A massive QR code phishing campaign abused Microsoft Sway, a cloud-based tool for creating online presentations, to host landing pages to trick Microsoft 365 users into handing over their credentials. 

The attacks were spotted by Netskope Threat Labs in July 2024 after detecting a dramatic 2,000-fold increase in attacks exploiting Microsoft Sway to host phishing pages that steal Microsoft 365 credentials. This surge sharply contrasts the minimal activity reported during the year's first half, showing the large scale of this campaign.

They primarily targeted users in Asia and North America, with the technology, manufacturing, and finance sectors being the most sought-after targets. 

The emails redirected potential victims to phishing landing pages hosted on the sway.cloud.microsoft domain, pages that encouraged the targets to scan QR codes that would send them to other malicious websites.

Attackers often encourage victims to scan QR codes using their mobile devices, which typically come with weaker security measures, thus increasing the chances of bypassing security controls and allowing them to access phishing sites without restrictions.

"Since the URL is embedded inside an image, email scanners that can only scan text-based content can get bypassed. Additionally, when a user gets sent a QR code, they may use another device, such as their mobile phone, to scan the code," the security researchers explained.

"Since the security measures implemented on mobile devices, particularly personal cell phones, are typically not as stringent as laptops and desktops, victims are then often more vulnerable to abuse."

The attackers employed several tactics to further boost their campaign's effectiveness, like transparent phishing, where they stole the credentials and multi-factor authentication codes and used them to sign the victims into their Microsoft accounts while showing them the legitimate login page.

They also used Cloudflare Turnstile, a tool intended to protect websites from bots, to hide their landing pages' phishing content from static scanners, helping to maintain the phishing domain's good reputation and avoid getting blocked by web filtering services like Google Safe Browsing.

Microsoft Sway was also abused in the PerSwaysion phishing campaign, which targeted Office 365 login credentials five years ago using a phishing kit offered in a malware-as-a-service (MaaS) operation.

As Group-IB security researchers revealed at the time, those attacks tricked at least 156 high-ranking individuals at small and medium financial services companies, law firms, and real estate groups.

Group-IB said that over 20 of all harvested Office 365 accounts belong to executives, presidents, and managing directors at organizations in the U.S., Canada, Germany, the U.K., the Netherlands, Hong Kong, and Singapore.