Mobile users were the most vulnerable to this attack.
In July 2024, Netskope discovered a sharp increase in phishing attacks that use Microsoft Sway to steal Microsoft 365 user credentials. The 2,000-fold increase in attacks was in stark contrast to the minimal activity in the first half of the year, underscoring the scale and severity of the campaign.
The attacks were aimed primarily at users in Asia and North America, with a particular focus on representatives of the technology, manufacturing, and financial sectors. The phishing emails redirected potential victims to pages hosted on the "sway.cloud.microsoft" domain, where users were asked to scan QR codes leading to malicious sites.
Attackers took advantage of the fact that mobile devices tend to have weaker security measures than computers. This increased the likelihood of bypassing protection mechanisms and made it easier to reach the phishing sites. QR codes embedded in images also helped bypass automated email scanners that only check textual content.
Security researchers explained that users scanning QR codes using mobile devices become more vulnerable due to insufficient protection on these devices, especially when it comes to their personal smartphones.
In addition, the attackers used various tactics to improve the effectiveness of their campaign. For example, they used a transparent phishing technique that allowed them not only to steal credentials and multi-factor authentication codes, but also to show the victim the real Microsoft login page, which reduced suspicion.
To disguise their phishing pages, the attackers also used the Cloudflare Turnstile tool, which protects sites from bots. This made it possible to hide malicious content from static crawlers and maintain the reputation of the domain at a high level, avoiding blocking by filtering services such as Google Safe Browsing.
It is worth noting that Microsoft Sway was already used in similar attacks five years ago: during the PerSwaysion campaign, attackers tried to steal Office 365 credentials using a phishing kit offered under the malware-as-a-service model. At least 156 high-ranking officials from financial and legal companies, as well as real estate agencies, in several countries, including the United States, Canada, Germany and the United Kingdom, were affected.
The latest wave of attacks once again highlights the need for increased attention to security and caution when interacting with suspicious emails and links, especially those that require scanning QR codes.
Source
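Because the QR code sits on the Sway page rather than in the email, a mail filter sees only a link to a Microsoft domain. The following is an added example, not part of the original post: a triage helper that surfaces links to "sway.cloud.microsoft" in a message for review, matching on the parsed hostname so that lookalike hosts are not counted. The function names and the sample message are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

SWAY_HOST = "sway.cloud.microsoft"  # hosting domain named in the article
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

class _Hrefs(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.urls += [v for k, v in attrs if k == "href" and v]

def is_sway(url):
    # Compare the parsed hostname; a substring test would also match
    # "sway.cloud.microsoft.evil.example" or "sway.cloud.microsoft@evil.example".
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    return host.rstrip(".").lower() == SWAY_HOST

def sway_links(raw_message):
    """Return the sorted Sway-hosted URLs found in text and HTML parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        urls = URL_RE.findall(body)
        if ctype == "text/html":
            parser = _Hrefs()
            parser.feed(body)
            urls += parser.urls
        found.update(u for u in urls if is_sway(u))
    return sorted(found)

# Constructed sample: one real Sway host and two lookalikes.
SAMPLE = ('From: a@example.com\nTo: b@example.org\nSubject: Review\n'
    'MIME-Version: 1.0\nContent-Type: multipart/alternative; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nhttps://sway.cloud.microsoft.evil.example/s/x\n'
    '--b1\nContent-Type: text/html\n\n<a href="https://SWAY.cloud.microsoft/s/CONSTRUCTED">Open</a>\n'
    '<a href="https://sway.cloud.microsoft@evil.example/s/y">mirror</a>\n--b1--\n')
```

A hit only means the message links to a Sway page; Sway is a legitimate service, so results are a queue for review, not a verdict.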