The attacks were aimed mainly at users in Asia and North America, with attackers paying special attention to representatives of the technological, production, and financial sectors. Email messages redirected potential victims to pages on the “Sway.cloud.microsoft” domain, where they were prompted to scan QR codes leading to malicious sites.
Attackers exploited vulnerabilities in mobile devices, which often have weaker security measures compared to computers. This increased the likelihood of bypassing protective mechanisms and simplified access to phishing sites. By embedding QR codes in images, attackers were able to circumvent automatic email scanners that only check text content.
Security researchers highlighted the increased vulnerability of users scanning QR codes with mobile devices, particularly their personal smartphones due to inadequate protection measures.
Furthermore, attackers employed various tactics to enhance the effectiveness of their campaign. One such tactic was the use of transparent phishing, enabling them to steal accounting data and multifactor authentication codes while simultaneously displaying the victim a legitimate Microsoft sign-in page to lower suspicion.
To camouflage their phishing pages, attackers utilized the Cloudflare Turnstile tool, which shields sites from bots. This tactic helped conceal malicious content from static scanners and maintain a high domain reputation, avoiding detection and blocking from filtering services like Google Safe Browsing.
It is noteworthy that Microsoft Sway had been previously used in similar attacks five years ago during the PersWaySion campaign, where attackers attempted to pilfer Office 365 credentials using a phishing kit offered as part of the Malicious Service model (MAAS). At least 156 high-ranking individuals from financial, legal, and real estate companies in countries like the USA, Canada, Germany, and the UK fell victim to this campaign.
This recent surge in attacks underscores the importance of heightened vigilance and caution when dealing with suspicious emails and links, especially those that prompt QR code scanning.