Individuals in North America and Asia, especially those in the technology, manufacturing, and finance industries, were primarily subjected to a widespread QR code phishing campaign that sought to exfiltrate Microsoft 365 credentials through websites hosted by the cloud-based tool Microsoft Sway, according to BleepingComputer.
Attacks commenced with the delivery of emails redirecting to sway[.]cloud[.]microsoft domain-hosted phishing pages that lured targets into scanning QR codes with their less secure mobile devices, which would facilitate further malicious activity, an analysis from Netskope Threat Labs showed. Threat actors behind the campaign also leveraged transparent phishing to enable Microsoft credential and multi-factor authentication code compromise and account logins, as well as the Cloudflare Turnstile tool to evade detection by Google Safe Browsing and other web filtering services, reported Netskope researchers. Such intrusions, which were identified last month following a 2,000 times increase in Microsoft Sway-exploiting attacks, come after the cloud-based tool was reported by Group-IB researchers to have been leveraged as part of the Office 365 login-targeting PerSwaysion phishing operation five years ago.
