
Attackers are building phishing sites on Microsoft Sway, an effective approach because links on that domain are typically trusted.

You may not be familiar with Microsoft Sway, or at least have never used it. But cybercriminals have been abusing this web app to host the landing pages behind their phishing emails.

Available on the Web and as a Windows 10 app, Microsoft Sway lets you create presentations, newsletters, and documentation complete with photos, videos, and other media. You can then post your presentation on the Web via a shareable link that anyone can click to view it.

However, even if your organization doesn’t use this software, you can still be vulnerable to phishing attacks that are hosted from Sway, according to Avanan. Here’s how.

By creating and posting a Sway page on sway.office.com, criminals can build landing pages that look legitimate but carry malicious content. Because the pages sit on Microsoft’s own Sway domain, reputation-based URL filters treat the pages and their links as trustworthy, and users are easily fooled into thinking they are valid.

If the victim is signed in with an Office account, these pages render with Office 365 styling and menus, which makes them more convincing still. A malicious Sway page can include trusted brand names affiliated with Microsoft, such as a SharePoint logo. Such a page typically displays a tempting link that invites the user to click; the click then downloads malware or lands on a spoofed login page.

To convince potential victims to access a malicious Sway phishing page, cybercriminals will send emails with notifications for voicemails or faxes, hoping that unsuspecting users will click on the link or image.

[Image: example Sway phishing page, via Avanan]

In one example, the phishing email was sent from an onmicrosoft.com address, the default domain Microsoft assigns to every Office 365 tenant. Because the message genuinely originates from Microsoft’s mail infrastructure, it passes the sender-authentication checks that catch basic spoofing. The right type of branding and look for the email persuades users that it contains a legitimate fax.

A recent date next to the “Fax Received at” text is another sign of care on the attacker’s part: a fresh timestamp makes the spoofed email seem urgent and important.

The preview image of the fax itself looks too important to ignore. Two links in the email to the alleged fax and fax service point to sway.office.com.

Even if the intended victim doesn’t use Sway, that person will likely trust any link to office.com. According to Avanan, Office 365’s Safe Links protection did not block these URLs either, since the destination is a Microsoft-hosted page rather than a known-bad domain. Other links in the email pointed to LinkedIn, another trusted site.

This type of phishing attack succeeds because it sends users to a trusted page hosted by Microsoft rather than to a compromised website, which browser protections and domain blocklists would be far more likely to block.

[Image: the fax-themed phishing email linking to sway.office.com, via Avanan]

In response to a request for comment, a spokesperson for Microsoft sent TechRepublic the following statement:

“Contrary to marketing claims, Microsoft does not automatically trust any domain, including the Office and Sway domains. All links are analyzed, assessed and compared to known attack vectors, including local domains. Additionally, Microsoft performs a complete assessment of Sway content, including the scanning of links on the pages.” However, many organizations have found that this alone is not enough.

How to protect yourself

Customers who were targeted in this Sway phishing attack received the same message from different senders. Because the criminals use multiple senders and domains, blacklisting them won’t work.

Instead, many customers have simply blacklisted sway.office.com in their web filters. Unless your organization actively uses Sway, your best bet is to do the same and block links to this domain, suggests Avanan.
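The advice above, and the fax lure described earlier, as an added example (this is not code from Avanan, Microsoft or the original article): a small mail-filter rule in Python that flags any message whose links resolve to sway.office.com, no matter which sender or tenant it came from. Two details a practitioner would want are handled: links that Outlook Safe Links has already rewritten to a safelinks.protection.outlook.com wrapper are unwrapped before the host check, and matching is on whole DNS labels so a lookalike such as sway.office.com.example.net is not mistaken for the real domain. The sender tenant name, the Sway page ID and the Safe Links query parameters in the sample messages are constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Hosts to block. Avanan's advice is to block sway.office.com outright unless
# Sway is actually in use; add other unused Microsoft-hosted sharing domains here.
BLOCKED_HOSTS = {"sway.office.com"}


class _LinkExtractor(HTMLParser):
    """Collect every href in an HTML body (HTMLParser unescapes attribute values for us)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag in ("a", "area") and href:
            self.links.append(href)


def destination(url):
    """Return the real target of a link.

    Outlook Safe Links rewrites links to
    https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded target>&...
    so a filter that only looks at the visible host would see Microsoft, not the
    landing page. Unwrap that first; any other URL is returned unchanged.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "safelinks.protection.outlook.com" or host.endswith(".safelinks.protection.outlook.com"):
        inner = parse_qs(parts.query).get("url")  # parse_qs percent-decodes the value
        if inner:
            return inner[0]
    return url


def is_blocked(url, blocked=BLOCKED_HOSTS):
    """True if the link's final host is a blocked domain or a subdomain of one.

    Matching is on whole labels, so sway.office.com.example.net is NOT treated as
    sway.office.com; that is a different registrable domain and belongs to a
    separate lookalike-domain check.
    """
    host = (urlsplit(destination(url)).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in blocked)


def links_in(raw_message):
    """Extract every link from the text/plain and text/html parts of an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            extractor = _LinkExtractor()
            extractor.feed(part.get_content())
            extractor.close()
            links.extend(extractor.links)
        elif ctype == "text/plain":
            links.extend(re.findall(r"https?://[^\s<>\"']+", part.get_content()))
    return links


def flagged_links(raw_message):
    """Links whose real destination is on the block list.

    The sender is deliberately ignored: the lures came from many different
    onmicrosoft.com tenants, so the rule keys on the landing-page host instead.
    """
    return [destination(u) for u in links_in(raw_message) if is_blocked(u)]


# Constructed sample messages. The tenant name, Sway page ID and Safe Links
# parameters are made up for this example, not taken from a real campaign.
FAX_LURE = "\n".join([
    "From: Fax Service <notifications@contoso-fax.onmicrosoft.com>",
    "To: victim@example.com",
    "Subject: Fax Received at 09:14 AM",
    "MIME-Version: 1.0",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body><p>A new fax is waiting for you.</p>",
    '<p><a href="https://sway.office.com/AbCdEf123">View fax</a></p>',
    '<p><a href="https://www.linkedin.com/">Follow us on LinkedIn</a></p>',
    "</body></html>",
])

# The same lure after Safe Links has rewritten the Sway link on the way in.
WRAPPED_LURE = FAX_LURE.replace(
    "https://sway.office.com/AbCdEf123",
    "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsway.office.com%2FAbCdEf123&amp;data=constructed",
)

BENIGN = "\n".join([
    "From: IT Helpdesk <helpdesk@example.com>",
    "To: victim@example.com",
    "Subject: Sign-in portal reminder",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Sign in at https://www.office.com/ (lookalike test: https://sway.office.com.example.net/demo )",
])


if __name__ == "__main__":
    for name, raw in [("fax lure", FAX_LURE), ("wrapped lure", WRAPPED_LURE), ("benign", BENIGN)]:
        print(f"{name}: {flagged_links(raw) or 'clean'}")
```

In a real gateway the same `flagged_links` check would sit behind a quarantine action rather than a print, and the block list would be whatever Microsoft-hosted sharing domains your organization does not use; the unwrap step matters because Safe Links rewriting happens before most downstream filters see the message.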

Microsoft, for its part, also provides ways to report spam or phishing messages that got past its filters.

For further information contact us at: info@CherubAS.com or call (407) 416-7955
