Once more Cybersecurity researchers are pointing out another QR code phishing (otherwise known as quishing) effort that use Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes.
Jan Michael Alcantara, a researcher at Netskope Threat Labs, stated, “By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves.”
“Moreover, a victim uses their Microsoft 365 account that they’re already logged-into when they open a Sway page that can help persuade them about its legitimacy as well. Sway can also be shared through either a link (URL link or visual link) or embedded on a website utilizing an iframe.”
The attacks have essentially singled out clients in Asia and North America, with innovation, assembling, and finance sectors being the most sought-after sectors.
Microsoft Sway is a cloud-based device for making bulletins, introductions, and documentation. It is important for the Microsoft 365family of products since 2015.
The cybersecurity firm said it noticed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages starting July 2024 with the ultimate goal of stealing users’ Microsoft 365 credentials. This is achieved by serving bogus QR codes hosted on sway that, when scanned; redirect the users to phishing websites.
In a further endeavor to evade static analysis efforts, some of these quishing campaigns have been observed to use Cloudflare Turnstile as a method for concealing the domains from static URL scanners.
Also notable is the use of transparent phishing, also known as adversary-in-the-middle (AitM) phishing, to siphon credentials and two-factor authentication (2FA) codes from lookalike login pages and simultaneously attempt to log the victim into the service.
Michael Alcantara stated, “Defendants face some challenges when using QR codes to redirect victims to phishing websites.” Since the URL is implanted inside a picture, email scanners that can check text-based content can get circumvent.”
“Furthermore, when a client gets sent a QR code, they might utilize another gadget, like their cell phone, to filter the code. Since the safety efforts executed on cell phones, especially private PDAs, are normally not so severe as workstations and work areas, casualties are then frequently more powerless against misuse.”
This is not the first time phishing attacks have abused Microsoft Sway. In April 2020, Group-IB detailed a campaign dubbed PerSwaysion that successfully compromised corporate email accounts of at least 156 high-ranking officers at various firms based in Germany, the U.K., the Netherlands, Hong Kong, and Singapore by using Sway as the jumping board to redirect victims to credential harvesting sites.
The development occurs at a time when image-based quishing campaigns are becoming increasingly sophisticated as security vendors develop measures to block and detect them.
“In a cunning turn, attackers have now begun crafting QR codes using Unicode text characters instead of images,” SlashNext CTO J. Stephen Kowski said. “This new technique, which we’re calling ‘Unicode QR Code Phishing,’ presents a significant challenge to conventional security measures.”
What makes the attack especially hazardous is the way that it altogether bypasses detections designed to scan for suspicious images, given they are composed entirely of text characters. Furthermore, the Unicode QR codes can be rendered perfectly on screens sans any issue and look markedly different when viewed in plain text, making detection efforts even more challenging.
