Cybersecurity researchers are calling consideration to a brand new QR code phishing (aka quishing) marketing campaign that leverages Microsoft Sway infrastructure to host faux pages, as soon as once more highlighting the abuse of respectable cloud choices for malicious functions.
“Through the use of respectable cloud purposes, attackers present credibility to victims, serving to them to belief the content material it serves,” Netskope Risk Labs researcher Jan Michael Alcantara mentioned.
“Moreover, a sufferer makes use of their Microsoft 365 account that they are already logged-into once they open a Sway web page, that may assist persuade them about its legitimacy as nicely. Sway can be shared by way of both a hyperlink (URL hyperlink or visible hyperlink) or embedded on a web site utilizing an iframe.”
The assaults have primarily singled out customers in Asia and North America, with know-how, manufacturing, and finance sectors being essentially the most sought-after sectors.
Microsoft Sway is a cloud-based software for creating newsletters, displays, and documentation. It’s a part of the Microsoft 365 household of merchandise since 2015.
The cybersecurity agency mentioned it noticed a 2,000-fold enhance in site visitors to distinctive Microsoft Sway phishing pages beginning July 2024 with the last word purpose of stealing customers’ Microsoft 365 credentials. That is achieved by serving bogus QR codes hosted on Sway that, when scanned, redirect the customers to phishing web sites.
In an extra try and evade static evaluation efforts, a few of these quishing campaigns have been noticed to make use of Cloudflare Turnstile as a strategy to disguise the domains from static URL scanners.
The exercise can also be notable for leveraging adversary-in-the-middle (AitM) phishing ways – i.e., clear phishing – to siphon credentials and two-factor authentication (2FA) codes utilizing lookalike login pages, whereas concurrently making an attempt to log the sufferer into the service.
“Utilizing QR codes to redirect victims to phishing web sites poses some challenges to defenders,” Michael Alcantara mentioned. “For the reason that URL is embedded inside a picture, e-mail scanners that may solely scan text-based content material can get bypassed.”
“Moreover, when a consumer will get despatched a QR code, they could use one other gadget, corresponding to their cell phone, to scan the code. For the reason that security measures applied on cellular gadgets, significantly private cell telephones, are sometimes not as stringent as laptops and desktops, victims are then typically extra weak to abuse.”
This isn’t the primary time phishing assaults have abused Microsoft Sway. In April 2020, Group-IB detailed a marketing campaign dubbed PerSwaysion that efficiently compromised company e-mail accounts of not less than 156 high-ranking officers at varied companies based mostly in Germany, the U.Ok., the Netherlands, Hong Kong, and Singapore by utilizing Sway because the leaping board to redirect victims to credential harvesting websites.
The event comes as quishing campaigns are getting extra subtle as security distributors develop countermeasures to detect and block such image-based threats.
“In a intelligent twist, attackers have now begun crafting QR codes utilizing Unicode textual content characters as a substitute of pictures,” SlashNext CTO J. Stephen Kowski mentioned. “This new approach, which we’re calling ‘Unicode QR Code Phishing,’ presents a big problem to traditional security measures.”
What makes the assault significantly harmful is the truth that it completely bypasses detections designed to scan for suspicious pictures, given they’re composed completely of textual content characters. Moreover, the Unicode QR codes could be rendered completely on screens sans any difficulty and look markedly totally different when considered in plain textual content, additional complicating detection efforts.
