Hackers can use Microsoft Sway to carry out phishing attacks 'without fear of detection'

News by Jay Jay

Forcepoint Security Labs has found that Microsoft Sway, a member of the Office 365 group of apps, has been used by malicious actors to send phishing links to targeted users.

Researchers at Forcepoint Security Labs recently observed how hackers can easily send malicious web links to employees at targeted organisations and avoid a majority of common malicious web link scanners and filters at the same time.

Considering that phishing attacks have been acknowledged as among the most serious cyber threats faced by organisations globally, a large number of organisations have employed automated detection tools that can detect and quarantine phishing emails, typosquatted domains and malicious links from reaching employees' workstations.

Such being the case, hackers are now coming up with new techniques and are exploiting often-overlooked loopholes in legitimate software to make employees click on malicious links and install spyware or ransomware tools into targeted systems.

Recently, Forcepoint Security Labs observed that Microsoft Sway, a member of the Office 365 group of apps and similar to PowerPoint, was being used by malicious actors to send phishing links to targeted users.

An important feature of Microsoft Sway is that it allows users to exchange multimedia newsletters as web links. Such links are treated as images by browsers and are not part of a page's source code. Because of this, many scanners and domain reputation classifiers are not able to identify them or extract them for analysis, thereby rendering users vulnerable to phishing attacks.

Even though Forcepoint observed hundreds of phishing attacks that exploited Microsoft Sway, such attempts were not representative of a large campaign and were simply "spray-and-pray" attempts. Even so, the firm noted that the platform could be used in future as part of a large phishing campaign and therefore, the novel approach of using Sway merits some discussion.

"Consider a more advanced approach: Sway is used to carefully craft a target specific newsletter with embedded links to a newly created typosquatted domain containing the landing page for an exploit kit. This would be a particularly effective vector for a targeted compromise somewhat akin to a strategic web compromise and, as mentioned previously, has a high probability of circumventing many security controls," the firm warned.

"The use of an office domain to allow malicious links to be spread is a challenge to defenders due to the trust relationship many companies have with O365. Organisations need to focus not only on static monitoring of activity, but on risk-adaptive technologies which can detect, disrupt and deny this type of behaviour on trusted platforms as early as possible," it added.

Commenting on the discovery of a feature in Microsoft Sway that could be used by hackers to carry out phishing attacks, Naaman Hart, managed services security engineer at Digital Guardian, told SC Magazine UK that Steganography – the process of embedding malicious messages inside other seemingly innocuous messages – is very hard to detect and requires advanced image analytics and processing capabilities.

"With security budgets stretched thin and a perception that steganography is used only rarely, very few organisations have invested in these detection tools.

"Therefore, organisations need to implement detection and response measures to counter the use of the tools associated with steganography. For example, steganography used by external malicious parties will usually be attached to some other attack tool or integrated into an exploit and exfiltration workflow. Common delivery methods such as email with any clickable item must be treated with the same suspicion as traditional clickable links.

"These techniques are growing in popularity and being applied to other methodologies. Steganographic techniques can be used to hide data as low as into the network packet header, making it more and more difficult for organisations to detect. Malicious parties are drawn to these methods as it provides a means to conveniently deliver attack code for ongoing data breaches," he added.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews