Hackers Exploit Microsoft Sway in New QR Code Phishing Campaign

Published: Aug 28, 2024

Key Takeaways:

  • Cybersecurity researchers have identified a sophisticated phishing campaign that uses malicious QR codes to steal Office credentials, luring users through attacker-controlled Microsoft Sway pages to fake login sites.
  • This campaign employs tactics like transparent phishing and Cloudflare Turnstile to bypass security measures and trick users.
  • It primarily affects victims in Asia and North America across sectors like manufacturing, technology, and finance.

Cybersecurity researchers have uncovered a new phishing campaign that uses malicious QR codes to steal Office credentials, luring users through attacker-controlled Microsoft Sway pages. The tactic lets hackers present victims with convincing but fraudulent login prompts, putting sensitive information at risk.

QR code phishing is a cyberattack where hackers create malicious QR codes that direct users to fake websites. These sites often appear legitimate and may ask for sensitive information like credit card details, personal data, or login credentials. Hackers can then use the stolen information for activities such as financial fraud, identity theft, and unauthorized account access.

Sway is a free Microsoft 365 app that lets users create dynamic, interactive presentations, newsletters, blogs, and resumes. It’s designed for easy and engaging content creation, with real-time collaboration features that allow multiple users to work on a project together simultaneously.

How does the QR code phishing campaign work?

The QR code phishing campaign was first spotted by Netskope Threat Labs in July 2024. It has primarily targeted victims in Asia and North America across various industries, including the manufacturing, technology, and finance sectors.

Hackers use various sharing methods, such as email, links, and Twitter, to direct users to phishing pages hosted on the sway.cloud.microsoft domain. These pages prompt victims to scan QR codes, which in turn send them on to other malicious websites.

“Attackers instruct their victims to use their mobile devices to scan the QR code in hopes that these mobile devices lack the stringent security measures typically found on corporate-issued ones, ensuring unrestricted access to the phishing site,” the researcher explained. “These QR phishing campaigns employ two techniques from previous posts: the use of transparent phishing and Cloudflare Turnstile.”

Figure: Sway page with a QR code containing the phishing URL (Image Credits: Microsoft)

The transparent phishing technique allows hackers to replicate the exact content of legitimate login pages to steal credentials. Additionally, some QR phishing campaigns use Cloudflare Turnstile to evade detection by static website scanners, making it harder for web filtering services to block the malicious domain and URL.

Recommendations

Researchers advise users to manually enter URLs into their web browsers instead of clicking on links to avoid phishing attacks. Organizations are urged to review their security policies and monitor all HTTP and HTTPS traffic to prevent employees from accessing malicious sites. Administrators should implement Remote Browser Isolation (RBI) technology for additional protection when visiting newly registered domains.
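The traffic-monitoring and newly-registered-domain advice above can be turned into a simple proxy-log triage rule. The following is an added example, not code from the article or from Netskope; the log lines, the registration dates, the 30-day threshold and the Sway share path are all constructed for illustration.

```python
from datetime import date
from urllib.parse import urlparse

SWAY_HOST = "sway.cloud.microsoft"
NEW_DOMAIN_DAYS = 30            # domains younger than this go to RBI, per the advice above
TODAY = date(2024, 8, 28)       # constructed analysis date

# Constructed stand-in for a WHOIS/RDAP domain-age lookup (hypothetical data).
REGISTRATION_DATES = {
    "login-check.example": date(2024, 8, 20),
    "contoso.com": date(1999, 5, 3),
}

def domain_age_days(host, today):
    """Days since registration, or None when no registrar data is available."""
    registered = REGISTRATION_DATES.get(host)
    return None if registered is None else (today - registered).days

def classify(url, today):
    """Verdict for one proxied URL: 'sway_share', 'isolate', 'unknown_domain' or 'allow'."""
    host = (urlparse(url).hostname or "").lower()
    if host == SWAY_HOST:
        return "sway_share"        # shared Sway page: the lure used in this campaign
    age = domain_age_days(host, today)
    if age is None:
        return "unknown_domain"    # no age data; worth a manual look
    if age <= NEW_DOMAIN_DAYS:
        return "isolate"           # newly registered: open in remote browser isolation
    return "allow"

def scan_proxy_log(lines, today):
    """Parse constructed 'user|user_agent|url' proxy lines and return every
    non-'allow' hit as (user, verdict, is_mobile, url)."""
    findings = []
    for line in lines:
        user, user_agent, url = line.strip().split("|")
        verdict = classify(url, today)
        if verdict == "allow":
            continue
        # Mobile user agents matter here because the lure tells victims to scan with a phone.
        is_mobile = any(k in user_agent.lower() for k in ("iphone", "android", "mobile"))
        findings.append((user, verdict, is_mobile, url))
    return findings

SAMPLE_LOG = [  # constructed lines, not real traffic
    "alice|Mozilla/5.0 (Windows NT 10.0)|https://sway.cloud.microsoft/s/AbCdEf",
    "alice|Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)|https://login-check.example/auth",
    "bob|Mozilla/5.0 (Windows NT 10.0)|https://contoso.com/",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG, TODAY):
        print(finding)
```

In practice the registration lookup would be backed by RDAP/WHOIS data and the verdicts fed to the web filter or RBI policy rather than printed.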