January 14, 2020 By Shane Schick 2 min read

A phishing technique that makes use of Microsoft Sway could attack organizations even if they don’t use the tool, security researchers warn.

Cybercriminals are able to create landing pages that look like legitimate online content and dupe victims into clicking on a malicious URL by hosting them on sway.office.com, according to a post from Avanan.

Given that URL filters tend to trust this domain, the bogus landing pages may go undetected, and they can use Office 365 styling and menus to appear more genuine. Best known as a tool for creating a variety of digital content with a shareable link, Microsoft Sway is available on the Windows 10 app as well as online.

Beware of Urgent Fax and Voicemail Notifications

Researchers said some of the phishing pages include well-known Microsoft product logos, including SharePoint, as well as those from real fax service providers. The latter is important because some of the common tactics to create a sense of urgency around clicking the link for these phishing campaigns include sending messages that a fax or voicemail has been received.

The report showed one instance, for example, where attackers added a timestamp next to a “Fax Received” email message that came from an email address that ended with onmicrosoft.com. The bogus fax, meanwhile, was offered via a link using the sway.office.com domain.

While best practices to combat phishing attacks often include blacklisting worrisome domains, researchers said this probably wouldn’t work in this case since attackers may use several different domains and senders. It may also be unfeasible for those organizations that regularly use Microsoft Sway to block content that use its domain.

This isn’t the first time Sway has been identified as a tool for conducting phishing attacks; Forcepoint researchers published similar findings as far back as October 2018.

Reduce the Risks of Microsoft Sway Phishing Attacks

Microsoft provides an online form where those who come across phishing schemes can send samples for deeper analysis. Beyond that, test phishing engagements will ensure employees are properly trained and acting appropriately to prevent clicking on malicious links by accident or mistake.

Given the risk, however, implementing a model of least privilege will ensure that if someone does manage to use Microsoft Sway to dupe someone, the attackers won’t be able to access an organization’s most critical resources or data.

More from

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

How red teaming helps safeguard the infrastructure behind AI models

4 min read - Artificial intelligence (AI) is now squarely on the frontlines of information security. However, as is often the case when the pace of technological innovation is very rapid, security often ends up being a secondary consideration. This is increasingly evident from the ad-hoc nature of many implementations, where organizations lack a clear strategy for responsible AI use.Attack surfaces aren’t just expanding due to risks and vulnerabilities in AI models themselves but also in the underlying infrastructure that supports them. Many foundation…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today