You may not be familiar with Microsoft Sway, or at least may never have used it. But cybercriminals have been exploiting this web app to send phishing emails to unsuspecting victims, according to a new report from Avanan.
Available on the Web and as a Windows 10 app, Microsoft Sway lets you create presentations, newsletters, and documentation complete with photos, videos, and other media. You can then post your presentation on the Web via a shareable link that anyone can click to view it.
However, even if your organization doesn’t use this software, you can still be vulnerable to phishing attacks that are hosted from Sway, according to Avanan. Here’s how.
By creating and posting a Sway page on sway.office.com, criminals can devise landing pages that look legitimate but actually carry malicious content. Since the pages are hosted on Microsoft’s own Sway domain, the pages and their links are automatically trusted by URL filters and can easily fool users into thinking they’re valid.
If you log into a Sway site with an Office account, these pages are shown with Office 365 styling and menus, which makes them look more convincing. A malicious Sway page can include trusted brand names affiliated with Microsoft, such as a SharePoint logo. Such a page typically displays a tempting URL that invites the user to click on it but then downloads malware or triggers a spoofed login page.
To convince potential victims to access a malicious Sway phishing page, cybercriminals will send emails with notifications for voicemails or faxes, hoping that unsuspecting users will click on the link or image.
TechRepublic reached out to Microsoft for comment. Last year, the company did roll out phishing detection to Microsoft Forms, an online product that lets people create surveys, quizzes, and polls.
In one example cited by Avanan, a phishing email was sent from an onmicrosoft.com email address. Because Microsoft trusts the domain, this email is able to bypass basic spoofing filters. The right type of branding and look for the email persuades users that it contains a legitimate fax.
A recent date next to the “Fax Received at” text suggests that this is a sophisticated attack since adding a timestamp makes the spoofed email seem urgent and important.
The preview image of the fax itself looks too important to ignore. Two links in the email to the alleged fax and fax service point to sway.office.com.
Even if the intended victim doesn’t use Sway, that person will likely trust any email from office.com. Microsoft itself trusts the Sway and Office domains, so this URL will sneak past Safe Links settings. Other links in the email point to LinkedIn, another trusted site.
This type of phishing attack can succeed because it sends users to a trusted page hosted by Microsoft rather than a compromised website that would likely be blocked by web browsers and blacklists.
How to protect yourself
Avanan customers who were targeted in this Sway phishing attack received the same message from different senders. Because the criminals use multiple senders and domains, blacklisting them won’t work.
Instead, many customers have simply blacklisted sway.office.com in their web filters. Unless your organization actively uses Sway, your best bet is to do the same and block any links from this domain.
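One way to apply that advice at the mail gateway rather than only in the web filter, written as an added example that is not part of the Avanan report or any Microsoft product: parse each inbound message, pull the hrefs out of its HTML body, and flag any whose host is sway.office.com. The sample message, the contoso.onmicrosoft.com sender and the block list are constructed for the example; the host is compared after URL parsing so that the domain appearing only in a query string or userinfo does not count.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts to block when the organisation does not use Sway (assumed block list).
BLOCKED_HOSTS = {"sway.office.com"}

# Constructed sample resembling the fax-notification lure described above.
SAMPLE = """\
From: fax@contoso.onmicrosoft.com
Subject: Fax Received
Content-Type: text/html; charset=utf-8

<html><body><p>Fax Received at 09:12</p>
<a href="HTTPS://SWAY.OFFICE.COM/s/abc123">View fax</a>
<a href="https://sway.office.com/s/abc123?x=1">Fax service</a>
<a href="https://www.linkedin.com/">Unsubscribe</a>
<a href="https://evil.example/?next=sway.office.com">Help</a>
</body></html>
"""

class LinkExtractor(HTMLParser):
    """Collects href targets from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def link_host(url):
    """Lowercase host of a URL, ignoring scheme case, userinfo and port, so
    'sway.office.com' in a query string or userinfo is not a false hit."""
    return (urlsplit(url.strip()).hostname or "").lower()

def flag_blocked_links(raw_message):
    """Parse an RFC 5322 message and return every href in its HTML parts
    whose host is on the block list."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = LinkExtractor()
        parser.feed(part.get_content())
        hits.extend(u for u in parser.links if link_host(u) in BLOCKED_HOSTS)
    return hits
```

Run against SAMPLE, the two fax links are returned while the LinkedIn link and the decoy carrying the domain in its query string are not.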
On its end, Microsoft does offer ways for you to submit spam or phishing messages that passed through its spam filters.