One of phishers’ preferred methods for fooling both targets and email filters is to use legitimate services to host phishing pages. The latest example of this involves Office 365 users being directed to phishing and malicious pages hosted on Office Sway, a web application for content creation that’s part of Microsoft Office.
The email that tries to trick recipients into visiting the phishing page isn’t stopped by Microsoft’s filters, likely because:
- It was sent from an onmicrosoft.com email address
- Includes links in the email that point to sway.office.com and other trusted sites (e.g., LinkedIn).
It pretends to be a fax receipt notice, shows a small image of the supposedly received fax, and asks the user to open the attachment to view it.
The phishing Office Sway page
Those who fall for the scheme are directed to a landing page hosted on Sway, which instructs them to click on another link that will either download a malicious file or lead them to a spoofed Office 365 login page:
“The Sway page will include trusted brand names. Most commonly, the spoofed brands are Microsoft-affiliated, just like the SharePoint logo shown in the example above,” Avanan explained.
And if the recipient is logged into an Office account, Sway pages appear wrapped in Office 365 styling with accompanying menus, making the page even more convincing.
“Attackers can turn Microsoft Sway into most any site they like, causing both Outlook and even the most savvy recipients to trust sway.com links,” the company pointed out, and noted that because the attackers are using multiple senders and domains, blacklisting them won’t work.
“Instead, we’ve seen many clients blacklist sway.office.com in their web filters. Unless your organization actively uses Sway, you should consider blocking Sway links,” they advised.