Cybercriminals are using Microsoft Sway to host landing pages used in phishing campaigns, experts say.
The attack was detected by cybersecurity researchers at Netskope Threat Labs, who observed a 2,000-fold increase in exploits in July 2024.
You might be forgiven for not knowing what Sway is. It's a niche product from Microsoft, a cloud-based presentation and storytelling tool that people can use to create interactive reports, slideshows, newsletters, and other similar content. It's part of the Microsoft Office suite and can be accessed through the browser.
Transparent Phishing
Netskope discovered that anonymous threat actors were using Sway to create presentations containing a QR code. This code redirected victims to a phishing page that looked like a Microsoft 365 login site. Those who fell for the trick ended up revealing their login credentials.
This is not the first time hackers have been seen using QR codes in phishing attacks. As a QR code is usually an image file (.JPG), it cannot be scanned by antivirus tools and can therefore bypass different email protection services. Furthermore, a QR code is usually read via a smartphone (as it is easier to point the phone's camera at it rather than a laptop), which generally have weaker protections compared to computers. Cybercriminals have been using QR codes for years.
However, this campaign also employs something called “transparent phishing,” a method in which the victim logs into the legitimate site while simultaneously transmitting stolen credentials (including MFA codes) to the criminals.
Victims are primarily located in Asia and North America and work in technology, manufacturing and financial industries.
Cybercriminals are constantly evolving their phishing tactics, but the defense strategy remains the same: be alert and skeptical of any incoming email message, especially those that convey a sense of urgency.
Through Computer beeping
