Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes.
“By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves,” Netskope Threat Labs researcher Jan Michael Alcantara said.
“Additionally, a victim uses their Microsoft 365 account that they’re already logged into when they open a Sway page, that can help persuade them about its legitimacy as well. Sway can also be shared through either a link (URL link or visual link) or embedded on a website using an iframe.”
The attacks have primarily singled out users in Asia and North America, with the technology, manufacturing, and finance sectors being the most heavily targeted.
Microsoft Sway is a cloud-based tool for creating newsletters, presentations, and documentation. It has been part of the Microsoft 365 family of products since 2015.
The cybersecurity firm said it observed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages starting July 2024, with the ultimate goal of stealing users’ Microsoft 365 credentials. This is achieved by serving bogus QR codes hosted on Sway that, when scanned, redirect users to phishing websites.
In a further attempt to evade static analysis, some of these quishing campaigns have been observed using Cloudflare Turnstile as a way to hide the phishing domains from static URL scanners.
The activity is also notable for leveraging adversary-in-the-middle (AitM) phishing tactics, i.e., transparent phishing, to siphon credentials and two-factor authentication (2FA) codes using lookalike login pages, while simultaneously attempting to log the victim into the real service.
“Using QR codes to redirect victims to phishing websites poses some challenges to defenders,” Michael Alcantara said. “Since the URL is embedded inside an image, email scanners that can only scan text-based content can get bypassed.”
“Additionally, when a user gets sent a QR code, they may use another device, such as their mobile phone, to scan the code. Since the security measures implemented on mobile devices, particularly personal cell phones, are typically not as stringent as laptops and desktops, victims are then often more vulnerable to abuse.”
This isn’t the first time phishing attacks have abused Microsoft Sway. In April 2020, Group-IB detailed a campaign dubbed PerSwaysion that successfully compromised corporate email accounts of at least 156 high-ranking officers at various companies based in Germany, the U.K., the Netherlands, Hong Kong, and Singapore by using Sway as the jumping-off point to redirect victims to credential harvesting sites.
The development comes as quishing campaigns are getting more sophisticated as security vendors develop countermeasures to detect and block such image-based threats.
“In a clever twist, attackers have now begun crafting QR codes using Unicode text characters instead of images,” SlashNext CTO J. Stephen Kowski said. “This new technique, which we’re calling ‘Unicode QR Code Phishing,’ presents a significant challenge to conventional security measures.”
What makes the attack particularly dangerous is the fact that it completely bypasses detections designed to scan for suspicious images, since the codes are composed entirely of text characters. Furthermore, the Unicode QR codes can be rendered perfectly on screens without any issue, yet look markedly different when viewed in plain text, further complicating detection efforts.
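The text-only rendering described above is also what makes Unicode QR codes detectable in the one channel image scanners miss: the raw message body. The following is an added example, not code from the article, Netskope or SlashNext, of a heuristic mail-filter check that flags runs of Unicode Block Element characters large enough to form a QR symbol; the thresholds, the lure keyword list and the sample emails are constructed for illustration.

```python
# Added example, not from the article: heuristic detection of QR codes drawn with
# Unicode block characters in plain-text email bodies. Thresholds and sample
# emails are constructed assumptions for illustration.

# Text-rendered QR codes are built from Block Elements (U+2580..U+259F); spaces,
# no-break spaces and ideographic spaces stand in for the white modules.
BLOCK_CHARS = {chr(c) for c in range(0x2580, 0x25A0)}
WHITE_CHARS = {" ", "\u00a0", "\u3000"}
MIN_WIDTH = 21   # smallest QR symbol is 21 modules wide (assumes one char per module)
MIN_ROWS = 11    # half-block rendering packs two module rows per text line: 21 -> 11


def is_grid_line(line: str) -> bool:
    """True when a line consists only of block/white characters and is QR-sized."""
    text = line.rstrip("\r\n")
    if len(text) < MIN_WIDTH:
        return False
    has_block = any(ch in BLOCK_CHARS for ch in text)
    return has_block and all(ch in BLOCK_CHARS or ch in WHITE_CHARS for ch in text)


def find_text_qr_blocks(body: str) -> list[tuple[int, int]]:
    """Return (first_line, last_line) spans of consecutive grid lines tall enough for a QR code."""
    spans, start = [], None
    for i, line in enumerate(body.splitlines() + [""]):  # sentinel flushes a trailing run
        if is_grid_line(line):
            start = i if start is None else start
        elif start is not None:
            if i - start >= MIN_ROWS:
                spans.append((start, i - 1))
            start = None
    return spans


def scan_email(body: str) -> dict:
    """Verdict a mail filter could act on: text QR present plus scan-to-login lure wording."""
    blocks = find_text_qr_blocks(body)
    lure = any(w in body.lower() for w in ("scan", "qr", "mfa", "authenticator", "password"))
    return {"text_qr_blocks": blocks, "lure_wording": lure,
            "verdict": "suspicious" if blocks else "clean"}


# Constructed samples: one ordinary mail, one carrying a 25x12 block-character grid.
BENIGN_EMAIL = "Hi team,\nThe Q3 deck is attached, comments welcome.\nThanks"
_GRID = "\n".join(("█▄▀ ▀█▄ " * 4)[:25] for _ in range(12))
SUSPECT_EMAIL = ("Your MFA enrolment is expiring.\nScan the code below to keep access:\n\n"
                 + _GRID + "\n\nThanks, IT")

if __name__ == "__main__":
    print(scan_email(BENIGN_EMAIL))
    print(scan_email(SUSPECT_EMAIL))
```

A flagged span can be rendered to an image and passed to a regular QR decoder so the embedded URL gets the same reputation checks as a text link.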