Phishing campaigns targeting MS Office credentials surged significantly in July 2024. The campaigns use Microsoft Sway to deliver malicious QR codes, and the attackers combine transparent phishing with Cloudflare Turnstile to evade detection and bypass security measures.
The QR codes redirect users to phishing pages, typically on mobile devices, which often lack robust security controls; the goal is to compromise user credentials and gain unauthorized access to sensitive information.
Microsoft Sway, a free Microsoft 365 application, is being increasingly abused by attackers to distribute phishing content. By leveraging its legitimacy and ease of access, attackers are creating convincing phishing pages targeting Microsoft 365 accounts.
Researchers observed a significant surge in Sway-based phishing attacks in July 2024, highlighting the growing threat. Users should be cautious when accessing Sway pages, especially if prompted to log in, and verify the URL format to identify legitimate Sway links.
Quishing, or QR code phishing, is the practice of embedding malicious URLs in QR codes to redirect unsuspecting victims to phishing websites; it exploits the widespread adoption of QR codes that took hold during the COVID-19 pandemic.
By bypassing traditional email scanners and leveraging the often-less-secure environments of mobile devices, attackers can successfully deceive users into visiting malicious websites.
The analyzed phishing campaigns employed tools like Google Chrome and QR Code Generator PRO to create these deceptive QR codes, posing a significant threat to online security.
Phishing attackers are exploiting Cloudflare Turnstile as a countermeasure against static website scanners. By integrating Turnstile into their phishing pages, attackers can effectively conceal the malicious payload, making it difficult for automated tools to detect and flag the domain as malicious.
This obfuscation technique helps to prevent the domain from acquiring a negative reputation and being blocked by web filtering services, thereby increasing the likelihood of successful phishing attacks.
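A defensive triage check for the Turnstile gating described above, written here as an added example rather than code from this article or from Netskope: it parses a fetched page, records whether the Cloudflare Turnstile widget is loaded, and treats a Turnstile page that exposes almost no visible text as one whose real content is hidden from static scanning and therefore needs dynamic analysis rather than a "clean" verdict. The sample HTML, the placeholder site key and the 200-character threshold are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path prefix of the real Turnstile client script on challenges.cloudflare.com.
TURNSTILE_API = "challenges.cloudflare.com/turnstile/"

class _PageFeatures(HTMLParser):
    """Collect visible text and Turnstile markers from fetched HTML."""
    def __init__(self):
        super().__init__()
        self.text, self.turnstile, self._hidden = [], False, 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._hidden += 1  # script/style bodies are not visible text
        src, cls = a.get("src") or "", (a.get("class") or "").split()
        if TURNSTILE_API in src or "cf-turnstile" in cls:
            self.turnstile = True  # widget script or <div class="cf-turnstile">

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text.append(data)

def triage_page(url, html, min_visible_chars=200):
    """Classify one fetch. A page that loads Turnstile but shows almost no
    visible text is hiding its real content behind the challenge, so a static
    verdict on this fetch is meaningless and the URL needs dynamic analysis."""
    p = _PageFeatures()
    p.feed(html)
    visible = re.sub(r"\s+", " ", " ".join(p.text)).strip()
    return {
        "sway_hosted": (urlparse(url).hostname or "") == "sway.cloud.microsoft",
        "turnstile_present": p.turnstile,
        "visible_chars": len(visible),
        "needs_dynamic_analysis": p.turnstile and len(visible) < min_visible_chars,
    }

# Constructed sample (not a real campaign artifact): a landing page that shows
# nothing but the challenge until Turnstile is solved. Site key is a placeholder.
GATED_SAMPLE = """<html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body>
<div class="cf-turnstile" data-sitekey="SITEKEY-PLACEHOLDER"></div>
<p>Verifying you are human...</p>
</body></html>"""

if __name__ == "__main__":
    print(triage_page("https://sway.cloud.microsoft/EXAMPLE-PATH", GATED_SAMPLE))
```

A scanner that keeps such URLs in a "pending" state until a browser or sandbox has solved the challenge avoids the clean-reputation outcome the attackers are counting on.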
According to Netskope, attacker-in-the-middle phishing is a sophisticated technique that goes beyond traditional phishing by actively intervening in the victim's login process.
While both methods aim to collect user credentials, attacker-in-the-middle phishing not only intercepts the submitted credentials but also attempts to log the victim into the legitimate service.
It allows the attacker to collect additional authentication factors, such as multi-factor codes, and obtain the victim’s session tokens or cookies, which can be used to maintain unauthorized access to the victim’s account, potentially leading to further data breaches or fraudulent activities.
Malicious actors are exploiting Microsoft Sway (sway.cloud.microsoft) to host phishing campaigns delivered via QR codes that bypass traditional defenses by leveraging Cloudflare Turnstile and transparent phishing techniques to steal Microsoft 365 credentials, potentially even bypassing MFA.
Organizations should update security controls to block sway.cloud.microsoft and implement URL filtering alongside threat protection that analyzes web content for unknown phishing attempts, while remote browser isolation can offer additional protection for accessing high-risk websites.