A new report has revealed that attackers are exploiting Microsoft Sway to send phishing emails to unsuspecting users. Microsoft Sway is an app that is available on the Web and Windows 10. The app lets the user create presentations, newsletters, and documents complete with photos, videos, and other media.
What is the matter?
According to Avanan, the phishing attack also affects those organizations that do not use the software.
By creating and posting a Sway page on sway[.]office[.]com, criminals can devise landing pages that look legitimate but actually carry malicious content. Since the pages are hosted on Microsoft’s own Sway domain, the phishing pages and their links are easily trusted automatically by URL filters. In this way, users are fooled into thinking that the phishing pages and URLs are valid.
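The filtering gap described above, as an added example that is not part of the original report: a reputation-only check allows any link under a trusted parent domain, while a stricter policy treats hosts where outsiders can publish pages, such as sway.office.com, as untrusted content. The domain sets, verdict names and sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy data for this example, not taken from any real product.
TRUSTED_PARENT_DOMAINS = {"office.com", "microsoft.com"}
# Hosts where any outside party can publish pages under a trusted parent domain.
USER_CONTENT_HOSTS = {"sway.office.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def refang(text):
    """Undo common defanging such as sway[.]office[.]com and hxxps://."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def host_of(url):
    """Lower-cased hostname without port, userinfo or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")

def under(host, domain):
    """Exact label-boundary match, so office.com.login.example does not count."""
    return host == domain or host.endswith("." + domain)

def naive_verdict(url):
    """Reputation-only filter: a trusted parent domain means 'allow'."""
    host = host_of(url)
    trusted = any(under(host, d) for d in TRUSTED_PARENT_DOMAINS)
    return "allow" if trusted else "scan"

def hardened_verdict(url, org_uses_sway=False):
    """Treat user-content hosts as untrusted despite the parent domain."""
    host = host_of(url)
    if any(under(host, h) for h in USER_CONTENT_HOSTS):
        # An organization that does not use Sway has no business reason
        # to receive these links, so hold the message for review.
        return "scan" if org_uses_sway else "quarantine"
    return naive_verdict(url)

def triage(body, org_uses_sway=False):
    """Return (url, naive, hardened) for every link in an email body."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(refang(body))]
    return [(u, naive_verdict(u), hardened_verdict(u, org_uses_sway))
            for u in urls]

# Constructed sample message; the paths are placeholders, not real pages.
SAMPLE = ("New fax: https://sway[.]office[.]com/EXAMPLE-ID?ref=Link "
          "or https://sway.office.com.login.example/doc "
          "and https://www.microsoft.com/security")

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The first link is the case the report describes: the reputation-only check allows it, while the stricter policy holds it.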
How does the attack start?
Bottom line
This is not the first time Sway has been identified as a tool for conducting phishing attacks. In 2018, Forcepoint Security Labs reported a similar phishing attack leveraging Microsoft Sway. The attackers used the novel method to distribute malicious links hosted through the legitimate ‘sway.office.com’.