
New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials


Aug 28, 2024 | Ravie Lakshmanan | Phishing Attack / Data Breach


Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes.

“By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves,” Netskope Threat Labs researcher Jan Michael Alcantara said.

“Additionally, a victim uses their Microsoft 365 account that they’re already logged into when they open a Sway page, that can help persuade them about its legitimacy as well. Sway can also be shared through either a link (URL link or visual link) or embedded on a website using an iframe.”

The attacks have primarily singled out users in Asia and North America, with the technology, manufacturing, and finance sectors being the most sought-after.


Microsoft Sway is a cloud-based tool for creating newsletters, presentations, and documentation. It has been part of the Microsoft 365 family of products since 2015.

The cybersecurity firm said it observed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages starting July 2024 with the ultimate goal of stealing users’ Microsoft 365 credentials. This is achieved by serving bogus QR codes hosted on Sway that, when scanned, redirect the users to phishing websites.

In a further attempt to evade static analysis efforts, some of these quishing campaigns have been observed to use Cloudflare Turnstile as a way to hide the domains from static URL scanners.

The activity is also notable for leveraging adversary-in-the-middle (AitM) phishing tactics – i.e., transparent phishing – to siphon credentials and two-factor authentication (2FA) codes using lookalike login pages, while simultaneously attempting to log the victim into the service.

“Using QR codes to redirect victims to phishing websites poses some challenges to defenders,” Michael Alcantara said. “Since the URL is embedded inside an image, email scanners that can only scan text-based content can get bypassed.”

“Additionally, when a user gets sent a QR code, they may use another device, such as their mobile phone, to scan the code. Since the security measures implemented on mobile devices, particularly personal cell phones, are typically not as stringent as laptops and desktops, victims are then often more vulnerable to abuse.”

This is not the first time phishing attacks have abused Microsoft Sway. In April 2020, Group-IB detailed a campaign dubbed PerSwaysion that successfully compromised corporate email accounts of at least 156 high-ranking officers at various companies based in Germany, the U.K., the Netherlands, Hong Kong, and Singapore by using Sway as the jumping board to redirect victims to credential harvesting sites.


The development comes as quishing campaigns are getting more sophisticated as security vendors develop countermeasures to detect and block such image-based threats.

“In a clever twist, attackers have now begun crafting QR codes using Unicode text characters instead of images,” SlashNext CTO J. Stephen Kowski said. “This new technique, which we’re calling ‘Unicode QR Code Phishing,’ presents a significant challenge to conventional security measures.”

What makes the attack particularly dangerous is the fact that it entirely bypasses detections designed to scan for suspicious images, given the codes are composed entirely of text characters. Furthermore, the Unicode QR codes can be rendered perfectly on screens sans any issue and look markedly different when viewed in plain text, further complicating detection efforts.
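
For defenders, one way to catch such text-drawn codes is to look in the message body for a tall, wide run of lines made up almost entirely of block-drawing characters. The Python below is an added example, not code from the article, Netskope or SlashNext; it assumes the codes are drawn with Unicode Block Elements (U+2580 to U+259F), and its thresholds, function names and sample body are constructed for illustration.

```python
# Assumption: text-drawn QR codes use Unicode Block Elements (U+2580-U+259F);
# the article does not say which characters the attackers used.
BLOCKS = {chr(c) for c in range(0x2580, 0x25A0)}
BLANKS = {" ", "\u00a0"}
MIN_WIDTH = 21  # smallest QR symbol (version 1) is 21x21 modules
MIN_ROWS = 10   # half-block glyphs pack two module rows into one text line


def is_grid_row(line):
    """True if a line is wide enough and holds only blocks and blanks."""
    row = line.rstrip("\r\n")
    if len(row) < MIN_WIDTH:
        return False
    blocks = sum(ch in BLOCKS for ch in row)
    blanks = sum(ch in BLANKS for ch in row)
    # Require some ink so runs of plain spaces are not counted as a grid.
    return blocks + blanks == len(row) and blocks >= len(row) // 4


def find_text_qr(body):
    """Return (first_line, row_count) for each suspected text-drawn QR grid."""
    hits, start, run = [], 0, 0
    # The trailing "" sentinel flushes a grid that ends the message.
    for i, line in enumerate(body.splitlines() + [""]):
        if is_grid_row(line):
            if run == 0:
                start = i + 1  # 1-based line number
            run += 1
            continue
        if run >= MIN_ROWS:
            hits.append((start, run))
        run = 0
    return hits


def constructed_sample():
    """Constructed message body: 21x11 block grid, not a scannable QR code."""
    glyphs = "\u2588\u2580\u2584 "
    grid = ["".join(glyphs[(r + c * (c + 1) // 2) % 4] for c in range(21))
            for r in range(11)]
    lines = ["Scan to re-verify your mailbox:", ""] + grid + ["", "IT Helpdesk"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(find_text_qr(constructed_sample()))
```

A hit marks the message for further triage, since banners and progress bars drawn with the same characters can also match.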
