New QR Code Phishing Campaign Abuses Microsoft Sway to Steal Credentials
Cybersecurity researchers are drawing attention to a new QR code phishing (also known as quishing) campaign that abuses Microsoft Sway to host fake pages, once again demonstrating how legitimate cloud services are misused for malicious ends.
“Through the use of legitimate cloud tools, attackers lend an air of authenticity to victims, making them more likely to trust the content being presented,” said Jan Michael Alcantara, a researcher at Netskope Threat Labs.
“Furthermore, victims are more inclined to believe in the legitimacy of a Sway page when accessed via their already logged-in Microsoft 365 account. Sway can also be distributed through a hyperlink (URL link or visual link) or incorporated into a website utilizing an iframe.”
The attacks have primarily targeted users in Asia and North America, with the technology, manufacturing, and finance sectors being the main targets.
Microsoft Sway is a cloud-based tool for creating newsletters, presentations, and documents. It has been part of the Microsoft 365 product suite since 2015.
The cybersecurity company observed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages starting in July 2024, with the primary goal of stealing users’ Microsoft 365 credentials. This is achieved by serving malicious QR codes hosted on Sway that, when scanned, redirect users to phishing websites.
To evade static analysis, some quishing campaigns have used Cloudflare Turnstile to hide the phishing domains from static URL scanners.
The campaign is also notable for using adversary-in-the-middle (AitM) phishing techniques, also known as transparent phishing, to steal credentials and two-factor authentication (2FA) codes via fake login pages while simultaneously attempting to log the target in to the service.
Alcantara said, “Leveraging QR codes to reroute victims to deceptive websites poses some challenges to defenders. Since the URL is embedded within an image, email scanners restricted to scrutinizing text-based content can be circumvented.”
“Moreover, when a user is sent a QR code, they may opt to use another device, such as their mobile phone, to scan the code. Given that security protocols on mobile devices, especially personal smartphones, are generally not as stringent compared to laptops and desktops, victims are consequently more susceptible to exploitation.”
This is not the first time phishing attacks have abused Microsoft Sway. In April 2020, Group-IB described a campaign dubbed PerSwaysion that compromised the corporate email accounts of at least 156 senior officers at various firms in Germany, the U.K., the Netherlands, Hong Kong, and Singapore, using Sway to redirect victims to credential-harvesting websites.

The development comes as quishing campaigns become more sophisticated while security vendors develop countermeasures to detect and block such image-based threats.
“In a cunning twist, hackers have recently begun constructing QR codes using Unicode text elements instead of images,” said J. Stephen Kowski, CTO of SlashNext. “This fresh tactic, known as ‘Unicode QR Code Phishing,’ presents a substantive obstacle to conventional security measures.”
What makes the threat more dangerous is that it can completely bypass detections designed to scan for suspicious images, because the code is made entirely of text characters. Furthermore, Unicode QR codes render perfectly on screens and appear strikingly different when viewed as plain text, adding yet another layer of complexity to detection efforts.
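Because a text-drawn QR code is invisible to image scanners, one defensive response is to inspect the message text itself for a dense, square-ish grid of Unicode block-element characters and route such messages to quarantine or to a QR decoder for review. The heuristic below is an added example written for this article; it is not code from Netskope, SlashNext or Microsoft. The sample messages, the block-character list and the thresholds (minimum rows, block-character ratio, width tolerance) are all constructed assumptions and should be tuned against real mail traffic.

```python
"""Heuristic detector for QR codes drawn with Unicode block characters in e-mail text.

Added example for illustration; not vendor code. Sample messages are constructed.
"""

# Block-element characters (U+2580..U+259F) commonly used to draw QR modules as text.
# Assumption: this list covers the shapes seen in text-rendered QR codes.
BLOCK_CHARS = set("\u2588\u2580\u2584\u258c\u2590\u2591\u2592\u2593"
                  "\u2596\u2597\u2598\u259d\u2599\u259a\u259b\u259c\u259e\u259f")
# Characters that can stand in for "light" modules inside a grid row.
WHITE_CHARS = set(" \u00a0\u3000")
_STRIP = " \t\u00a0\u3000"


def block_ratio(line: str) -> float:
    """Fraction of a line (ignoring indentation) made of QR-like module characters."""
    core = line.strip(_STRIP)
    if not core:
        return 0.0
    return sum(ch in BLOCK_CHARS or ch in WHITE_CHARS for ch in core) / len(core)


def find_text_qr_candidates(body: str, min_rows: int = 10,
                            min_ratio: float = 0.9, width_tolerance: float = 0.6):
    """Return runs of consecutive lines that look like a text-drawn QR grid.

    A run qualifies when it has at least `min_rows` lines, each made (almost)
    entirely of block/white characters, and the row widths are roughly uniform.
    Note: half-block drawings (\u2580 \u2584 \u2588) pack two module rows per text
    line, so `rows` may be about half the QR version's module count.
    """
    lines = body.splitlines()
    candidates = []
    start = None
    for idx, line in enumerate(lines + [""]):  # sentinel closes a trailing run
        is_grid_line = block_ratio(line) >= min_ratio
        if is_grid_line and start is None:
            start = idx
        elif not is_grid_line and start is not None:
            run = [l.strip(_STRIP) for l in lines[start:idx]]
            widths = [len(l) for l in run]
            if len(run) >= min_rows and min(widths) >= width_tolerance * max(widths):
                candidates.append({"start_line": start, "end_line": idx - 1,
                                   "rows": len(run), "cols": max(widths)})
            start = None
    return candidates


def scan_message(body: str) -> dict:
    """Wrap the heuristic in a verdict a mail pipeline can act on (e.g. quarantine)."""
    grids = find_text_qr_candidates(body)
    return {"flagged": bool(grids), "grids": grids}


def _constructed_grid(size: int = 21, seed: int = 7) -> str:
    """Deterministic 21x21 block-character grid for the constructed sample.

    This is NOT a real QR encoding; it only mimics the visual shape of one.
    """
    rows, state = [], seed
    for _ in range(size):
        row = []
        for _ in range(size):
            state = (state * 1103515245 + 12345) % 2**31  # simple LCG
            row.append("\u2588" if (state >> 16) & 1 else "\u2591")
        rows.append("".join(row))
    return "\n".join(rows)


# Constructed sample messages (not captured from any real campaign).
SUSPICIOUS_SAMPLE = (
    "Your Microsoft 365 password expires today.\n"
    "Scan the code below to keep your account active:\n\n"
    + _constructed_grid() +
    "\n\nIT Service Desk\n"
)
BENIGN_SAMPLE = (
    "Hi team,\n\n| Host | Status |\n|------|--------|\n| web1 | ok |\n\n=== end ===\n"
)

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_message(body))
```

Run as a script it prints one verdict per sample: the message containing the 21-row grid is flagged with its line range, and the one containing an ASCII table and separator lines is not. In a real pipeline the flagged region would be rasterized and passed to a QR decoder so the embedded URL can be checked like any other link; that decoding step is outside this example.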