Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes.
"By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves," Netskope Threat Labs researcher Jan Michael Alcantara said.
"Additionally, a victim uses their Microsoft 365 account that they're already logged into when they open a Sway page, which can help persuade them about its legitimacy as well. Sway can also be shared through either a link (URL link or visual link) or embedded on a website using an iframe."
The attacks have primarily singled out users in Asia and North America, with technology, manufacturing, and finance being the most targeted sectors.
Microsoft Sway is a cloud-based tool for creating newsletters, presentations, and documentation. It has been part of the Microsoft 365 family of products since 2015.
The cybersecurity firm said it observed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages starting July 2024, with the ultimate goal of stealing users' Microsoft 365 credentials. This is accomplished by serving bogus QR codes hosted on Sway that, when scanned, redirect the users to phishing websites.
In a further attempt to evade static analysis efforts, some of these quishing campaigns have been observed to use Cloudflare Turnstile as a way to hide the domains from static URL scanners.
The activity is also notable for leveraging adversary-in-the-middle (AitM) phishing tactics – i.e., transparent phishing – to siphon credentials and two-factor authentication (2FA) codes using lookalike login pages, while simultaneously attempting to log the victim into the service.
"Using QR codes to redirect victims to phishing websites poses some challenges to defenders," Michael Alcantara said. "Since the URL is embedded within an image, email scanners that can only scan text-based content can get bypassed."
"Additionally, when a user gets sent a QR code, they may use another device, such as their mobile phone, to scan the code. Since the security measures implemented on mobile devices, particularly personal cell phones, are often not as stringent as laptops and desktops, victims are then often more vulnerable to abuse."
This isn't the first time phishing attacks have abused Microsoft Sway. In April 2020, Group-IB detailed a campaign dubbed PerSwaysion that successfully compromised corporate email accounts of at least 156 high-ranking officers at various firms based in Germany, the U.K., the Netherlands, Hong Kong, and Singapore by using Sway as the jumping board to redirect victims to credential harvesting sites.
The development comes as quishing campaigns are getting more sophisticated as security vendors develop countermeasures to detect and block such image-based threats.
"In a clever twist, attackers have now begun crafting QR codes using Unicode text characters instead of images," SlashNext CTO J. Stephen Kowski said. "This new technique, which we're calling 'Unicode QR Code Phishing,' presents a significant challenge to conventional security measures."
What makes the attack particularly dangerous is the fact that it completely bypasses detections designed to scan for suspicious images, given they're composed entirely of text characters. Additionally, the Unicode QR codes can be rendered perfectly on screens without any issue and look markedly different when viewed in plain text, further complicating detection efforts.
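As an added example (not code from the article, Netskope or SlashNext), the Python heuristic below gives a text-only scanner something to flag for the Unicode QR technique described above: it searches an email body for runs of lines dense in Unicode Block Elements (U+2580 to U+259F), the characters used to draw QR modules as text. The sample message and grid are constructed for the example and the grid is not a scannable code.

```python
"""Heuristic detector for QR codes rendered as Unicode text (added example,
not code from the article, Netskope or SlashNext)."""

# Unicode "Block Elements": FULL BLOCK, UPPER/LOWER HALF BLOCK, shades, etc.
BLOCK_CHARS = {chr(cp) for cp in range(0x2580, 0x25A0)}

def row_stats(line: str) -> tuple[int, float]:
    """Return (number of block chars, share of non-space chars that are blocks)."""
    visible = [c for c in line if not c.isspace()]
    blocks = sum(c in BLOCK_CHARS for c in visible)
    return blocks, (blocks / len(visible) if visible else 0.0)

def find_text_qr_candidates(body: str, min_rows: int = 10,
                            min_blocks: int = 8, min_ratio: float = 0.8) -> list:
    """Return (first_line, last_line, width) for each run of at least min_rows
    consecutive lines that each hold min_blocks+ block chars and whose visible
    characters are at least min_ratio block chars. Light modules are often
    spaces, so width is measured after stripping trailing whitespace only."""
    lines = body.splitlines()
    hits, start, widths = [], None, []
    for i, line in enumerate(lines + [""]):  # sentinel flushes a trailing run
        blocks, ratio = row_stats(line)
        if blocks >= min_blocks and ratio >= min_ratio:
            if start is None:
                start = i
            widths.append(len(line.rstrip()))
            continue
        if start is not None and len(widths) >= min_rows:
            hits.append((start, i - 1, max(widths)))
        start, widths = None, []
    return hits

def _fake_grid(rows: int = 12, width: int = 21) -> str:
    """Constructed sample: a deterministic grid of block/space cells shaped like
    a text-rendered QR code. It is NOT a scannable code."""
    cells = {0: " ", 1: "\u2584", 2: "\u2588", 3: "\u2588", 4: "\u2580"}
    return "\n".join("".join(cells[(7 * r + 3 * c) % 5] for c in range(width))
                     for r in range(rows))

# Constructed phishing-style message wrapping the fake grid (lines 4..15).
SAMPLE_EMAIL = ("Hi,\n\nYour mailbox is full. Scan the code to keep your account:\n\n"
                + _fake_grid() + "\n\nThanks,\nIT Support")

if __name__ == "__main__":
    print(find_text_qr_candidates(SAMPLE_EMAIL))  # [(4, 15, 21)]
```

A flagged run can be passed on for manual review or re-rendered to an image and fed to an ordinary QR decoder, which turns the text-only blind spot into the same URL check applied to image QR codes.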