Quishing Campaign Abuses Microsoft Sway to Host Phishing Pages


A QR phishing campaign targeting Office 365 users in North America and Asia abuses Microsoft Sway for hosting phishing pages, Netskope reports.

Also referred to as quishing, the technique relies on sending the intended victims QR codes that take them to a malicious website, where they are asked to enter their login information or are served malware.

In the quishing campaign observed by Netskope, victims were taken to phishing pages almost identical to the legitimate Microsoft login page, to convince them to reveal their credentials.

“Attackers instruct their victims to use their mobile devices to scan the QR code in hopes that these mobile devices lack the stringent security measures typically found on corporate issued ones, ensuring unrestricted access to the phishing site,” Netskope says.

Beyond the use of QR codes, what sets these attacks apart is the abuse of Sway, a free application within Microsoft 365 that lets users share presentations with other Microsoft users. Sway pages can be shared as links or embedded into other websites as iframes.

When opening a Sway page, the victim uses the Microsoft account they are already logged into, which adds to the apparent legitimacy of the recently observed attacks.

According to Netskope, while there has been almost no malicious traffic using Microsoft Sway since the beginning of the year, the quishing campaign resulted in a 2,000-fold increase in traffic to Sway phishing pages in July. All analyzed pages targeted Microsoft 365 accounts.

The attackers were also seen relying on Cloudflare Turnstile to shield their pages from static URL scanners, and employing a transparent phishing technique, in which the HTML of the malicious page is almost identical to that of the legitimate page.


“One difference is that all Microsoft login URLs are replaced with the phishing domain, thereby collecting login credentials and logging in on behalf of the victims,” Netskope notes.

The victims’ credentials were sent either to a compromised website or to the same domain hosting the phishing site, after which the victims were redirected to a legitimate domain to avoid suspicion.

“The phishing pages described in the post are easily recognizable by the domain pattern sway.cloud.microsoft. Users can avoid becoming victims of the attacks described in this post by checking the URL,” Netskope notes.
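The two defender-side checks that follow from the description above, written as an added example rather than code from Netskope or the original article: a login page that keeps Microsoft's sign-in HTML but posts credentials to a host other than Microsoft's, and proxy requests to the sway.cloud.microsoft domain pattern. The list of legitimate sign-in hosts, the log line format, the sample HTML and the phishing hostname are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Microsoft 365 sign-in form legitimately posts to.
# Assumed set for this example; extend it for a federated tenant.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Domain pattern the report names as the giveaway for the Sway-hosted lures.
SWAY_HOST = "sway.cloud.microsoft"


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            for name, value in attrs:
                if name == "action" and value:
                    self.actions.append(value)


def classify_login_page(page_url, html):
    """Flag forms on a Microsoft-looking sign-in page that post anywhere but
    Microsoft. A 'transparent' clone keeps the genuine markup and only swaps
    the login URLs, so a relative action is resolved against the page host."""
    parser = _FormActions()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for action in parser.actions:
        host = urlparse(action).hostname or page_host
        if host not in MICROSOFT_LOGIN_HOSTS:
            findings.append(f"login form posts to {host}")
    return findings


def flag_sway_urls(log_lines):
    """Return the URLs in constructed 'timestamp user method url' proxy
    log lines whose host is the Sway domain."""
    return [line.split()[-1] for line in log_lines
            if (urlparse(line.split()[-1]).hostname or "") == SWAY_HOST]


# Constructed sample data: one Sway request among ordinary traffic, and a
# cloned sign-in form whose action points at a hypothetical phishing host.
SAMPLE_LOG = [
    "2024-07-12T09:14:02Z alice GET https://sway.cloud.microsoft/CONSTRUCTED_ID",
    "2024-07-12T09:14:40Z alice GET https://login.microsoftonline.com/common/oauth2/authorize",
    "2024-07-12T09:15:03Z bob GET https://example.com/",
]
CLONE_HTML = '<form method="post" action="https://phish.example/common/login"><input name="passwd"></form>'
```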

