
Massive QR Code Phishing Campaign Abusing Microsoft Sway


 

We have written about QR code phishing campaigns in the past, and we discussed the cybersecurity risk of QR phishing in our 2023 Annual Threat Intelligence Report (page 5).

 

The risk of QR codes remains significant, as demonstrated by the recent massive phishing campaign that exploited Microsoft Sway. Microsoft Sway is a cloud-based tool for creating newsletters, presentations, and documentation. It has been part of the Microsoft 365 family of products since 2015.



In July 2024, Netskope Threat Labs tracked a 2,000-fold increase in traffic to phishing pages delivered through Microsoft Sway. The majority of the credential-grabbing pages investigated used “Quishing,” a form of phishing that uses a QR code to trick users into accessing a malicious website. The phishing campaigns targeted MS Office credentials, using documents to bait users into logging in. The campaigns have targeted victims mainly in Asia and North America across multiple segments, led by Technology, Manufacturing, and Finance.

 

These fake hosted landing pages once again highlight the abuse of legitimate cloud offerings for malicious purposes. “By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves," Netskope Threat Labs researcher Jan Michael Alcantara said. "Additionally, a victim uses their Microsoft 365 account that they're already logged into when they open a Sway page, that can help persuade them about its legitimacy as well. Sway can also be shared through either a link (URL link or visual link) or embedded on a website using an iframe."

 

The phishing campaigns analyzed appear to be using Google Chrome and QR Code Generator PRO to generate QR codes.


The activity is also notable for leveraging adversary-in-the-middle (AitM) phishing tactics – i.e., transparent phishing – to siphon credentials and two-factor authentication (2FA) codes using lookalike login pages, while simultaneously attempting to log the victim into the service.

 

The development comes as quishing campaigns are getting more sophisticated and as security vendors develop countermeasures to detect and block such image-based threats. "In a clever twist, attackers have now begun crafting QR codes using Unicode text characters instead of images," SlashNext CTO J. Stephen Kowski said. "This new technique, which we're calling 'Unicode QR Code Phishing,' presents a significant challenge to conventional security measures." What makes the attack particularly dangerous is that it entirely bypasses detections designed to scan for suspicious images, because a Unicode QR code is composed entirely of text characters. Furthermore, Unicode QR codes render correctly on screen and scan without any issues, yet they look markedly different when viewed as plain text, which further complicates detection.
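The text-based QR codes described above leave no image for an attachment scanner to inspect, but the text itself has a recognisable shape: many consecutive rows of near-equal width made only of Unicode Block Elements characters and spaces. The following detector is an added example (not code from the original post or from SlashNext); the thresholds, the sample message and the constructed "QR-like" grid it is tested on are assumptions chosen for the demo.

```python
"""Heuristic detector for QR codes rendered as Unicode text characters.

Added example, not code from the original post or from any vendor named in it.
A text-rendered QR code is usually built from the Unicode Block Elements range
(U+2580-U+259F): a full block for a dark module and a space for a light one,
laid out as many consecutive rows of near-equal width. Image scanners never see
such a code, so this detector looks for the text shape instead. The thresholds
and the sample message below are constructed assumptions, not vendor rules.
"""
from __future__ import annotations

BLOCK_CHARS = {chr(cp) for cp in range(0x2580, 0x25A0)}   # U+2580..U+259F
LIGHT_CHARS = {" ", "\u00a0", "\u3000"}                   # spaces used as light modules
MODULE_CHARS = BLOCK_CHARS | LIGHT_CHARS

MIN_WIDTH = 15        # a version-1 QR code is 21 modules wide; allow trimmed quiet zones
MIN_ROWS = 8          # half-block rendering packs two module rows per text row (21 -> 11)
MIN_DENSITY = 0.25    # share of dark characters per row; real codes sit near 0.5
MAX_WIDTH_SPREAD = 4  # rows of a square code have (almost) the same width


def is_module_row(line: str) -> bool:
    """True when a line is wide enough, contains only module characters and is
    dark enough to be one row of a text-rendered QR code."""
    body = line.rstrip("\r\n")
    if len(body) < MIN_WIDTH or any(ch not in MODULE_CHARS for ch in body):
        return False
    dark = sum(1 for ch in body if ch in BLOCK_CHARS)
    return dark / len(body) >= MIN_DENSITY


def find_unicode_qr_blocks(text: str) -> list[dict]:
    """Return one finding per run of consecutive QR-like rows in the message body."""
    findings: list[dict] = []
    run: list[tuple[int, str]] = []   # (line number, line) of the current run

    def close_run() -> None:
        if len(run) >= MIN_ROWS:
            widths = [len(line) for _, line in run]
            if max(widths) - min(widths) <= MAX_WIDTH_SPREAD:
                findings.append({"start_line": run[0][0], "end_line": run[-1][0],
                                 "rows": len(run), "width": max(widths)})
        run.clear()

    for lineno, line in enumerate(text.splitlines(), start=1):
        if is_module_row(line):
            run.append((lineno, line))
        else:
            close_run()
    close_run()
    return findings


def constructed_qr_like_text(size: int = 21) -> str:
    """Constructed 21x21 module grid: finder patterns in three corners and a fixed
    deterministic fill elsewhere, rendered one full block per dark module.
    It is a detector fixture, not an encoder, and carries no data."""
    grid = [[(7 * r + 3 * c) % 5 < 2 for c in range(size)] for r in range(size)]
    for r0, c0 in ((0, 0), (0, size - 7), (size - 7, 0)):
        for r in range(7):
            for c in range(7):
                ring = max(abs(r - 3), abs(c - 3))   # 0..3, centre outwards
                grid[r0 + r][c0 + c] = ring != 2     # dark ring, light ring, dark 3x3 core
    return "\n".join("".join("\u2588" if dark else " " for dark in row) for row in grid)


# Constructed sample message: four lines of text, the grid, then a footer.
SAMPLE_EMAIL = (
    "Subject: Action required: review the shared document\n"
    "\n"
    "Scan the code below with your phone to open the document.\n"
    "\n"
    + constructed_qr_like_text() +
    "\n"
    "\n"
    "This message was sent by the document sharing service.\n"
)

if __name__ == "__main__":
    for hit in find_unicode_qr_blocks(SAMPLE_EMAIL):
        print(f"possible text QR code: lines {hit['start_line']}-{hit['end_line']}, "
              f"{hit['rows']} rows x {hit['width']} columns")
```

The width and row thresholds are what keep a single line of block characters in a signature banner from firing; tune `MIN_ROWS` down if you expect codes rendered two module rows per text row, and extend `BLOCK_CHARS` if you see codes built from other glyphs.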

 

Sway is a free Microsoft 365 application that anyone with a Microsoft account can access. Attackers, however, take advantage of this open access, using the credibility of these legitimate cloud applications to deceive users. Not just this, but Sway is accessed once a victim is already logged into their Microsoft 365 account, adding an additional layer of legitimacy to persuade these users into opening malicious pages.


Relevance:


  • QR Code Phishing


Recommendations:

 

The phishing pages described in the post are easily recognizable by the domain pattern sway.cloud.microsoft. Users can avoid becoming victims of the attacks described in this post by checking the URL. Users should always access important pages, such as their banking portal or webmail, by typing the URL directly into the web browser instead of using search engines or clicking other links.
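Checking the URL is the recommendation above, and for an analyst triaging a reported message the same check is worth automating. The helper below is an added example, not code from the original post: it pulls links out of a message (plain text and iframe `src`, since the post notes Sway pages can be embedded that way), parses the hostname properly, and separates links really hosted on sway.cloud.microsoft from links that only contain that name. The regex, the `.invalid` domains and the placeholder Sway ID in the sample message are constructed for the demo.

```python
"""Triage helper: extract the links from a message and flag the ones that are
really hosted on Microsoft Sway, as opposed to links that only mention it.

Added example, not code from the original post. The only Sway host used is the
sway.cloud.microsoft pattern quoted in the post; everything else (the regex,
the sample message with its .invalid domains and placeholder Sway ID) is
constructed for the demo.
"""
from __future__ import annotations
import re
from urllib.parse import urlparse

SWAY_HOSTS = ("sway.cloud.microsoft",)   # domain pattern named in the post

# Plain-text links and iframe src attributes both end at whitespace or a quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_matches(hostname: str, allowed: tuple[str, ...]) -> bool:
    """Exact or dot-bounded subdomain match on the parsed hostname only, so that
    'sway.cloud.microsoft.lookalike.invalid' or a 'user@host' prefix do not qualify."""
    hostname = (hostname or "").lower().rstrip(".")
    return any(hostname == h or hostname.endswith("." + h) for h in allowed)


def classify_url(url: str) -> dict:
    """Classify one URL as sway-hosted, lookalike (the Sway name appears somewhere
    in the URL but the real host is something else) or other."""
    host = urlparse(url).hostname or ""
    if host_matches(host, SWAY_HOSTS):
        verdict = "sway-hosted"
    elif any(h in url.lower() for h in SWAY_HOSTS):
        verdict = "lookalike"
    else:
        verdict = "other"
    return {"url": url, "host": host.lower(), "verdict": verdict}


def triage_message(body: str) -> list[dict]:
    """Return a classification for every link in the message, in order of appearance."""
    return [classify_url(u) for u in URL_RE.findall(body)]


# Constructed sample message (placeholder Sway ID, reserved .invalid domains).
SAMPLE_MESSAGE = """\
Please review the shared document: https://sway.cloud.microsoft/s/PLACEHOLDER-SWAY-ID
Alternate copy: https://sway.cloud.microsoft.lookalike.invalid/s/PLACEHOLDER-SWAY-ID
Sign in here: https://sway.cloud.microsoft@login.invalid/auth
<iframe src="https://sway.cloud.microsoft/s/PLACEHOLDER-SWAY-ID?embed=1" width="760" height="500"></iframe>
Unsubscribe: https://newsletter.invalid/unsub
"""

if __name__ == "__main__":
    for row in triage_message(SAMPLE_MESSAGE):
        print(f"{row['verdict']:12} {row['host']:40} {row['url']}")
```

Both verdicts deserve attention: a genuine sway.cloud.microsoft link in an unexpected message is exactly what the campaign relies on, while a "lookalike" shows the Sway name being used as bait in front of an unrelated host (the `user@host` form on the third line is why the match is made on the parsed hostname rather than on the URL string).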

 

Within your security operations monitoring, Microsoft Defender provides hunting queries you can ingest to generate authentication alerts for internal or known IP addresses.
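The adversary-in-the-middle tactic described earlier completes the sign-in from the attacker's relay, so the successful, MFA-satisfied authentication lands in the sign-in log with a source address the organisation does not recognise, often minutes after the victim's normal activity. The hunting heuristic below is an added example that runs over constructed sign-in records; it is not a Microsoft Defender query or any vendor's rule, and the known networks (an RFC 1918 block and a documentation prefix), the event schema and the `.invalid` user names are all constructed assumptions.

```python
"""Hunting heuristic over sign-in events: successful sign-ins from IP addresses the
organisation does not recognise, escalated when MFA was satisfied and the same
user had just authenticated from a known network.

Added example, not a Microsoft Defender query or any vendor's rule. The known
networks, the event schema and the sample events are constructed (documentation
address space and .invalid domains). An adversary-in-the-middle relay completes
the sign-in from its own infrastructure, so an MFA-satisfied success from an
unrecognised address shortly after the victim's normal activity is the signal
this example surfaces.
"""
from __future__ import annotations
import ipaddress
from datetime import datetime, timedelta

# Constructed corporate ranges: an RFC 1918 block and a documentation prefix.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]


def is_known_ip(ip: str, networks=KNOWN_NETWORKS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def hunt_sign_ins(events: list[dict], networks=KNOWN_NETWORKS,
                  window_minutes: int = 30) -> list[dict]:
    """Return alerts for successful sign-ins from outside the known networks.

    Severity is 'high' when MFA was satisfied and the user had a success from a
    known network within `window_minutes`; otherwise 'medium'."""
    last_known_success: dict[str, datetime] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["result"] != "success":
            continue                      # failures are noise for this heuristic
        if is_known_ip(ev["ip"], networks):
            last_known_success[ev["user"]] = ev["time"]
            continue
        reasons = ["success from unrecognised IP"]
        if ev["mfa"]:
            reasons.append("MFA satisfied from unrecognised IP")
        prev = last_known_success.get(ev["user"])
        recent = prev is not None and ev["time"] - prev <= timedelta(minutes=window_minutes)
        if recent:
            minutes = int((ev["time"] - prev).total_seconds() // 60)
            reasons.append(f"known-network success {minutes} min earlier")
        severity = "high" if (ev["mfa"] and recent) else "medium"
        alerts.append({"time": ev["time"], "user": ev["user"], "ip": ev["ip"],
                       "severity": severity, "reasons": reasons})
    return alerts


def _t(hhmm: str) -> datetime:
    """Constructed timestamp on a fixed day."""
    return datetime(2024, 8, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample sign-in records (198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges standing in for addresses the organisation does not own).
SAMPLE_SIGN_INS = [
    {"time": _t("08:55"), "user": "alice@example.invalid", "ip": "10.20.30.40",   "result": "success", "mfa": True},
    {"time": _t("09:02"), "user": "alice@example.invalid", "ip": "198.51.100.77", "result": "success", "mfa": True},
    {"time": _t("09:10"), "user": "bob@example.invalid",   "ip": "198.51.100.78", "result": "failure", "mfa": False},
    {"time": _t("11:30"), "user": "carol@example.invalid", "ip": "192.0.2.9",     "result": "success", "mfa": False},
    {"time": _t("12:00"), "user": "dave@example.invalid",  "ip": "203.0.113.5",   "result": "success", "mfa": True},
]

if __name__ == "__main__":
    for alert in hunt_sign_ins(SAMPLE_SIGN_INS):
        print(f"{alert['time']:%H:%M} {alert['severity']:6} {alert['user']:24} "
              f"{alert['ip']:15} {'; '.join(alert['reasons'])}")
```

In production the known-network list would come from your IP inventory and the events from the sign-in log, but the shape of the signal is the same: the high-severity alert for the first user is a success with MFA satisfied from an address outside the organisation, seven minutes after that user's legitimate sign-in from the corporate network.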

 

Elastic has a suite of detection rules you can ingest into your security monitoring to assist with defending against these phishing campaigns.

 

References:


Lakshmanan, R. (2024 Aug 28). New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials. HackerNews.com. https://thehackernews.com/2024/08/new-qr-code-phishing-campaign-exploits.html

 

How can CyberForce|Q services help you address this risk?


Our team can assist your organization in reviewing the devices in your environment and determining the level of prioritization they need. We can also conduct a penetration test to give your organization a thorough understanding of the gaps within its environment. Reach out to solutions@cyberforceq.com.


Learn more about CyberForce|Q.

