Severity
High
Analysis Summary
Researchers are alerting the public to a new campaign of QR code phishing, often known as quishing, which uses Microsoft Sway infrastructure to host phony websites. This underscores the misuse of trustworthy cloud services for malicious intent.
The researchers stated in a report, “By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves.”
A victim is also more likely to accept a Sway page as legitimate because they are already signed in to Microsoft 365 when it opens. In addition, a Sway can be shared as a link (a URL or a visual link) or through an iframe embedded in another website. The most targeted sectors have been technology, manufacturing, and finance, with a focus on users in North America and Asia.
Microsoft Sway is a cloud-based application for producing documentation, presentations, and newsletters, and has been part of the Microsoft 365 product family since 2015. According to the researchers, traffic to specific Microsoft Sway phishing URLs increased by 2,000 times starting in July 2024. The ultimate goal of these attempts is to obtain users' Microsoft 365 credentials, which is done by hosting malicious QR codes on Sway pages that lead visitors to phishing websites when scanned.
Some of these quishing attempts have been observed using Cloudflare Turnstile to hide the phishing domains from static URL scanners, a further effort to evade static analysis. The operation is also noteworthy for its use of adversary-in-the-middle (AitM) phishing, also known as transparent phishing: the phony login page relays the victim's sign-in to the real service while capturing the password and the two-factor authentication (2FA) code at the same time.
Defenders face particular difficulties when victims are redirected to phishing websites via QR codes. Email scanners that only inspect text-based content cannot see the URL, because it is encoded inside an image. A user may also scan the QR code with a different device, typically their smartphone, rather than the machine that received the email. Victims are frequently more exposed because security controls on mobile devices, especially personal phones, are often weaker than those on laptops and desktop computers.
Microsoft Sway has been abused for phishing before. Published details of a campaign from April 2020, called PerSwaysion, describe Sway being used as a springboard to send victims to credential-harvesting websites, which led to the compromise of corporate email accounts belonging to at least 156 high-ranking officers at companies located in Germany, the U.K., the Netherlands, Hong Kong, and Singapore. The current development coincides with the growing sophistication of quishing operations as security providers build countermeasures to identify and block such image-based threats.
Attackers have recently started building QR codes out of Unicode text characters rather than images, a notable twist. This tactic, dubbed "Unicode QR Code Phishing", poses a serious challenge to established security controls: because the attack uses text characters rather than an image, it completely evades detections that look for suspicious images. Moreover, a Unicode QR code looks quite different when viewed as plain text yet may render flawlessly on screen, which further complicates detection.
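One defensive heuristic for the text-rendered QR codes described above is to look for what they cannot avoid: a tall, roughly square run of lines made almost entirely of Unicode Block Elements (U+2580 to U+259F) and spaces. The following detector is an added example, not code from the advisory; the sample messages and the grid pattern are constructed and are not a real, scannable QR code.

```python
# Added example (not from the advisory): heuristic detection of "Unicode QR
# codes", i.e. QR codes drawn with Block Elements characters instead of an
# image, which text-only email scanners would otherwise pass straight through.
BLOCK_CHARS = {chr(c) for c in range(0x2580, 0x25A0)}   # U+2580..U+259F
SPACES = {" ", "\u00a0", "\u3000"}

def is_grid_line(line, min_len=15):
    """A QR 'row' rendered as text: long enough, almost only blocks/spaces."""
    s = line.rstrip("\r\n")
    if len(s) < min_len:
        return False
    blocks = sum(ch in BLOCK_CHARS for ch in s)
    spaces = sum(ch in SPACES for ch in s)
    return blocks >= 3 and (blocks + spaces) / len(s) >= 0.95

def find_unicode_qr(text, min_rows=10, width_tol=4):
    """Return (first_line_no, row_count, width) for each run of >= min_rows
    consecutive grid lines of roughly equal width (a square-ish text grid)."""
    lines = text.splitlines()
    hits, i = [], 0
    while i < len(lines):
        if not is_grid_line(lines[i]):
            i += 1
            continue
        width, j = len(lines[i].rstrip("\r\n")), i
        while j < len(lines) and is_grid_line(lines[j]) \
                and abs(len(lines[j].rstrip("\r\n")) - width) <= width_tol:
            j += 1
        if j - i >= min_rows:
            hits.append((i + 1, j - i, width))
        i = j
    return hits

def fake_text_qr(n=21):
    """Constructed test pattern (NOT a real QR code): an n x n grid of
    double-width full blocks and spaces, as a quishing mail might carry."""
    return "\n".join("".join("\u2588\u2588" if (2 * r + c) % 5 < 3 else "  "
                             for c in range(n)) for r in range(n))

# Constructed sample messages for the demo (not real campaign content).
SUSPICIOUS_MAIL = ("Your Microsoft 365 password expires today.\n"
                   "Scan the code below to keep your account active:\n\n"
                   + fake_text_qr() + "\n\nIT Support")
CLEAN_MAIL = ("Hi team,\n" + "\u2500" * 40 + "\nMinutes attached.\n"
              + "\u2500" * 40 + "\nThanks")   # box-drawing rules, not blocks

if __name__ == "__main__":
    for name, mail in (("suspicious", SUSPICIOUS_MAIL), ("clean", CLEAN_MAIL)):
        print(name, find_unicode_qr(mail))
```

A hit is a reason to quarantine or route the message for manual review, not proof of phishing; tune `min_rows` and `min_len` against your own mail corpus to keep ASCII-art signatures and tables from tripping it.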
Impact
- Sensitive Data Theft
- Unauthorized Access
- Security Bypass
Indicators of Compromise
Domain Name
- login.msofficeopt.nl
- gdu.msofficeopt.nl
- msntntion0.cfd
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement advanced email filtering and security solutions capable of detecting and blocking phishing emails, even those with QR codes.
- Configure email systems to block or quarantine emails containing suspicious attachments, especially those with executable files or embedded URLs.
- Educate employees about the importance of verifying the destination URL before scanning QR codes, especially in emails or messages from unknown sources.
- Encourage the use of QR code scanning apps that provide URL previews or other security features to help users make informed decisions.
- Enforce MFA for accessing sensitive accounts and systems, such as Microsoft 365 or other critical services.
- Ensure that all software, including operating systems, web browsers, and security software, is kept up to date with the latest security patches and updates to address vulnerabilities that attackers may exploit.
- Develop and maintain a comprehensive incident response plan that outlines the steps to take in the event of a phishing attack. This plan should include communication protocols, containment measures, and recovery strategies.
- Conduct regular security audits and penetration testing to identify vulnerabilities in your organization's systems and processes.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don't lose any critical information in the event of a malware infection or other data loss event.
- Utilize web filtering solutions and URL reputation services to block access to known malicious websites and prevent users from visiting potentially dangerous links.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to quickly respond to and mitigate any potential breaches.