Threat actors leverage Microsoft Sway to orchestrate QR code phishing campaigns


A new report from cybersecurity firm Netskope details attack campaigns that abuse Microsoft Sway and Cloudflare Turnstile and use QR codes to trick users into entering their Microsoft Office credentials on a phishing page.

These campaigns have targeted victims in Asia and North America across multiple segments led by technology, manufacturing and finance.

What is quishing?

QR codes are a convenient way to navigate websites or access information without having to enter a URL on a smartphone. However, their use comes with a risk: cybercriminals can abuse them to lead victims to malicious content.

This technique, called “quishing,” redirects victims to malicious websites or entices them to download harmful content by scanning a QR code. Once the victim is on the site, the criminals work to steal personal and financial information. A QR code cannot be read by eye, so the user has no way of knowing where it leads until a scanner decodes it.

Thomas Damonneville, director of anti-phishing firm StalkPhish, told TechRepublic that quishing “is a growing trend” that “is very easy to use and makes it harder to verify whether content is legitimate.”

Quishing attacks via Microsoft Sway

In July 2024, Netskope Threat Labs discovered that traffic to phishing pages via Microsoft Sway had increased 2000-fold. Most malicious pages used QR codes.

Microsoft Sway-exclusive phishing page. Image: Netskope

Microsoft Sway is a free online Microsoft Office application for creating presentations and other web-based content. That makes it attractive for abuse: attackers can host pages at no cost on a legitimate Microsoft domain, which lends the pages credibility.

In the attack campaigns exposed by Netskope researcher Jan Michael Alcantara, victims are targeted with Microsoft Sway pages that lead to phishing attempts to obtain Microsoft Office credentials.

Example of a Sway page containing a malicious QR code that leads to a phishing URL. Image: Netskope

Netskope's research does not mention how the fraudulent links were sent to victims. However, it is possible to spread such links via email, social media, SMS or instant messaging software.

The final payload mimics the legitimate Microsoft Office login page, as shown in a May 2024 post by the same researcher.

The final payload displays a fake Microsoft Office login page. Image: Netskope

Stealthier Attack with Cloudflare Turnstile

Cloudflare Turnstile is a free CAPTCHA alternative, and it was used in the campaigns Netskope reported. The legitimate service lets website owners add a short Turnstile snippet to their pages so that visitors click a verification checkbox instead of solving a captcha.

Cloudflare Turnstile snippet. Image: Cloudflare

From an attacker's perspective, the free tool is attractive because a user must pass the Turnstile challenge before being redirected to the phishing page. Automated URL scanners that fetch the link never pass the challenge, so they never see the final phishing payload and may rate the page as harmless; the challenge also slows manual analysis.
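The practical consequence for a URL scanner is that a challenge page is an inconclusive result, not a clean one. The following check, an added example that is neither Netskope's nor Cloudflare's code, runs over fetched HTML and refuses to report "clean" when the page is gated by a Turnstile widget and shows no credential form. The Turnstile markers it looks for are the public embed snippet (api.js served from challenges.cloudflare.com and a div with class cf-turnstile); the three sample pages are constructed for the demonstration, and the site key in them is a placeholder.

```python
"""Scanner-side check for challenge-gated pages (added example, not code from
Netskope or Cloudflare). Assumes the scanner has already fetched the HTML that
the decoded QR URL resolves to. Sample pages below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TURNSTILE_SCRIPT_HOST = "challenges.cloudflare.com"
TURNSTILE_WIDGET_CLASS = "cf-turnstile"
# Inline JS that navigates away once the challenge is solved.
REDIRECT_RE = re.compile(r"(window\.|document\.)?location(\.href)?\s*=|location\.(replace|assign)\(")


class _PageScan(HTMLParser):
    """Collects the few indicators the verdict needs; no rendering, no JS execution."""

    def __init__(self):
        super().__init__()
        self.turnstile_script = False
        self.turnstile_widget = False
        self.redirect_callback = None   # data-callback attribute of the widget, if any
        self.inline_redirect = False    # an inline script assigns location
        self.password_inputs = 0
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src and (urlparse(src).hostname or "") == TURNSTILE_SCRIPT_HOST:
                self.turnstile_script = True
            self._in_inline_script = src is None
        elif tag == "div" and TURNSTILE_WIDGET_CLASS in (a.get("class") or "").split():
            self.turnstile_widget = True
            self.redirect_callback = a.get("data-callback")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and REDIRECT_RE.search(data):
            self.inline_redirect = True


def assess_fetched_page(html: str) -> dict:
    """Classify a fetched page. A Turnstile gate with no visible credential form means
    the scanner has NOT seen the final payload and must not report the URL as clean."""
    scan = _PageScan()
    scan.feed(html)
    turnstile = scan.turnstile_script or scan.turnstile_widget
    result = {
        "turnstile_present": turnstile,
        "redirect_callback": scan.redirect_callback,
        "inline_redirect": scan.inline_redirect,
        "password_inputs": scan.password_inputs,
    }
    if scan.password_inputs:
        # Payload is visible: compare the page's host and branding against the expected IdP.
        result.update(verdict="credential_form", payload_observed=True)
    elif turnstile:
        # The scanner cannot solve the challenge; whatever sits behind it is unobserved.
        result.update(verdict="challenge_gated", payload_observed=False)
    else:
        result.update(verdict="no_indicators", payload_observed=True)
    return result


# Constructed sample pages (not captured from a real campaign); the site key is a placeholder.
GATED_SAMPLE = """<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<script>function onVerified(token) { window.location = "/next?t=" + token; }</script>
</head><body>
<div class="cf-turnstile" data-sitekey="EXAMPLE-SITEKEY" data-callback="onVerified"></div>
</body></html>"""

LOGIN_SAMPLE = """<html><body><form method="post" action="/submit">
<input type="email" name="user"><input type="password" name="pass"><button>Sign in</button>
</form></body></html>"""

BENIGN_SAMPLE = "<html><body><h1>Team offsite agenda</h1><p>See you Friday.</p></body></html>"

if __name__ == "__main__":
    for name, page in [("gated", GATED_SAMPLE), ("login", LOGIN_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, assess_fetched_page(page))
```

The "challenge_gated" verdict is the one that matters operationally: it should feed a queue for sandbox detonation with a real browser, or for manual analysis, rather than being folded into the "nothing found" bucket.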

Man-in-the-middle phishing technique

Traditional phishing pages typically collect credentials and then display an error page or redirect the user to the legitimate login page. The victim assumes they mistyped their credentials and is unlikely to notice the fraud.

The man-in-the-middle phishing technique is more discreet. The attacker's page sits between the victim and the real service: the credentials are collected and immediately used to log in to the legitimate service, so the victim ends up with a successful login and has even less reason to suspect anything. Because the whole exchange is relayed, a one-time MFA code the victim types is forwarded as well, leaving the attacker with an authenticated session. This method is also called transparent phishing.

Difficulties in detecting malicious QR codes

“No one can read a QR code with their own eyes,” Damonneville said. “You can only scan it with the right device, a smartphone. Some links can be so long that you can’t check the entire link, if you check it at all… But who checks links?”

Text-based detection is also ineffective, because a QR code is an image: the URL never appears in the message body where a filter could read it. There is also no widely adopted standard for verifying a QR code's authenticity. Digital signatures for QR codes are rarely implemented, so the source and integrity of the encoded content cannot be checked.

How can you protect yourself against quishing?

Many QR code readers show the decoded URL before opening it, so the user can inspect the link first. Any doubt about the URL should be reason enough not to follow it. In addition:

  • QR codes that lead to actions such as logging in or providing information should be treated as suspicious and examined carefully.
  • Security solutions that detect phishing URLs can help; the decoded URL should be checked with such a tool before it is opened.
  • Payments via QR code should only be made when the code is certainly legitimate.

Microsoft Sway is not the only legitimate product that cybercriminals could use to host phishing pages.

“We see legitimate sites or applications being used to host quishing or phishing attacks on a daily basis, such as Github, Gitbooks or Google Docs for example,” Damonneville says. “Not to mention all the URL shorteners on the market or free hosting sites, which are widely used to easily hide a URL.”

This once again reinforces the idea that it is necessary to raise awareness among users and train employees to distinguish a suspicious URL from a legitimate one.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
