PerSwaysion spear-phishing campaign tricks users to get 365 log-in credentials

News by Rene Millman

Microsoft Sway used to trick victims into giving up 365 log-in credentials in spear-phishing campaign.

Cyber-criminals have been observed using Microsoft Sway to dupe users into revealing Office 365 login credentials, according to security researchers.

In a blog post, Feixiang He, senior threat intelligence analyst at Group-IB, explains that the phishing attack, dubbed PerSwaysion, is a three-phase operation which takes a victim from an email with a PDF attachment, through Microsoft file sharing services, and finally to the phishing site.

He said that the cyber-criminals have displayed an adequate level of phishing capability since August 2019, the earliest point at which the campaign left traces on the internet. PerSwaysion layers multiple stages of traffic whitewashing to evade as much corporate network defence as possible.

“In the current wave of attacks, scammers primarily abuse Microsoft Sway file sharing service as the jumping board to redirect victims to actual phishing sites,” he said.

Group-IB also saw other variants using Microsoft SharePoint and OneNote.

“The scammers pick legit file sharing services which have the ability of rendering seamless preview of uploaded files with phishing links. This key feature helps scammers construct web pages that strongly resemble authentic Microsoft experience,” said Feixiang.

In addition, the criminals separate the phishing application from the backend servers that harvest victim data, providing an extra layer of identity masquerade.

“Such application architecture also improves flexibility and operational continuity when phishing sites are taken down or blocked. Scammers simply deploy new instances under new domain names without disrupting overall data collection operations,” he said.

Feixiang said that the PerSwaysion campaign is yet another living example of highly specialised phishing threat actors working together to conduct effective attacks on a large scale.

At present around 156 high-ranking officers at the affected organisations are compromised. The researchers said that high-profile victims tend to be located in the US and Canada, while the rest are in global and regional financial hubs such as Germany, the UK, the Netherlands, Hong Kong and Singapore, among other countries.

Group-IB has set up a website where anyone can check if their email address was compromised by PerSwaysion. The firm said it would work with the relevant parties in local countries to inform the affected companies of the breach.

“The campaign phishing kit is primarily developed by a group of Vietnamese speaking malware developers while campaign proliferation and hacking activities are operated by other independent groups of scammers,” he said.

Adam Palmer, chief cyber-security strategist at Tenable, told SC Media UK that the best way for an organisation to defend against this type of attack, in addition to user awareness, is to practice good cyber-hygiene — such as by identifying critical risks and patching systems with common vulnerabilities favoured by criminals, blocking malicious sites and IP addresses, enforcing multi-factor authentication, and using encryption for sensitive data.

“These recommendations make it far harder for criminals to be successful,” he said.

Ciaran Byrne, head of platform operations at edgescan, told SC Media UK that the PerSwaysion attack, as it's been dubbed, appears to just utilise reputable applications to initiate their phishing platform.

“There are countless avenues a nefarious actor can take to trick a user into carrying out actions they have no intention of doing, and this seems no different. Vigilance is important, and people should always be wary when submitting any details or clicking on links in any domain. Double check the URL before entering sensitive information and hover over a link to view what the link actually is (not just what the text says),” he said.
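The "hover over the link and compare it with the text" check can be automated for a whole message. The following Python snippet is an added example, not code from the article, from Group-IB or from edgescan: it parses an HTML email body, pairs every anchor's visible text with its real `href`, and flags links whose displayed URL names a different host than the one the browser would actually open. The sample email body is constructed for the example; the hostnames in it are placeholders, not indicators from the campaign.

```python
"""Audit the links in an HTML email body: report each link's real destination and
flag anchors whose visible text shows a URL on a different host than the href.
Added example; SAMPLE_EMAIL_HTML is constructed, not taken from any real campaign."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. The second anchor displays a Microsoft login URL as its
# text while the href points to a placeholder domain (.invalid is reserved).
SAMPLE_EMAIL_HTML = """
<p>A document has been shared with you.</p>
<a href="https://sway.office.com/example-doc">https://sway.office.com/example-doc</a>
<a href="https://login-example.invalid/o365">https://login.microsoftonline.com</a>
<a href="https://docs.example/viewer">Open the document</a>
"""

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def audit_links(html):
    """Return one record per link: the real destination host, the host the
    visible text claims (if the text is itself a URL), and a mismatch flag."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    records = []
    for href, text in parser.links:
        real_host = host_of(href)
        shown = URL_IN_TEXT.search(text)
        shown_host = host_of(shown.group(0)) if shown else ""
        records.append({
            "text": text,
            "href": href,
            "real_host": real_host,
            "shown_host": shown_host,
            # Only a text that looks like a URL can lie about its host.
            "mismatch": bool(shown_host) and shown_host != real_host,
        })
    return records


def suspicious_links(html):
    """Just the hrefs whose displayed URL disagrees with the real destination."""
    return [r["href"] for r in audit_links(html) if r["mismatch"]]


if __name__ == "__main__":
    for r in audit_links(SAMPLE_EMAIL_HTML):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{flag:8} text={r['text']!r} -> {r['real_host']}")
```

Anchors whose text is a plain phrase ("Open the document") cannot be judged by this rule alone, so the audit still lists their real host for a human to read; that is the equivalent of hovering, and it is the piece of information a file-sharing preview page or a lookalike login form is designed to make the user skip.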
