A new phishing campaign that centers on abusing Microsoft's Sway presentation service is making the rounds, and it is noteworthy in both its scope and sophistication. Though the perpetrators appear to be relatively small groups of cybercriminals not affiliated with any nation-state, they are using sophisticated techniques to avoid automated phishing defenses. Previously unrelated criminal groups also appear to be coordinating their efforts for maximum effect.
The targets are C-suite executives at a wide range of organizations around the world. Over 156 high-ranking officers have been compromised so far, but the attacks are designed so that many victims may not be aware of a breach. The attacks have been seen across a number of industries worldwide, but the primary interest appears to be in countries that are home to the world's largest financial hubs.
How the PerSwaysion phishing campaign works
The PerSwaysion phishing campaign was discovered by Group-IB Threat Intelligence of Singapore. The team’s investigation has revealed that the campaign dates back to at least August 2019 and that the primary targets have been small to mid-size financial services companies, law firms, and real estate groups. Though the attacks are global and opportunistic, the highest number have been seen in the United States, Canada, and in various financial centers throughout Asia and Europe.
The phishing campaign chains together abuse of several Microsoft cloud services: Sway, OneNote and SharePoint. The goal is to redirect targets to attack sites that closely simulate the authentic Microsoft pages, gradually walking the victim into entering their Office 365 login credentials.
The attack unfolds in three phases. In the initial phase, the target receives an email that appears to come from a legitimate business contact. The email carries a malicious PDF attachment styled as a document shared via Office 365. When the target clicks the "read now" link in that PDF, they are redirected to a phishing site that closely resembles the authentic Office 365 file-sharing page. A key to making the attack site look real is the abuse of a Sway feature (arguably a design weakness) that lets attackers publish a presentation in a borderless view, stripping Sway's own navigation and branding so that the page passes for a native Office 365 file share. The browser's address bar still shows the real origin, which is why checking it matters.
The victim clicks another “read now” link on this fake file sharing page, which redirects them to another attack site convincingly designed to look like a legitimate Microsoft Single Sign-On page. Here the victim is enticed to enter their Office 365 login.
The scammers move very quickly once the login credentials are harvested. The phishing site sends them an instant notification by email, and the attackers generally access the account within six hours. Once inside, they immediately connect to the target's mailbox and dump its contents over IMAP. They then use the compromised account to generate new phishing PDFs and send them to the victim's contacts within 24 hours. The attackers wipe the phishing emails from the compromised account immediately after they are sent, so a breached user may see no evidence of the attack in their sent items or inbox.
The attackers are not arbitrary in their selection of future victims. They appear to comb through compromised accounts looking for new targets that are outside of the victim’s organization. They also specifically look for upper-level executives in these companies, possibly doing research on LinkedIn to confirm their job titles. This is likely why the new attempts from a compromised account can sometimes take nearly a full day to manifest.
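The post-compromise sequence described above (an IMAP sign-in from an unfamiliar address, a mailbox pull over IMAP, then PDF lures to external contacts that are deleted seconds after being sent) is a pattern a defender can hunt for in mailbox audit logs. The following is an added example written for this page, not Group-IB's or Microsoft's code. The event field names (`ts`, `user`, `op`, `client`, `ip`, `msg_id`, `to`, `attachment`), the per-user baseline of known sign-in IPs and the sample events are all constructed assumptions; map them onto your own tenant's audit schema.

```python
"""Hunt for the PerSwaysion post-compromise chain in mailbox audit events.

Added example; the event schema and sample data below are assumptions made
for illustration, not any vendor's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OWN_DOMAIN = "victim.example"  # hypothetical tenant domain

# Known-good sign-in IPs per user, e.g. from a prior 30-day baseline (assumed).
BASELINE_IPS = {
    "cfo@victim.example": {"203.0.113.7"},
    "analyst@victim.example": {"203.0.113.7"},
}

# Constructed sample events (not from a real tenant); order does not matter.
SAMPLE_EVENTS = [
    # Normal browser sign-in from the office.
    {"ts": "2020-04-01T08:02:10", "user": "cfo@victim.example", "op": "Login", "client": "Browser", "ip": "203.0.113.7"},
    # IMAP sign-in from an unknown IP, then a mailbox pull over IMAP.
    {"ts": "2020-04-01T09:15:00", "user": "cfo@victim.example", "op": "Login", "client": "IMAP4", "ip": "198.51.100.23"},
    {"ts": "2020-04-01T09:16:30", "user": "cfo@victim.example", "op": "MailItemsAccessed", "client": "IMAP4", "ip": "198.51.100.23"},
    # Hours later: PDF lures to external contacts, each wiped right after sending.
    {"ts": "2020-04-01T22:40:00", "user": "cfo@victim.example", "op": "Send", "client": "Browser", "ip": "198.51.100.23", "msg_id": "m1", "to": "ceo@partner-one.example", "attachment": "Agreement.pdf"},
    {"ts": "2020-04-01T22:40:08", "user": "cfo@victim.example", "op": "HardDelete", "client": "Browser", "ip": "198.51.100.23", "msg_id": "m1"},
    {"ts": "2020-04-01T22:41:15", "user": "cfo@victim.example", "op": "Send", "client": "Browser", "ip": "198.51.100.23", "msg_id": "m2", "to": "md@partner-two.example", "attachment": "Agreement.pdf"},
    {"ts": "2020-04-01T22:41:20", "user": "cfo@victim.example", "op": "HardDelete", "client": "Browser", "ip": "198.51.100.23", "msg_id": "m2"},
    {"ts": "2020-04-01T22:42:02", "user": "cfo@victim.example", "op": "Send", "client": "Browser", "ip": "198.51.100.23", "msg_id": "m3", "to": "gc@partner-three.example", "attachment": "Agreement.pdf"},
    {"ts": "2020-04-01T22:42:09", "user": "cfo@victim.example", "op": "HardDelete", "client": "Browser", "ip": "198.51.100.23", "msg_id": "m3"},
    # Benign colleague: internal mail and an ordinary delete, no foreign IMAP login.
    {"ts": "2020-04-01T10:00:00", "user": "analyst@victim.example", "op": "Login", "client": "Browser", "ip": "203.0.113.7"},
    {"ts": "2020-04-01T10:05:00", "user": "analyst@victim.example", "op": "Send", "client": "Browser", "ip": "203.0.113.7", "msg_id": "m9", "to": "cfo@victim.example", "attachment": "Q1.pdf"},
    {"ts": "2020-04-01T16:00:00", "user": "analyst@victim.example", "op": "SoftDelete", "client": "Browser", "ip": "203.0.113.7", "msg_id": "m9"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def hunt_perswaysion(events, baseline_ips, own_domain,
                     send_window=timedelta(hours=24),
                     delete_window=timedelta(minutes=10),
                     min_external_domains=2):
    """Return one finding per user whose events match the chain:
    an IMAP sign-in from an IP outside the user's baseline, then within
    send_window outbound PDF mail to several external domains, each message
    deleted within delete_window of being sent."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        known = baseline_ips.get(user, set())
        # When each message was deleted, keyed by message id.
        deleted_at = {e["msg_id"]: _ts(e) for e in evs
                      if e["op"] in ("HardDelete", "SoftDelete") and "msg_id" in e}

        for login in evs:
            if login["op"] != "Login" or login["client"] != "IMAP4" or login["ip"] in known:
                continue
            t0 = _ts(login)
            # Did the same IP pull the mailbox over IMAP after signing in?
            pulled = any(e["op"] == "MailItemsAccessed" and e["client"] == "IMAP4"
                         and e["ip"] == login["ip"] and _ts(e) >= t0 for e in evs)
            lures = []
            for s in evs:
                if s["op"] != "Send" or not (t0 < _ts(s) <= t0 + send_window):
                    continue
                domain = s["to"].rsplit("@", 1)[-1].lower()
                if domain == own_domain or not s.get("attachment", "").lower().endswith(".pdf"):
                    continue
                gone = deleted_at.get(s["msg_id"])
                if gone is not None and _ts(s) <= gone <= _ts(s) + delete_window:
                    lures.append((domain, s["msg_id"]))
            domains = {d for d, _ in lures}
            if len(domains) >= min_external_domains:
                findings.append({"user": user, "imap_ip": login["ip"], "imap_login": login["ts"],
                                 "mailbox_pulled_over_imap": pulled,
                                 "lures_sent_and_wiped": len(lures),
                                 "external_domains": sorted(domains)})
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for f in hunt_perswaysion(SAMPLE_EVENTS, BASELINE_IPS, OWN_DOMAIN):
        print(f)
```

The thresholds are deliberately loose (two external domains, a ten-minute send-to-delete gap) because the point is to surface the sequence for a human, not to block anything; tighten them against your own false-positive rate, and treat the IMAP sign-in alone as worth an alert if legacy authentication is not expected in your tenant.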
The researchers are still not clear on what the endgame for all of this stolen information is, but there are a number of possibilities. Confidential and sensitive business data could simply be sold on the underground market, as could the compromised logins, to other criminals looking to execute business email compromise or a similar financial scheme.
Sophisticated evasion of phishing defense systems
The use of legitimate file-sharing sites allows an authentic-looking preview image of the attachment to be generated, further simulating the user experience of the real Microsoft file-sharing services. The phishing front-end sites are also decoupled from the credential-harvesting backend servers, which sit behind Cloudflare, so that when a site is blacklisted another can be deployed under a different domain name with minimal disruption to the campaign.
PerSwaysion appears to be a phishing kit sold on the underground markets by a Vietnamese source. Multiple groups of threat actors appear to be working together to operate it on a sort of “software as a service” model, based primarily out of Nigeria and South Africa.
Defending against the PerSwaysion phishing campaign
Though PerSwaysion is better at mimicking login pages and at evading automated defenses than the usual phishing campaign, it still gives off some telltale warning signs. One of the biggest is that the sender and recipient fields of the initial email both contain the sender's address. The subject line contains only the company's full name, and the first sentence of the email body has "+" signs in place of the normal spaces between words. The phishing PDF files also contain long strings of random text in a white font color, which can be made visible by highlighting the page.
If the victim fails to notice these quirks and clicks through to the sign-on page, there is one final warning: it lists the revision number as 6.7.6640.0, which is an outdated version from 2017. Erich Kron, security awareness advocate at KnowBe4, also observes that organizations should be training employees to verify that an authentic URL is visible before entering login credentials: “The most effective way to defend against these attacks is to ensure everyone in the organization, even the top leadership, has been trained to spot and report phishing attacks and receives simulated phishing attacks on a regular basis so they can perfect their spotting skills without endangering the organization. It is important to stress that whenever you are redirected to a login page, you should always look at the browser URL bar to ensure you are at the real login site for that service, not a fake.”
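The tells listed above (sender and recipient identical, subject consisting only of the organization's name, "+" in place of spaces in the opening sentence, long white-on-white text in the PDF, and a sign-on page on the wrong host advertising revision 6.7.6640.0) are mechanical enough to check automatically in a mail-gateway hook or a SOC triage script. The following is an added example written for this page, not Group-IB's, KnowBe4's or Microsoft's code. The sample messages, the organization name `Victim Holdings Ltd`, the minimal PDF stand-in and the allow list of Microsoft login hosts are constructed assumptions; the white-text heuristic reads uncompressed or Flate-compressed content streams only and is a triage signal, not a parser.

```python
"""Score an inbound message and a landing page against the PerSwaysion tells.

Added example; the sample lure, organization name, PDF stand-in and login
host allow list are assumptions made for illustration.
"""
import re
import zlib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

ORG_NAME = "Victim Holdings Ltd"  # assumed full name of the targeted company
LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}  # assumed allow list; maintain it

# Constructed PDF-style stand-in: a visible sentence, then a white fill
# (1 1 1 rg) followed by a long run of filler text, as the lure hides padding.
_FILLER = ("xqzv " * 60).encode()
LURE_PDF = (b"%PDF-1.4\n1 0 obj << >> stream\n"
            b"BT 0 0 0 rg (Please review the attached) Tj 1 1 1 rg (" + _FILLER + b") Tj ET"
            b"\nendstream\nendobj\n%%EOF")
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << >> stream\nBT 0 0 0 rg (Agreement) Tj ET\nendstream\n%%EOF"


def build_sample_message(lure=True):
    """Constructed messages reproducing (lure=True) or lacking the quirks above."""
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane.doe@partner.example>"
    msg["To"] = "jane.doe@partner.example" if lure else "cfo@victim.example"
    msg["Subject"] = ORG_NAME if lure else "Agreement for signature"
    body = ("Please+find+attached+the+agreement for your review." if lure
            else "Please find attached the agreement for your review.")
    msg.set_content(body + "\n\nRegards,\nJane")
    msg.add_attachment(LURE_PDF if lure else BENIGN_PDF, maintype="application",
                       subtype="pdf", filename="Agreement.pdf")
    return msg.as_bytes()


def longest_white_text_run(pdf_bytes):
    """Length of the longest string drawn right after a white fill (1 1 1 rg or 1 g)."""
    longest = 0
    for stream in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf_bytes, re.S):
        data = stream.group(1)
        try:
            data = zlib.decompress(data)  # real lures usually Flate-compress streams
        except zlib.error:
            pass  # already uncompressed
        for run in re.finditer(rb"(?:1 1 1 rg|1 g)\s*\((.*?)\)\s*Tj", data, re.S):
            longest = max(longest, len(run.group(1)))
    return longest


def score_message(raw, org_name=ORG_NAME, white_run_threshold=100):
    """Return the tags of every PerSwaysion tell present in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=default)
    hits = []
    sender = parseaddr(msg["From"] or "")[1].lower()
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if sender and recipients == {sender}:
        hits.append("to-equals-from")
    if (msg["Subject"] or "").strip().lower() == org_name.lower():
        hits.append("subject-is-org-name")
    body = msg.get_body(preferencelist=("plain",))
    first_line = (body.get_content() if body else "").strip().split("\n", 1)[0]
    if re.search(r"\w+\+\w+\+\w+", first_line):
        hits.append("plus-for-spaces")
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            if longest_white_text_run(part.get_payload(decode=True)) >= white_run_threshold:
                hits.append("white-text-pdf:" + (part.get_filename() or "?"))
    return hits


def check_login_page(url, html):
    """Tells for the fake single sign-on page: untrusted host, stale revision string."""
    hits = []
    if (urlparse(url).hostname or "").lower() not in LOGIN_HOSTS:
        hits.append("untrusted-login-host")
    if "6.7.6640.0" in html:
        hits.append("stale-revision-6.7.6640.0")
    return hits


if __name__ == "__main__":
    print(score_message(build_sample_message(lure=True)))
    print(score_message(build_sample_message(lure=False)))
    print(check_login_page("https://docs-share.example/sso", "<p>Revision 6.7.6640.0</p>"))
```

None of these checks is a verdict on its own; two or more together on one message are a strong reason to quarantine it and to confirm with the apparent sender out of band. The host check is the one Kron's advice boils down to, and it is the one a user can apply without tooling: the address bar, not the page, says where the credentials are going.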