Criminals continue to find ways to launch attacks using legitimate cloud platforms and services, and the latest tool to fall victim to bad actors is Microsoft Sway. Hackers are using the product to deliver malicious payloads to users via QR codes, tricking users into revealing their Microsoft 365 login credentials.
QR code phishing, or “quishing,” isn’t new. Still, this Microsoft Sway vulnerability is a fairly new issue affecting North American and Asia businesses.
What Is Microsoft Sway and Why Is It Under Attack?
Microsoft Sway is a cloud-based content creation tool included in Microsoft 365 subscriptions. Users can send newsletters, presentations, and other interactive content using Sway.
Hackers are using Sway and a QR code exploit to target user’s Microsoft credentials, which allows them to steal data and gain further access to protected networks. To launch the attack, threat actors create a Sway with a malicious QR code, hoping to trick the user into scanning the code. When they do, they redirect to a phishing attack landing page that appears identical to the Microsoft 365 login page.
At this point, if the victim enters their login credentials, including multi-factor authentication credentials, the hackers have the information they want.
The Danger of QR Code Exploits
Launching phishing attacks using Microsoft Sway is particularly effective for several reasons.
The attack is a form of so-called “transparent phishing.” Because users must log in to their Microsoft Sway accounts to access the content they receive from the hacker, they typically believe that the messages are legitimate and are more likely to open malicious pages. Everything appears in order, so they never suspect they’re handing their credentials to a hacker.
Another concerning aspect of this Microsoft Sway vulnerability is that many people scan malicious QR codes using their mobile devices. Most smartphones, especially personal devices, don’t have the same level of protection as computers, making it easier for threat actors to wreak havoc via QR codes.
Finally, QR codes are often impervious to Microsoft security tools and protocols. Most QR codes are JPG image files, so antivirus and malware detection tools cannot determine whether they contain malicious code. This allows them to slip through email protection programs undetected.
Cybercriminals are one step ahead even as security vendors develop new tools to scan images. Some create QR codes using Unicode text characters instead of images to thwart detection. In short, hackers are constantly adjusting to find ways to avoid detection and deliver malicious payloads to their victims.
How To Avoid These New Quishing Attacks
The best way to avoid falling victim to a quishing attack via Microsoft Sway is to continue following your best practices to prevent phishing attacks.