A newly discovered QR code phishing operation abuses Microsoft Sway, a cloud-based tool for creating online presentations, to host landing pages that deceive Microsoft 365 users into providing their credentials.
According to reports, this massive phishing operation was initially discovered by researchers in July 2024 after they spotted a 2,000-fold spike in cyberattacks using Microsoft Sway to host malicious pages that steal Microsoft 365 credentials.
The threat actors who operate the campaign target consumers in Asia and North America, with the most targeted industries including finance, manufacturing, and technology.
The phishing landing pages contained a fake Microsoft Sway domain that unsuspecting users would likely access after redirection.
An investigation into the new QR code phishing campaign revealed that the emails sent to potential victims could redirect them to a fake Microsoft Sway landing page on the sway.cloud.microsoft domain. Once users arrive on the site, the page prompts them to scan QR codes that lead to additional malicious websites.
Attackers frequently encourage victims to scan QR codes with their mobile devices, which typically have weaker security measures. This increases the attackers' chances of bypassing security solutions and lets victims reach the phishing sites without restriction.
Furthermore, the attackers use various strategies to increase the efficacy of their campaign, including transparent phishing, in which they acquire credentials and MFA tokens and use them to sign victims into their Microsoft accounts while displaying the actual login page.
They also used Cloudflare Turnstile, a tool for protecting websites from bots, to hide the phishing content on their landing pages from static scanners, which keeps the phishing domain's reputation good.
This is not the first time malicious actors have exploited Microsoft Sway: it was also abused during the PerSwaysion phishing campaign. Five years ago, this attack targeted Office 365 login credentials via a phishing kit provided by a malware-as-a-service (MaaS) organisation.
Researchers reported at the time that the attacks fooled at least 156 high-ranking executives from small and medium-sized financial services companies, legal firms, and real estate groups.
Users should be wary of these phishing tactics and avoid scanning QR codes on unknown websites and landing pages. Knowing about such threats makes users less likely to fall victim to them and helps protect their data from hackers.
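For mail defenders, the delivery path described above (an email link that lands on sway.cloud.microsoft, where the QR code is shown) can be triaged at the link level. The following is an added example, not code from the researchers or from Microsoft: it flags Sway-hosted links for analyst review and separately flags hostnames that merely embed the Sway name; the message format, the function names and all sample URLs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

SWAY_HOST = "sway.cloud.microsoft"   # hosting domain named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample messages (not real campaign data).
SAMPLE_MESSAGES = [
    {"id": "m1", "body": "Your document is ready: https://sway.cloud.microsoft/EXAMPLEID1?ref=email."},
    {"id": "m2", "body": "Notes: https://example.com/notes and https://sway.cloud.microsoft.login-check.example/view"},
    {"id": "m3", "body": "Open https://sway.cloud.microsoft@files.example/doc today"},
    {"id": "m4", "body": "Lunch menu: https://example.org/menu"},
]

def classify_url(url):
    """Return 'sway', 'lookalike' or 'other' for one URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:          # malformed authority, e.g. broken IPv6 literal
        return "other"
    if host == SWAY_HOST:
        return "sway"           # really hosted on Sway: route to review
    if SWAY_HOST in parts.netloc.lower():
        return "lookalike"      # Sway name used as a prefix or as userinfo
    return "other"

def triage(messages):
    """List (message id, verdict, url) for every link worth an analyst's look."""
    findings = []
    for msg in messages:
        for raw in URL_RE.findall(msg["body"]):
            url = raw.rstrip(".,;:)!?")   # drop sentence punctuation
            verdict = classify_url(url)
            if verdict != "other":
                findings.append((msg["id"], verdict, url))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(*finding, sep="\t")
```

A "sway" verdict only means the link is hosted on the legitimate service, so it is a cue to inspect the page (for example, for an embedded QR code), not proof of phishing.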
