page, the phishing site proxies the victim's interaction with the real service: the lookalike page collects the username, password and two-factor authentication (2FA) code, relays them to the legitimate service in real time, and lets the victim land in a genuine signed-in session. The victim sees a normal login, while the attacker keeps the credentials and, more importantly, the authenticated session that results. That is what lets the technique defeat one-time-code 2FA: the code is used once, by the proxy, exactly as intended.
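The exchange described above, as an added example that is not part of the original report or any phishing kit: a toy identity service, a transparent proxy on a lookalike origin, and a victim who signs in with a password plus one-time code. All origins, secrets and tokens are constructed. The same model also shows why an origin-bound WebAuthn assertion (FIDO2 key or passkey) cannot be relayed the way a one-time code can, which is the caveat behind the "multifactor authentication" advice in the conclusion.

```python
"""Toy model of adversary-in-the-middle (AitM) phishing.  Added example with
constructed services, secrets and origins; it is not code from any phishing
kit or from the Netskope report.  The proxy relays a password and one-time
code to the real service in real time and keeps the session cookie it gets
back; an origin-bound WebAuthn assertion cannot be relayed the same way."""
import hmac
import secrets


def otp_code(secret: bytes, counter: int) -> str:
    """HOTP-style one-time code (truncated HMAC), enough to model a 2FA prompt."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), "sha1").digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


class Authenticator:
    """Models a FIDO2 key: it signs the challenge together with the origin the
    browser reports, so the signature is bound to the page that asked for it."""
    def __init__(self, key: bytes):
        self.key = key

    def sign(self, challenge: str, origin: str) -> dict:
        sig = hmac.new(self.key, f"{challenge}|{origin}".encode(), "sha256").hexdigest()
        return {"challenge": challenge, "origin": origin, "sig": sig}


class Service:
    """The legitimate identity provider (hypothetical origin)."""
    def __init__(self, origin="https://login.example.invalid"):
        self.origin = origin
        self.users, self.sessions, self.pending = {}, {}, {}

    def register(self, user, password, otp_secret, authenticator_key):
        self.users[user] = (password, otp_secret, authenticator_key)

    def _issue(self, user):
        cookie = secrets.token_hex(16)          # post-MFA session cookie
        self.sessions[cookie] = user
        return cookie

    def login_otp(self, user, password, otp, counter=0):
        pw, otp_secret, _ = self.users[user]
        if hmac.compare_digest(pw, password) and hmac.compare_digest(otp_code(otp_secret, counter), otp):
            return self._issue(user)
        return None

    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def login_webauthn(self, user, assertion):
        _, _, key = self.users[user]
        # The server verifies against ITS OWN origin, never the one the client claims.
        expected = hmac.new(key, f"{assertion['challenge']}|{self.origin}".encode(), "sha256").hexdigest()
        if assertion["challenge"] != self.pending.pop(user, None):
            return None
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None                          # signed for another origin, or wrong key
        return self._issue(user)

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class AitMProxy:
    """Transparent phishing page on a lookalike origin; it forwards everything."""
    def __init__(self, target: Service, origin="https://login-example.invalid"):
        self.target, self.origin, self.captured = target, origin, []

    def login_otp(self, user, password, otp):
        cookie = self.target.login_otp(user, password, otp)   # relayed in real time
        if cookie:
            self.captured.append(cookie)                       # the prize: a session that already passed MFA
        return cookie                                           # the victim ends up logged in and sees nothing odd

    def login_webauthn(self, user, authenticator: Authenticator):
        challenge = self.target.challenge(user)                 # the challenge relays fine...
        assertion = authenticator.sign(challenge, self.origin)  # ...but the browser binds it to the phishing origin
        return self.target.login_webauthn(user, assertion)


def run_demo():
    svc = Service()
    otp_secret, key = b"otp-secret", b"fido-key"                # constructed secrets
    svc.register("alice", "correct horse", otp_secret, key)
    proxy = AitMProxy(svc)
    # 1. password + OTP relayed: the victim is logged in, and so is the attacker
    victim_cookie = proxy.login_otp("alice", "correct horse", otp_code(otp_secret, 0))
    stolen = proxy.captured[0]
    # 2. WebAuthn through the same proxy: origin mismatch, verification fails
    relayed = proxy.login_webauthn("alice", Authenticator(key))
    return {
        "victim_logged_in": svc.whoami(victim_cookie) == "alice",
        "attacker_session": svc.whoami(stolen) == "alice",
        "webauthn_relay_ok": relayed is not None,
    }
```

`run_demo()` returns `victim_logged_in` and `attacker_session` both true and `webauthn_relay_ok` false: the OTP path hands the proxy a working session, the WebAuthn path does not, because the server checks the signature against its own origin rather than the origin the client reports.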
Delivering the phishing URL as a QR code complicates detection. Because the URL is encoded in an image, email scanners that inspect only text and hyperlinks find nothing to follow. Users also typically scan QR codes with a mobile device, often a personal one, which sits outside the corporate controls (web filtering, endpoint protection, conditional access) that would have blocked the same link on a managed laptop or desktop, so the victim reaches the phishing page with far less protection.
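As an added example of the detection gap described above (this is not the original article's code, nor Netskope's tooling), the following triage heuristic uses Python's standard `email` package to pull apart a message, count the hyperlinks a text-based scanner would see, and flag the quishing shape: an image part, a "scan this" prompt, and no clickable link at all. The sample message is constructed inline; the sender address and file name are placeholders.

```python
"""Heuristic triage for QR-code ('quishing') e-mails.  Added example: the URL
lives inside an image, so a text URL scanner sees nothing; flag messages that
combine an image part with a 'scan this' cue and no clickable link."""
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
SCAN_CUE_RE = re.compile(r"\b(scan|qr\s*code|camera)\b", re.I)


def build_sample(body, attach_image=True):
    """Constructed test message, not a capture from the Sway campaign."""
    msg = EmailMessage()
    msg["From"] = "docs@example.invalid"     # hypothetical sender
    msg["Subject"] = "Shared document"
    msg.set_content(body)
    if attach_image:
        # eight PNG signature bytes plus filler stand in for a QR image
        msg.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(64),
                           maintype="image", subtype="png", filename="qr.png")
    return msg.as_bytes()


def triage(raw):
    """Return what a text-only scanner would see next to what it would miss."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text, images = [], 0
    for part in msg.walk():
        ct = part.get_content_type()
        if ct in ("text/plain", "text/html"):
            text.append(part.get_content())
        elif part.get_content_maintype() == "image":
            images += 1
    body = "\n".join(text)
    links = len(URL_RE.findall(body))
    cue = bool(SCAN_CUE_RE.search(body))
    # With links == 0 a URL scanner has nothing to check; an image plus a scan
    # prompt plus no link is exactly the quishing shape, so escalate it.
    verdict = "quishing-candidate" if images and cue and links == 0 else "no-finding"
    return {"images": images, "links": links, "scan_cue": cue, "verdict": verdict}
```

This only triages: actually extracting the URL from the image needs a QR decoder (for example the zbar library) in the mail pipeline, after which the decoded URL can be fed to the same reputation and detonation checks that ordinary hyperlinks get.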
This is not the first time Microsoft Sway has been abused for phishing. In April 2020, a campaign named PerSwaysion compromised the corporate email accounts of senior executives in several countries, using Sway pages as a redirection step on the way to credential-harvesting sites.
As security vendors add countermeasures for image-based threats, quishing campaigns are adapting. One response is "Unicode QR code phishing": instead of an image, the QR code is drawn with Unicode block characters (full and half blocks and spaces) laid out in a monospaced grid. Rendered on screen it looks, and scans, like an ordinary QR code, but a detection that looks for suspicious image attachments finds no image at all, and in the raw message text the code is nothing more than a run of block characters, so it slips past controls built around images.
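The following added example (not the article's or Netskope's code) shows both halves of the Unicode trick: how a module grid is drawn with half-block characters, two module rows per text line, and how a detector can reverse that encoding and test the result for the QR finder patterns in the corners instead of looking for an image. The input module layout is constructed: it has the three finder patterns of a 21x21 (version 1) symbol in their real positions and deterministic filler elsewhere, so it has the shape a detector keys on but encodes nothing and is not scannable.

```python
"""Detector for 'Unicode QR codes': text that draws a QR symbol with block
characters instead of an image.  Added example, not Netskope's tooling;
the module layout used as input is constructed and is not a scannable QR."""

FULL, UPPER, LOWER, EMPTY = "\u2588", "\u2580", "\u2584", " "
BLOCK_CHARS = {FULL, UPPER, LOWER, EMPTY}


def finder_pattern():
    """The 7x7 QR finder pattern: black ring, white ring, black 3x3 centre."""
    return [[1 if (r in (0, 6) or c in (0, 6) or (2 <= r <= 4 and 2 <= c <= 4)) else 0
             for c in range(7)] for r in range(7)]


def constructed_module_matrix(size=21):
    """Version-1-sized layout with finder patterns in their real corners and
    deterministic filler elsewhere.  Constructed: right shape, no content."""
    m = [[1 if (r * 31 + c * 17) % 3 == 0 else 0 for c in range(size)] for r in range(size)]
    fp = finder_pattern()
    for r0, c0 in ((0, 0), (0, size - 7), (size - 7, 0)):
        for i in range(7):
            for j in range(7):
                m[r0 + i][c0 + j] = fp[i][j]
    return m


def render_half_blocks(matrix):
    """Encode two module rows per text line, the way a text QR is drawn:
    full block = both black, upper half = top black, lower half = bottom black."""
    rows = [list(r) for r in matrix]
    if len(rows) % 2:
        rows.append([0] * len(rows[0]))          # pad odd height with a white row
    lines = []
    for top, bot in zip(rows[0::2], rows[1::2]):
        lines.append("".join(FULL if t and b else UPPER if t else LOWER if b else EMPTY
                             for t, b in zip(top, bot)))
    return lines


def parse_half_blocks(lines):
    """Inverse of render_half_blocks: text lines back to a 0/1 module matrix."""
    matrix = []
    for line in lines:
        matrix.append([1 if ch in (FULL, UPPER) else 0 for ch in line])
        matrix.append([1 if ch in (FULL, LOWER) else 0 for ch in line])
    return matrix


def has_finder_at(matrix, r0, c0):
    fp = finder_pattern()
    if r0 + 7 > len(matrix) or c0 + 7 > len(matrix[0]):
        return False
    return all(matrix[r0 + i][c0 + j] == fp[i][j] for i in range(7) for j in range(7))


def find_unicode_qr(text):
    """Look for a run of lines made only of block characters that, decoded to
    modules, is a QR-sized square with finder patterns in at least two of the
    three expected corners.  Returns a summary dict or None."""
    runs, cur = [], []
    for line in text.splitlines():
        if line.strip() and set(line) <= BLOCK_CHARS:
            cur.append(line)
        elif cur:
            runs.append(cur)
            cur = []
    if cur:
        runs.append(cur)
    for run in runs:
        width = max(len(l) for l in run)
        run = [l.ljust(width) for l in run]      # restore trailing spaces mail clients may strip
        # QR symbols are 21, 25, ..., 177 modules wide (17 + 4 * version)
        if width < 21 or width > 177 or (width - 17) % 4:
            continue
        modules = parse_half_blocks(run)
        if len(modules) < width:
            continue
        corners = [(0, 0), (0, width - 7), (width - 7, 0)]
        found = sum(has_finder_at(modules, r, c) for r, c in corners)
        if found >= 2:                           # tolerate one corrupted corner
            return {"size": width, "finders": found, "lines": len(run)}
    return None
```

Run `find_unicode_qr` over the plain-text body of a message (after HTML-to-text conversion, since the block characters survive that) and treat a hit like an image QR: escalate, and decode the reconstructed module matrix with a QR library to recover the URL. Real campaigns may substitute other glyphs (shaded blocks, full-width characters), so `BLOCK_CHARS` is the first thing to widen when tuning this.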
In conclusion, QR code phishing campaigns that abuse legitimate cloud applications like Microsoft Sway show how readily attackers adapt. Individuals and organizations need to stay vigilant and layer their defenses: regular security awareness training, multifactor authentication, and threat detection that inspects images and rendered text rather than only hyperlinks all reduce the risk. One caveat matters here: because AitM kits relay one-time codes in real time, only phishing-resistant MFA (FIDO2 security keys or passkeys, whose credentials are bound to the legitimate origin) actually holds up against a campaign like this.