
Massive QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials, 2FA Codes, Cookies

Threat actors are exploiting Microsoft Sway to advance a massive QR code phishing (quishing) campaign. Sway is a free Microsoft 365 presentation creation tool that allows users to create slideshows, newsletters, and documentation online.

The campaign became public knowledge when cybersecurity firm Netskope Threat Labs detected a monumental increase in Microsoft 365 credential-stealing attacks exploiting the online presentation platform.

“In July 2024, Netskope Threat Labs tracked a 2,000-fold increase in traffic to phishing pages delivered through Microsoft Sway,” the researchers said.

Netskope researchers observed threat actors behind the widespread phishing campaign employing various ingenious evasion tactics to bypass web security solutions.

QR code phishing campaign exploits Microsoft Sway, Cloudflare to evade detection

Threat actors send email-attached Microsoft Sway documents with embedded QR codes containing phishing URLs and encourage users to scan them.

When scanned, the QR codes redirect victims to malicious websites that harvest their login credentials and then forward them to a legitimate website to avoid suspicion.

The QR code phishing campaign employs transparent phishing or adversary-in-the-middle (AitM) attacks to steal multi-factor authentication codes and security tokens or cookies for future attacks.

While the number of victims remains undisclosed, the campaign primarily targets users in Asia and North America, typically working in the technology, manufacturing, and finance sectors.

According to Netskope Threat Labs researchers, the threat actors employ ingenious tactics to evade detection, including embedding the QR code in an image to bypass text-based email scanners.

“Since the URL is embedded inside an image, email scanners that can only scan text-based content can get bypassed,” noted the report.

Similarly, because victims open the Sway page while already signed in to their Microsoft account, they are more inclined to believe they are accessing a legitimate website, which lowers their guard for the next steps.

“By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves,” the researchers explained. “Additionally, a victim uses their Microsoft 365 account that they’re already logged into when they open a Sway page, that can help persuade them about its legitimacy as well.”

“The abuse of Microsoft Sway in this campaign further emphasizes that threat actors have a ready-made, easy way to bypass many automated security controls – simply abuse a trusted sharing service,” warned Max Gannon, a Cyber Intelligence Team Manager at Cofense. “The most commonly abused Microsoft online services are typically OneNote, SharePoint, and Customer Voice. If Sway continues to be abused in campaigns like the one described that may change. Cofense has also observed an increase in campaigns using QR codes and abusing Microsoft Sway towards the end of July, most of which spoofed DocuSign.”

The malicious actors also used Cloudflare Turnstile to enhance the reputation of their phishing domains and bypass static URL scanners and web filtering services such as Google Safe Browsing.

In addition, they instruct victims to use a secondary device, typically a mobile phone with weaker security controls, to avoid triggering the malicious-website alerts that are typical of PCs with antivirus software and work devices running Endpoint Detection and Response (EDR) solutions.

“Attackers instruct their victims to use their mobile devices to scan the QR code in hopes that these mobile devices lack the stringent security measures typically found on corporate-issued ones, ensuring unrestricted access to the phishing site,” the researchers said.
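As an added defender-side example (not code from the article, Netskope or Cofense), the following Python triage heuristic scores a MIME message for the traits described above: a link to a Microsoft Sway share, a lure carried as an image with little body text (the trait that defeats text-only scanners), and wording that asks the recipient to scan with a phone. The Sway hostnames, the 300-character threshold and both sample messages are assumptions constructed for the example; the heuristic does not decode the QR code itself.

```python
import re
from email import message_from_string

# Assumed Sway share hosts (not taken from the article); adjust to your own mail logs.
SWAY_HOSTS = ("sway.cloud.microsoft", "sway.office.com")
URL_HOST_RE = re.compile(r"https?://([^\s/\"'<>]+)", re.I)
SCAN_WORDS_RE = re.compile(r"\b(scan|qr\s*code|mobile|phone)\b", re.I)


def quishing_score(raw_message: str) -> dict:
    """Return a score (0-3) and the traits that fired for one raw MIME message."""
    msg = message_from_string(raw_message)
    text, image_parts = "", 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1  # the QR code (and its URL) travels as pixels, not text
        elif ctype in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    visible_text = re.sub(r"<[^>]+>|\s", "", text)  # tags/whitespace removed for length
    reasons = []
    if hosts & set(SWAY_HOSTS):
        reasons.append("links to a Microsoft Sway share")
    if image_parts and len(visible_text) < 300:  # assumed threshold
        reasons.append("image attachment with little body text")
    if SCAN_WORDS_RE.search(text):
        reasons.append("asks the recipient to scan with a phone")
    return {"score": len(reasons), "reasons": reasons, "images": image_parts}


# Constructed sample lure (not a real message) carrying the traits the report describes.
SAMPLE_LURE = """From: docs@sender.example
To: user@victim.example
Subject: Document ready for signature
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please scan the QR code below with your mobile phone to review the document.
https://sway.cloud.microsoft/s/PLACEHOLDER_ID
--b1
Content-Type: image/png

iVBORw0KGgo=
--b1--
"""

# Constructed benign control message: plain text, no image, no Sway link.
SAMPLE_BENIGN = "From: a@sender.example\nSubject: Lunch\n\nSee you at noon.\n"
```

Messages that score 2 or more are candidates for a pipeline that decodes the QR image and inspects the URL it carries; the heuristic is a triage aid, not a verdict.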

Microsoft Sway abused in the past

Malicious actors have previously abused Microsoft Sway to carry out similar phishing attacks. In 2020, Group-IB researchers identified the PerSwaysion phishing campaign, which leveraged Microsoft Sway to target small and medium businesses and top executives. It targeted over 156 high-ranking officers in the United States, Canada, Germany, the UK, the Netherlands, Hong Kong, Singapore and other financial hubs.

Meanwhile, Netskope researchers advised users to check clicked URLs or type website domains directly into the browser’s address bar when accessing online applications to avoid falling for QR code and other phishing scams.

In addition, organizations should review their security policies to include web and cloud traffic scanning and filtering to prevent employees from accessing malicious websites.

“QR code-based phishing has recently become a major problem and seems unlikely to decline; recently, Cofense research found a 331% increase in QR code active threat reports (ATRs),” Gannon concluded. “Using images rather than links also enables threat actors to abuse platforms that might have mitigation software in place for detecting embedded links to malicious content.”