Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that uses Microsoft’s Sway infrastructure to host fake pages, once again highlighting the misuse of legitimate cloud offerings for malicious purposes.
“By using legitimate cloud applications, attackers build trust with victims, helping them trust the content they serve,” Netskope Threat Labs researcher Ian Michael Alcantara said.
“Also, the victim is using their Microsoft 365 account that they are already signed in to when they open the Sway page, which can also help convince them of its legitimacy. Sway can also be shared by link (URL link or visual link) or embedded on a website using an iframe.”
The attacks primarily targeted users in Asia and North America, with the technology, manufacturing and finance sectors being the most targeted.
Microsoft Sway is it cloud tool for creating newsletters, presentations and documentation. It has been part of the Microsoft 365 family of products since 2015.
The cybersecurity firm said that since July 2024, it has seen a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages with the ultimate goal of stealing Microsoft 365 user credentials. This is achieved by serving fake QR codes placed on Sway that, when scanned, redirect users to phishing websites.
In a further attempt to evade static analysis attempts, it has been observed that some of these redemption campaigns are being used Cloudflare turnstile as a way to hide domains from static URL crawlers.
The activity is also notable for using the adversary-in-the-middle (AitM) phishing tactic, ie. transparent phishing – to obtain credentials and two-factor authentication (2FA) codes using similar login pages while attempting to log the victim into the service.
“Using QR codes to redirect victims to phishing websites presents some challenges for defenders,” said Michael Alcantara. “Because the URL is embedded in the image, email scanners that can only scan text content can be bypassed.”
“Additionally, when the user receives the QR code sent, they can use another device, such as a mobile phone, to scan the code. Because the security measures applied on mobile devices, particularly personal cell phones, are usually not as strict as on laptops. and desktop computers, victims often become more vulnerable to abuse.”
This isn’t the first time phishing attacks have abused Microsoft Sway. In April 2020, Group-IB detailed the company’s dubbing PerSwaysion which successfully hacked the corporate email accounts of at least 156 senior executives at various firms based in Germany, the UK, the Netherlands, Hong Kong and Singapore, using Sway as a springboard to redirect victims to credential harvesting sites.
The development comes as remediation campaigns become more sophisticated as security vendors develop countermeasures to detect and block such image-based threats.
“Attackers have now started creating QR codes using Unicode text characters instead of images,” said SlashNext CTO J. Stephen Kowsky. said. “This new technique, which we call ‘Unicode QR code phishing’, presents a significant challenge to conventional security measures.”
What makes the attack particularly dangerous is that it completely bypasses detections designed to look for suspicious images, given that they consist entirely of text characters. Also, Unicode QR codes can be displayed perfectly on screens without any problems and look noticeably different when viewed as plain text, making detection even more difficult.
