Have you heard of Microsoft Sway? If you haven’t, there’s a good chance your users don’t know about it either.
That’s why this content creation service is used in phishing attacks. Attackers can turn Microsoft Sway into most any site they like, causing both Outlook and even the most savvy recipients to trust sway.com links.
Why are hackers using Microsoft Sway?
Sway is a web app for creating PowerPoint-like presentations and newsletters. It also serves as an easy point-and-click way to create a landing page that might fool your users.
For these reasons, it has become a popular place for hackers to host phishing sites like the one below.
You’ll notice that:
- Sway pages are hosted on office.com. With that stamp of legitimacy, Sway pages bypass URL filters and any investigation that your users are capable of.
- If your users are logged into an Office account, Sway pages appear wrapped in Office 365 styling with accompanying menus to be even more convincing.
- The Sway page will include trusted brand names. (Most commonly, the spoofed brands are Microsoft-affiliated, just like the SharePoint logo shown in the example above.)
- Hackers intend for victims to click the hyperlinked URL “FAX MESSAGE” at the bottom. These links download a malicious file or lead to spoofed login page.
Why are Microsoft Sway attacks so effective?
To convince potential victims to land on the Sway phishing page, hackers send emails with notifications for voicemails or faxes.
In the email above, the same tricks that fool your users also fool Microsoft security:
- The email was sent from an onmicrosoft.com email address, so Microsoft trusts the domain, enabling it to pass most of the basic spoof filters.
- Consistent branding helps convince potential victims that the email contains a fax. (This is why image analysis is vital in phish detection.)
- The recent date next to “Fax Received at:” suggests this attack is more sophisticated, using dynamically generated text rather than cut-and-pasted text.
- The preview image of the fax looks too important to ignore.
- The two important links in the email to the fax and the faxing service both point to sway.office.com. Even if users are unfamiliar with Sway, they have been taught to trust office.com. Microsoft trusts Sway and its other productivity services implicitly, so this URL will bypass even the strictest SafeLinks settings.
- The other links in the email body point to another trusted site: LinkedIn. Similar attacks use real URLs from trusted sites that lead to the page they promise.
Indicators of Compromise
Avanan clients targeted in the Sway attack received the same message from multiple low-traffic, low-reputation senders. Because the hackers are using multiple senders and domains in this attack, blacklisting them won’t work.
Instead, we’ve seen many clients blacklist sway.office.com in their web filters. Unless your organization actively uses Sway, you should consider blocking Sway links.
Using Microsoft Services to Phish Microsoft
Instead of sending potential victims to a compromised website that might be blocked by browsers and blacklists, the URL in this attack goes to sway.office.com. Because the phishing page is hosted on Microsoft, it will always be considered 100% safe.
Microsoft, your users, your desktop antivirus, your browsers, and your DNS filters can’t stop this attack. Avanan identified the Sway attack using link analysis and sender reputation checks. Because Avanan deploys within Office 365, our algorithm catches attacks that Microsoft misses, like this one, before they hit the inbox.