Cybersecurity analysts have raised concerns about a new phishing campaign that uses QR codes, a technique known as quishing, and relies on Microsoft’s Sway infrastructure to host fraudulent pages. This highlights, once again, how legitimate cloud services are being abused for malicious activities.
“Moreover, if a victim is already logged into their Microsoft 365 account when accessing a Sway page, it can further enhance the perception of legitimacy. Sway content can be shared via direct links, visual links, or embedded on websites through iframes.”
These attacks have mainly targeted users in Asia and North America, focusing on industries such as technology, manufacturing, and finance.
This activity is particularly prominent for employing adversary-in-the-middle (AitM) phishing tactics, also known as transparent phishing, to steal credentials and two-factor authentication (2FA) codes through lookalike login pages, while also attempting to log the victim into the service simultaneously.
“QR codes redirecting victims to phishing websites create challenges for defenders,” said Michael Alcantara. “Since the URL is embedded within an image, email scanners that only analyze text-based content can be bypassed.”
“Furthermore, when users receive a QR code, they may scan it with another device, like a mobile phone. Mobile devices, especially personal phones, often have less stringent security measures compared to laptops and desktops, making victims more susceptible to exploitation.”
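The scanner blind spot described above, shown as an added Python example that is not part of the original article: it lists the URLs a text-only scanner would see in a message and flags messages whose only possible link carrier is an image part. The sample messages, function names and routing flag are constructed for illustration; decoding the QR code itself is assumed to happen in a separate image-analysis stage.

```python
import re
from email.message import EmailMessage

# URLs as a text-only scanner would find them in text/plain and text/html parts.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def triage(msg):
    """Report what a text-only URL scanner sees and which image parts it skips."""
    text_urls, image_parts = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            text_urls.extend(URL_RE.findall(part.get_content()))
        elif ctype.startswith("image/"):
            image_parts.append(part.get_filename() or ctype)
    return {
        "text_urls": text_urls,
        "image_parts": image_parts,
        # Images but no URL in any text part: a link, if present, exists only
        # as pixels, so the message should go to image analysis (QR decoding).
        "route_to_image_analysis": bool(image_parts) and not text_urls,
    }


def build_sample(body, image_name=None):
    """Build a constructed sample message (hypothetical content, not real mail)."""
    msg = EmailMessage()
    msg["Subject"] = "Document shared with you"
    msg.set_content(body)
    if image_name:
        # Placeholder bytes standing in for a QR code image.
        msg.add_attachment(b"\x89PNG constructed placeholder",
                           maintype="image", subtype="png", filename=image_name)
    return msg


# Constructed samples: one carries its link only in an image, one in plain text.
QR_ONLY = build_sample("Scan the attached code with your phone to view the file.",
                       "code.png")
LINKED = build_sample("View the file at https://example.com/doc")

if __name__ == "__main__":
    for name, sample in (("qr_only", QR_ONLY), ("linked", LINKED)):
        print(name, triage(sample))
```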