New QR code phishing campaign uses Microsoft Sway to steal credentials

28 August 2024 | Ravie Lakshmanan | Phishing attack / data leak


Cybersecurity researchers are drawing attention to a new QR code phishing campaign (also called quishing) that uses Microsoft Sway infrastructure to host fake pages, another example of legitimate cloud services being abused for malicious purposes.

“By using legitimate cloud applications, attackers lend credibility to their victims and help them trust the content provided,” said Jan Michael Alcantara, researcher at Netskope Threat Labs.

“In addition, a victim uses their Microsoft 365 account, which they are already logged into, when they open a Sway page. This can also convince them of the legitimacy of the page. Sway can also be shared via a link (URL link or visual link) or embedded into a website using an iframe.”

The attacks primarily targeted users in Asia and North America, with the technology, manufacturing and financial sectors particularly affected.


Microsoft Sway is a cloud-based tool for creating newsletters, presentations and documentation. It has been part of the Microsoft 365 product family since 2015.

The cybersecurity company said it observed a 2,000x increase in traffic to unique Microsoft Sway phishing pages starting in July 2024, with the ultimate goal of stealing users’ Microsoft 365 credentials. This is achieved by delivering fake QR codes hosted on Sway that redirect users to phishing websites when scanned.

In a further attempt to evade static analysis efforts, some of these quishing campaigns have been observed using Cloudflare Turnstile to hide the domains from static URL scanners.

Also notable in this activity is the use of Adversary-in-the-Middle (AitM) phishing tactics, or transparent phishing, to capture login credentials and two-factor authentication (2FA) codes using deceptively real-looking login pages while attempting to log the victim into the service.

“Using QR codes to redirect victims to phishing websites presents some challenges for defenders,” said Michael Alcantara. “Because the URL is embedded in an image, it can bypass email scanners that can only scan text-based content.”

“In addition, when a user receives a QR code, they can use another device, such as their mobile phone, to scan the code. Since security measures on mobile devices, especially personal mobile phones, are usually not as strict as on laptops and desktops, victims are often more vulnerable to abuse.”

This is not the first time phishing attacks have abused Microsoft Sway. In April 2020, Group-IB described a campaign called PerSwaysion that successfully compromised the corporate email accounts of at least 156 high-ranking executives from various companies based in Germany, the UK, the Netherlands, Hong Kong, and Singapore, using Sway as a springboard to redirect victims to credential-harvesting websites.


This development comes against a backdrop of increasingly sophisticated quishing campaigns as security vendors develop countermeasures to detect and block such image-based threats.

“In a clever twist, attackers have now started creating QR codes using Unicode text characters instead of images,” said J. Stephen Kowski, CTO of SlashNext. “This new technique, which we call ‘Unicode QR Code Phishing,’ poses a significant challenge to traditional security measures.”

What makes the attack particularly dangerous is that it completely bypasses detection features aimed at suspicious images, because the codes consist solely of text characters. In addition, Unicode QR codes render cleanly on screen yet look nothing like a QR code when inspected as plain text, further complicating detection efforts.
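As an added example (not code from the article, Netskope or SlashNext), a defender-side heuristic that flags a block of message text shaped like a QR code drawn in Unicode block characters: a run of consecutive, similarly wide lines dominated by block elements. The thresholds and both sample messages are constructed assumptions.

```python
# Added example: heuristic to flag a QR code rendered as Unicode block characters
# in a plain-text message body. Thresholds and sample messages are constructed.

# Block-element characters commonly used to draw a QR grid as text:
# full block, upper half, lower half, and the three shade blocks.
BLOCK_CHARS = frozenset("\u2588\u2580\u2584\u2591\u2592\u2593")


def block_density(line: str) -> float:
    """Fraction of the non-whitespace characters on a line that are block elements."""
    chars = [c for c in line if not c.isspace()]
    if not chars:
        return 0.0
    return sum(1 for c in chars if c in BLOCK_CHARS) / len(chars)


def find_unicode_qr(text: str, min_rows: int = 10, min_width: int = 15,
                    min_density: float = 0.6) -> dict:
    """Look for a run of consecutive lines that are wide and dominated by block
    characters, the shape a text-rendered QR code takes in an email body.
    Returns the longest such run and whether it clears the row threshold."""
    best_rows, best_start = 0, -1
    run_rows, run_start = 0, -1
    for i, raw in enumerate(text.splitlines() + [""]):  # sentinel flushes the last run
        line = raw.strip()
        if len(line) >= min_width and block_density(line) >= min_density:
            if run_rows == 0:
                run_start = i
            run_rows += 1
        else:
            if run_rows > best_rows:
                best_rows, best_start = run_rows, run_start
            run_rows = 0
    return {"found": best_rows >= min_rows, "rows": best_rows, "start_line": best_start}


# Constructed samples (not real messages): a benign newsletter with a text progress
# bar, and a lure containing an 11x21 grid of half-block characters standing in for
# a QR code (a fixed pattern, not a decodable code).
BENIGN = "Quarterly update\nProgress: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2591\u2591 80%\nThanks for reading."
QR_ROWS = ["".join("\u2588\u2580\u2584 "[(r * 3 + c * 5 + r * c + 1) % 4] for c in range(1, 22))
           for r in range(11)]
SUSPICIOUS = ("Your mailbox password expires today.\nScan to keep access:\n\n"
              + "\n".join(QR_ROWS) + "\n\nIT Service Desk")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, find_unicode_qr(body))
```

The progress bar in the benign sample stays below the density threshold because most of its non-space characters are ordinary text, while the grid in the lure is flagged as an 11-row run starting at line 3.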
