Light Dark
January 14, 2020 By Shane Schick 2 min read

A phishing technique that makes use of Microsoft Sway could attack organizations even if they don’t use the tool, security researchers warn.

Cybercriminals are able to create landing pages that look like legitimate online content and dupe victims into clicking on a malicious URL by hosting them on sway.office.com, according to a post from Avanan.

Given that URL filters tend to trust this domain, the bogus landing pages may go undetected, and they can use Office 365 styling and menus to appear more genuine. Best known as a tool for creating a variety of digital content with a shareable link, Microsoft Sway is available on the Windows 10 app as well as online.

Beware of Urgent Fax and Voicemail Notifications

Researchers said some of the phishing pages include well-known Microsoft product logos, including SharePoint, as well as those from real fax service providers. The latter is important because some of the common tactics to create a sense of urgency around clicking the link for these phishing campaigns include sending messages that a fax or voicemail has been received.

The report showed one instance, for example, where attackers added a timestamp next to a “Fax Received” email message that came from an email address that ended with onmicrosoft.com. The bogus fax, meanwhile, was offered via a link using the sway.office.com domain.

While best practices to combat phishing attacks often include blacklisting worrisome domains, researchers said this probably wouldn’t work in this case since attackers may use several different domains and senders. It may also be unfeasible for those organizations that regularly use Microsoft Sway to block content that use its domain.

This isn’t the first time Sway has been identified as a tool for conducting phishing attacks; Forcepoint researchers published similar findings as far back as October 2018.

Reduce the Risks of Microsoft Sway Phishing Attacks

Microsoft provides an online form where those who come across phishing schemes can send samples for deeper analysis. Beyond that, test phishing engagements will ensure employees are properly trained and acting appropriately to prevent clicking on malicious links by accident or mistake.

Given the risk, however, implementing a model of least privilege will ensure that if someone does manage to use Microsoft Sway to dupe someone, the attackers won’t be able to access an organization’s most critical resources or data.

 |  |  |  |  |  |  |  |  | 
Shane Schick
Writer & Editor

More from

December 18, 2024

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

December 17, 2024

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

December 16, 2024

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature