Published on April 30th, 2020
Microsoft Sway abused in PerSwaysion spear-phishing operation
Multiple threat actors running phishing attacks on corporate targets have been counting on Microsoft Sway service to trick victims into giving their Office 365 login credentials.
Named PerSwaysion by security researchers, the campaign relies on a phishing kit offered in a malware-as-a-service (MaaS) operation and is a well-planned endeavor.
Apart from access to corporate email accounts, scammers also get sensitive business data, which opens a wide range of money-making possibilities. They can run financial scams, sell information to other actors, or profit from secret trading strategies.
PerSwaysion has been running since at least August 2019 and emails of at least 27 adversaries have been found in several variants of the phishing kit.
To date, they tricked at least 156 high-ranking individuals at small and medium financial services companies, law firms, and real estate groups.
More than 20 of all harvested Office 365 accounts belong to executives, presidents, and managing directors at organizations in the U.S., Canada, Germany, the U.K., the Netherlands, Hong Kong, and Singapore.
Security researchers at Singapore-based cyber security company Group-IB discovered the campaign during an incident response in the first quarter of the year and named it PerSwaysion because of “the extensive abuse of Sway service.” SharePoint and OneNote services are also used, but to a lesser degree.
Microsoft Sway is a storytelling app that allows creating interactive communications (reports, presentations, stories, newsletters).
In the context of PerSwaysion, the service is used in a final stage of the attack, to provide victims with a realistic-looking document that redirects to the phishing page.
Benign attachment, sender not spoofed
Victims are picked after conducting reconnaissance on public pages. Group-IB found an email address belonging to a scammer that registered a LinkedIn account. They believe this was used to find potential targets on the network.
The attack starts with an email from an external business partner, whose account had been compromised. A benign PDF file is attached and nothing is spoofed, so automated detection systems remain silent.
However, Group-IB points out that some things should be regarded as suspicious:
- sender and recipient are the same person (true recipients are hidden in bcc list)
- email subject is only the business partner company full name
- the first sentence contains words separated by ‘+’ instead of space
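The three lure traits listed above can be checked mechanically on the visible headers and body of a received message. The following is an added example written for this article, not Group-IB's code; the set of partner company names is an assumed allow-list the defender maintains, and both sample messages are constructed.

```python
"""Flag the three PerSwaysion lure traits Group-IB lists: sender == recipient,
a subject that is only the partner company's full name, and '+'-joined words
in the first sentence. Added example, not Group-IB's code."""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

PLUS_JOINED = re.compile(r"\w+(?:\+\w+){2,}")   # e.g. Please+find+attached

def first_sentence(text: str) -> str:
    """Return the first sentence of a plain-text body (cheap split on . ! ?)."""
    return re.split(r"(?<=[.!?])\s", text.strip(), maxsplit=1)[0]

def perswaysion_indicators(raw: bytes, partner_companies: set[str]) -> list[str]:
    """Return the names of the indicators that fire on one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipients = {addr.lower() for _, addr in
                  getaddresses([str(msg.get("To", ""))]) if addr}
    # Trait 1: the only visible recipient is the sender (real targets sat in Bcc,
    # which is stripped on delivery, so only the To header can be inspected).
    if sender and recipients == {sender}:
        hits.append("sender_is_sole_recipient")
    # Trait 2: the subject is nothing but the partner company's full name.
    subject = " ".join(str(msg.get("Subject", "")).split()).casefold()
    if subject in {name.casefold() for name in partner_companies}:
        hits.append("subject_is_partner_name_only")
    # Trait 3: '+' used instead of spaces in the opening sentence.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PLUS_JOINED.search(first_sentence(text)):
        hits.append("plus_joined_first_sentence")
    return hits

# Constructed samples (assumed partner domain and names, not real data).
LURE = b"""From: Jane Doe <jane.doe@partner.example>
To: Jane Doe <jane.doe@partner.example>
Subject: Partner Holdings Ltd
Content-Type: text/plain; charset="utf-8"

Please+find+the+attached+document shared with you via Office 365. Read Now.
"""
BENIGN = b"""From: Jane Doe <jane.doe@partner.example>
To: Bob Smith <bob.smith@victim.example>
Subject: Re: Q2 contract draft
Content-Type: text/plain; charset="utf-8"

Hi Bob, please find the revised draft attached. Thanks, Jane
"""

if __name__ == "__main__":
    print(perswaysion_indicators(LURE, {"Partner Holdings Ltd"}))   # all three fire
    print(perswaysion_indicators(BENIGN, {"Partner Holdings Ltd"})) # []
```

These are heuristics for triage, not a verdict: a message that fires all three from a known partner is worth a manual look before anyone opens the attachment.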
Sway-ing the victim
The role of the PDF is to impersonate a notification from Office 365, something that the adversary managed to do quite well, adding the full name of the sender, their email address, and company.
Not everything is spot on, though. Some random strings are present in the document, although they have the same color as the background and are visible only when all content is selected (Ctrl+A).
When the target clicks the “Read Now” link, they are taken to a file hosted on Microsoft Sway that seems like a genuine Office 365 file-sharing page.
A closer look reveals that it is a presentation page that takes advantage of the borderless view in Sway.
Clicking the “Read Now” link on this page takes the target to the phishing site that is disguised as a Microsoft Single Sign-on page. Here, another mistake is noticeable.
The phishing kit's frontend is an old login page for Microsoft Outlook, revision number 6.7.6640.0, used in 2017. The “Outlook” logo plastered at the top is the telltale sign that something is not right.
Credentials harvested this way are delivered to a separate data server from an email address present in the code of the page, indicating that multiple groups are using the PerSwaysion phishing service.
“This extra email seems to be used as a real-time notification method to make sure scammers react on freshly harvested credentials,” Group-IB researchers say in a report published today.
Despite mistakes that could be pinned on an amateur, evidence shows that individuals experienced in setting up such infrastructure are involved.
Unlike run-of-the-mill phishing kits that focus on visual similarities, PerSwaysion actors pay attention to the credential harvesting and delivery.
They modularized the kit into a phishing user interface that serves the web application, a hosting backend server for credentials, and a real-time notification service.
Group-IB provides in their report details about the phishing kit code, noting that it aligns with modern web application user experience and that most computing tasks are client-side. This contributes to lower cloud computing rental fees.
After collecting account credentials, PerSwaysion actors carry out follow-up operations within a short period. They log into the account after six hours and dump email data an hour later.
Within 21 hours of the initial compromise, the scammers generate a new PDF with the victim’s details and send it to people who had recent communication with the victim.
Tracking the PerSwaysion actors
Being a MaaS, PerSwaysion is currently used by multiple groups. Using its resources, Group-IB was able to uncover that the “phishing kit development team has a strong link to Vietnamese speaking community.”
As for the customers of the kit, the researchers found email addresses controlled by 27 sub-groups across the world known to be involved in phishing campaigns.
“We assume that the developer group sells its product to various scammers for direct profit – a common practice in the underground community” – Group-IB
In the image below are the email addresses discovered and the name of the groups using the PerSwaysion phishing kit:
Starting from this information, the researchers were able to determine that most of the actors have been running phishing scams against high profile targets for years, or were involved in reconnaissance operations.
One of the older groups using the PerSwaysion kit was tracked to active scammers in Nigeria and South Africa led by an individual that goes by the name Sam.