
Microsoft Sway Pages Weaponized to Perform Phishing and Malware Delivery

September 27, 2022

Threat actors have recently carried out phishing campaigns using Microsoft Sway and have used the platform to distribute malware in organizations.

The findings come from cybersecurity experts at Proofpoint, who published an advisory about the new threat on Monday.

“An attacker can weaponize a Sway page by either compromising a Microsoft 365 account inside the goal firm (to phish extra users) or making a Sway website page within their individual Microsoft 365 account outside the target firm,” reads the technical write-up.


According to the advisory, most phishing attack vectors observed by Proofpoint involved clicking a direct link to a phishing page. The firm also noted that Microsoft typically uses a warning pop-up to try to discourage users from falling prey to these phishing attempts.

“However, Proofpoint cloud security analysis indicates that attackers can phish consumers utilizing an embed approach inside of Microsoft Sway with no warning pop-up,” the company wrote. “This consists of a person clicking on a website link in an embedded malicious doc inside of a Sway webpage.”

Further, although Microsoft only allows uploads of media files in Sway pages (and actively blocks uploads of executable files), there are ways to use Sway to distribute malicious executables by embedding the hosted malware inside the platform.

This can be done, as outlined above, by hosting a malicious file on Microsoft OneDrive or SharePoint and embedding it in the new Sway page. Malicious documents can also be sent to people within the organization, who may open them even though they contain malware.

“Threat actors constantly look for new approaches to steal users’ qualifications and acquire accessibility to users’ accounts,” Proofpoint wrote. “As this website illustrates, Microsoft Sway serves as an appropriate system for various types of cloud attacks given that it is an authentic application hosted on a seemingly benign area.”

To mitigate the impact of these threats, Proofpoint recommended that organizations educate users to be aware of Microsoft Sway-based embedded phishing and malware risks and, if necessary, restrict the usage of Microsoft Sway in cloud environments.

Companies should also set up comprehensive account compromise detection using a cloud access security broker (CASB) solution and isolate end-user traffic when users click on links within Microsoft Sway pages.


Some parts of this article are sourced from:
www.infosecurity-magazine.com
