Netskope Report Details Exponential Increase in Microsoft Sway QR Code Phishing

Summary

On 27 August 2024, Cybersecurity researchers from Netskope released a new report calling attention to a new QR code phishing, also known as quishing, campaign that leverages Microsoft Sway infrastructure to host fake pages, highlighting the abuse of legitimate cloud offerings for malicious purposes.

In July 2024, Netskope Threat Labs tracked a 2,000-fold increase in traffic to phishing pages delivered through Microsoft Sway. The quishing campaigns targeted MS Office credentials, using documents to bait users into logging in, and have targeted victims mainly in Asia and North America across multiple segments led by Technology, Manufacturing, and Finance.

Recommendations and Indicators of Compromise (IOCs) have been provided by Netskope and are attached from RH-ISAC Member convenience.

Community Impact

The developments from the Netskope report come as quishing campaigns are becoming more sophisticated as security vendors develop countermeasures to detect and block such image-based threats. This activity remains crucial for attackers leveraging adversary-in-the-middle phishing tactics to siphon credentials and two-factor authentication (2FA) codes using lookalike login pages, while simultaneously attempting to log the victim into the service. This activity remains a novel and rising threat for multiple sectors, including retail and hospitality. RH-ISAC Members are encouraged to review the intelligence included in the report, linked above, and apply the mitigation and IOCs within your technical environment.

Background

Sway is a free application within Microsoft 365 that helps Microsoft users present ideas with a web-based canvas, meaning anyone with a Microsoft account can send presentations without cost. This free access, however, makes it appealing to attackers for abuse, as Netskope has observed previously about attackers’ propensity to use free cloud applications. By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves.

A majority of the phishing campaigns analyzed by Netskope used QR Code phishing, or quishing. Using QR codes to redirect victims to phishing websites poses some challenges to defenders. Since the URL is embedded inside an image, email scanners that can only scan text-based content can get bypassed. Additionally, when a user receives a QR code, they may use another device, such as their mobile phone, to scan the code. Since the security measures implemented on mobile devices, particularly personal cell phones, are typically not as stringent as laptops and desktops, victims are then often more vulnerable to abuse. Some Quishing campaigns use Cloudflare Turnstile as an additional layer of protection against static website scanners. Similar to previously disclosed phishing campaigns from Netskope, attackers abuse Cloudflare Turnstile so the phishing payload will be hidden from online static URL scanners. This technique prevents the domain and URL from having a bad domain reputation, so it won’t be blocked by web filtering services.

After passing the CAPTCHA test from Turnstile, the Microsoft 365 phishing page employs a transparent phishing technique. The HTML code is almost identical to the legitimate Microsoft 365 login page. One difference is that all Microsoft login URLs are replaced with the phishing domain, thereby collecting login credentials and logging in on behalf of the victims. The phishing page collects the credentials provided by the victim and sends them either to another compromised website, or the same domain hosting the phishing site. Afterward, they may be redirected to a legitimate website to avoid suspicion.

Recommendations

The phishing pages described, according to the Netskope report, are easily recognizable by the domain pattern sway[.]cloud[.]microsoft. Users can avoid becoming victims of the attacks described in this post by checking the URL. Users should always access important pages, such as their banking portal or webmail, by typing the URL directly into the web browser instead of using search engines or clicking any other links.

Netskope Threat Labs recommends that organizations review their security policies to ensure that they are adequately protected against these and similar phishing pages and scams:

• Inspect all HTTP and HTTPS traffic, including all web and cloud traffic, to prevent users from visiting malicious websites. Netskope customers can configure their Netskope NG-SWG with a URL filtering policy to block known phishing and scam sites, and a threat protection policy to inspect all web content to identify unknown phishing and scam sites using a combination of signatures, threat intelligence, and machine learning.
• Use  Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall into categories that can present higher risk, like Newly Observed and Newly Registered Domains.

Indicators of Compromise

The following IOCs have been provided by Netskope via their public GitHub repository:

• [https://sway.cloud[.]microsoft/itPRuwnKjkATyKUR?ref=Link]sway.cloud[.]microsoft/itPRuwnKjkATyKUR?ref=Link
• [https://sway.cloud[.]microsoft/T0yF99kFP1KAoquD?ref=Link&loc=mysways]sway.cloud[.]microsoft/…
• [https://sway.cloud[.]microsoft/ntDdZK6JoKgvMqNU?ref=Link]sway.cloud[.]microsoft/ntDdZK6JoKgvMqNU?ref=Link
• [https://sway.cloud[.]microsoft/IUbqaHWqUH6C5eAW?ref=Link]sway.cloud[.]microsoft/IUbqaHWqUH6C5eAW?ref=Link
• [https://sway.cloud[.]microsoft/CxF8QqYpUv9r0Vx0?ref=Link&loc=play]sway.cloud[.]microsoft/…
• [https://sway.cloud[.]microsoft/AnGIKbMo1Bq8iTGH?ref=Link]sway.cloud[.]microsoft/AnGIKbMo1Bq8iTGH?ref=Link
• [https://sway.cloud[.]microsoft/aETxkd7BuvhId4sF?ref=Link&loc=play]sway.cloud[.]microsoft/…
• [https://sway.cloud[.]microsoft/RcSS1NyUsTAQ4GbQ?ref=Link&loc=play]sway.cloud[.]microsoft/…
• [https://sway.cloud[.]microsoft/PkAKyuZ7HsxLhVA5?ref=Link]sway.cloud[.]microsoft/PkAKyuZ7HsxLhVA5?ref=Link
• [https://sway.cloud[.]microsoft/VB7PWySCwoKy4Mvc]sway.cloud[.]microsoft/VB7PWySCwoKy4Mvc
• [https://sway.cloud[.]microsoft/vL0rhxc8x4I16Lwh?ref=Link]sway.cloud[.]microsoft/vL0rhxc8x4I16Lwh?ref=Link
• [https://sway.cloud[.]microsoft/lAsxBmdzUG5VXXav?ref=Link]sway.cloud[.]microsoft/lAsxBmdzUG5VXXav?ref=Link
• [https://sway.cloud[.]microsoft/DmxuQNgtqLKxUmHE?ref=Link]sway.cloud[.]microsoft/DmxuQNgtqLKxUmHE?ref=Link
• [https://sway.cloud[.]microsoft/IUbqaHWqUH6C5eAW?ref=Link]sway.cloud[.]microsoft/IUbqaHWqUH6C5eAW?ref=Link
• [https://sway.cloud[.]microsoft/CxF8QqYpUv9r0Vx0?ref=Link&loc=play]sway.cloud[.]microsoft/…
• [https://sway.cloud[.]microsoft/05LIlwBFn0qWED6i?ref=Link]sway.cloud[.]microsoft/05LIlwBFn0qWED6i?ref=Link
• [https://sway.cloud[.]microsoft/IzK05FqeCrAXEVo7?ref=Link]sway.cloud[.]microsoft/IzK05FqeCrAXEVo7?ref=Link
• login.msofficeopt[.]nl
• gdu.msofficeopt[.]nl
• ffnthost365[.]cfd
• nedttis365[.]xyz
• msntntion0[.]cfd