Cybersecurity experts have raised alarms over a recent uptick in QR code phishing attacks, often termed “quishing.” These attacks cleverly exploit Microsoft Sway, a legitimate cloud-based service, to host malicious pages. The misuse of Sway for phishing underscores a growing trend in which attackers leverage trusted and widely used platforms to carry out their malicious activities. By doing so, they can bypass traditional security measures that rely on blacklisting known malicious sites. The attackers generate QR codes that, when scanned by unsuspecting users, lead to fraudulent Sway pages designed to steal sensitive information, such as login credentials or financial details. This strategy takes advantage of the inherent trust users place in well-known cloud services, as well as the rising popularity of QR codes in daily life—from restaurant menus to contactless payments. The surge in quishing attacks exploiting Microsoft Sway is a stark reminder of the ever-evolving tactics employed by cybercriminals and the importance of continuous vigilance and education for users. These malicious campaigns highlight a significant security challenge: the ability of attackers to quickly adapt and utilize legitimate platforms to obscure their activities and deceive even the most cautious of users. As more businesses and individuals rely on cloud-based solutions for convenience and collaboration, the risk of such exploitation increases, necessitating advanced security measures and a heightened awareness of emerging threats. This development also points to the need for cloud service providers like Microsoft to enhance their security protocols and monitoring systems to detect and prevent the misuse of their platforms for fraudulent purposes. In response, cybersecurity professionals are urging organizations and users alike to adopt stronger authentication measures, educate themselves on the latest phishing tactics, and remain cautious when interacting with any QR code, regardless of its perceived legitimacy. The growing sophistication of these phishing attacks serves as a potent reminder of the ongoing battle between cybercriminals and the defenders of digital security.

The Strategy Behind Using Legitimate Cloud Applications

According to a security researcher from Netskope Threat Labs, attackers are utilizing trusted cloud applications to lend credibility to their malicious activities. “By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves,” the researcher noted.

Because victims often use their Microsoft 365 accounts to access these services, it adds an extra layer of perceived legitimacy. Sway content can be distributed through direct URL links, visual links, or embedded in websites via iframes, making the attack methods highly adaptable.

Targeted Sectors and Regions

The ongoing campaign predominantly targets users in Asia and North America, with a focus on the technology, manufacturing, and finance sectors. These industries are particularly vulnerable due to their heavy reliance on Microsoft 365 and cloud-based collaboration tools, making them prime targets for phishing attacks.

Microsoft Sway: A Convenient Platform for Phishing

Microsoft Sway, a component of the Microsoft 365 suite since 2015, is a cloud-based tool designed for creating newsletters, presentations, and documents. Its legitimate use within organizations makes it an appealing platform for attackers to host phishing content without drawing immediate suspicion.

Starting in July 2024, there was a significant 2,000-fold increase in traffic to unique Microsoft Sway phishing pages. The main goal of these phishing campaigns is to steal Microsoft 365 credentials by presenting fake QR codes. When scanned, these QR codes redirect users to phishing websites designed to capture their login credentials.

Techniques to Evade Detection

To circumvent static analysis and detection tools, attackers are employing several advanced tactics:

• Cloudflare Turnstile: Certain campaigns utilize Cloudflare Turnstile to conceal their true domains from static URL scanners, complicating detection efforts by automated tools.
• Adversary-in-the-Middle (AitM) Phishing: These attacks use AitM techniques, also known as transparent phishing, which involve lookalike login pages to capture both user credentials and two-factor authentication (2FA) codes in real time, while simultaneously attempting to log the victim into the legitimate service.

A security researcher further elaborates on the challenges defenders face with QR code phishing: “Since the URL is embedded inside an image, email scanners that only scan text-based content can be bypassed. Additionally, when a user receives a QR code, they may use another device, such as a mobile phone, to scan it. The security measures on mobile devices, particularly personal phones, are generally less stringent than those on laptops and desktops, making users more susceptible to exploitation.”

Historical Abuse of Microsoft Sway

The misuse of Microsoft Sway for phishing attacks is not a new phenomenon. A notable example occurred in April 2020 with a campaign dubbed “PerSwaysion,” as documented by cybersecurity firm Group-IB. This campaign specifically targeted high-ranking executives, successfully compromising the corporate email accounts of at least 156 senior officials across several countries, including Germany, the United Kingdom, the Netherlands, Hong Kong, and Singapore. The attackers cleverly utilized Microsoft Sway, a legitimate cloud-based service, as a platform to initiate their attacks. By creating seemingly authentic pages on Sway, the attackers were able to lure victims into clicking on links that redirected them to credential-harvesting sites designed to steal their sensitive information, such as usernames and passwords. This tactic highlights the dangers of trusted platforms being exploited for malicious purposes, as attackers continue to find ways to manipulate legitimate services to bypass security measures and deceive unsuspecting victims. The success of the “PerSwaysion” campaign underscores the need for organizations to remain vigilant and to implement robust security practices to protect against such sophisticated phishing attacks.

The Evolving Nature of Quishing Campaigns

As security vendors continuously innovate to detect and block image-based threats, phishing campaigns are becoming increasingly sophisticated. A striking development in this ongoing battle is the emergence of “Unicode QR Code Phishing,” a novel technique highlighted by a SlashNext security researcher. According to the researcher, attackers are now employing a clever tactic: instead of generating QR codes as traditional images, they are crafting these codes using Unicode text characters. This approach represents a significant advancement in phishing tactics, presenting a formidable challenge to conventional security measures. Unlike image-based QR codes, which can be analyzed and flagged by security systems scanning for suspicious visual patterns, these Unicode-based codes evade detection. They are composed entirely of text characters, which can be manipulated to look like QR codes on the screen. When rendered in digital format, these text-based codes appear identical to standard QR codes, but their plain-text representation is starkly different, making it incredibly difficult for standard security protocols to identify them as malicious. This technique not only bypasses image recognition technologies but also exploits the limitations of current detection methods that focus primarily on image analysis. As a result, these Unicode QR codes can seamlessly slip through the cracks of most security frameworks, enabling attackers to launch successful phishing campaigns without raising immediate suspicion. This evolution in phishing tactics illustrates the ongoing arms race between cybercriminals and security professionals, where each new defense is met with a corresponding offensive innovation. It underscores the need for a more comprehensive approach to cybersecurity—one that considers the multifaceted ways in which malicious actors can exploit seemingly benign technologies for harmful purposes. As this Unicode QR code phishing technique gains traction, security experts are calling for enhanced detection capabilities that can analyze not just images, but also text-based codes and other unconventional formats used to deceive users and infiltrate systems. The sophistication of this new phishing method is a stark reminder of the constant vigilance required to protect digital environments from increasingly cunning cyber threats.

Remediation Steps:

1. Educate Users on QR Code Phishing Risks: Conduct regular training sessions to make users aware of the dangers of scanning unsolicited QR codes, especially from unknown sources.
2. Implement Multi-Factor Authentication (MFA): Enforce MFA across all accounts to add an additional layer of security against credential theft.
3. Use Advanced Threat Protection Tools: Deploy email and web security solutions that can detect and block both image-based and text-based QR code phishing attempts.
4. Monitor Cloud Application Usage: Regularly review access logs and monitor the usage of cloud applications like Microsoft Sway for unusual activity.
5. Restrict Access to Cloud Services: Limit access to cloud services and ensure that only authorized users can create and share content.
6. Enhance Mobile Device Security: Implement mobile device management (MDM) solutions to enforce security policies on personal devices accessing corporate resources.
7. Stay Updated on Threat Intelligence: Keep informed about the latest phishing tactics and update security measures accordingly to respond to emerging threats.