Microsoft QR Code Phishing Targets User Credentials: Experts

Cybersecurity experts have discovered a new QR code phishing campaign, also known as "quishing," that exploits Microsoft Sway to host fake landing pages and steal credentials, multi-factor authentication (MFA) codes, and cookies.

Sway is a free cloud-based digital storytelling app launched in 2015 as part of the Microsoft 365 family of products. It allows users to create and share interactive designs for reports, personal stories, presentations, documents, and more.

Netskope Threat Labs, a cybersecurity firm, first recorded the quishing scam in July 2024. The company detected a 2,000-fold increase in cyberattack campaigns abusing Sway, using an array of tactics to bypass Microsoft’s cybersecurity solutions.

These barrages of cyberattacks targeted mostly technology, manufacturing, and finance industries, particularly across Asia and North America.

Table of Contents

    1. Microsoft QR code phishing campaigns originated from emails, Netskope confirms
    2. QR code phishing campaigns took advantage of Cloudflare Turnstile to avoid detection
    3. ‘This is not the first time’: Microsoft Sway has a record of phishing attacks
    4. QR codes’ image-based nature is exploited to launch phishing campaigns
    5. Companies need to revisit their security policies and intensify cybersecurity

Microsoft QR code phishing campaigns originated from emails, Netskope confirms

Researchers found that emails sent to Sway users redirected to phishing landing pages hosted on the sway.cloud.microsoft domain. These pages displayed a QR code that users were encouraged to scan, which led them on to further malicious web pages.

"Since the URL is embedded inside an image, email scanners that can only scan text-based content can get bypassed. Additionally, when a user gets sent a QR code, they may use another device, such as their mobile phone, to scan the code," Netskope researchers observed.

Prompting users to scan these QR codes with their mobile phones is a common scamming strategy, as most phones come with weaker security measures.

Phishing protections are easier to bypass on smartphones, which often lack the antivirus or Endpoint Detection and Response (EDR) software that is usually present only on PCs.

"Since the security measures implemented on mobile devices, particularly personal cell phones, are typically not as stringent as laptops and desktops, victims are then often more vulnerable to abuse," researchers added.

QR code phishing campaigns took advantage of Cloudflare Turnstile to avoid detection

What makes these quishing campaigns considerably more effective is their use of trusted web services, which lends them credibility and helps their scamming tactics evade detection.

Researchers confirmed that the scammers used Cloudflare Turnstile to hide their landing pages from static URL scanners and web filtering services. Turnstile, a service meant to protect websites from bots, kept those scanners from reaching the landing pages, which helped the phishing domains maintain a good reputation and go undetected.

Cyberattackers also leveraged transparent phishing, which employs adversary-in-the-middle attacks. This tactic captured multi-factor authentication codes entered into a look-alike page while simultaneously using them to log in to the victim’s legitimate Microsoft account.

Because the victim was genuinely logged in to their Microsoft account, the page appeared legitimate, which won their confidence and lowered their guard in the process.

"By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves." 

"Additionally, a victim uses their Microsoft 365 account that they’re already logged into when they open a Sway page, that can help persuade them about its legitimacy as well," Netskope researchers noted.

‘This is not the first time’: Microsoft Sway has a record of phishing attacks

In April 2020, malicious actors carried out a similar phishing campaign called PerSwaysion, targeting Office 365 login credentials using a phishing kit included in a malware-as-a-service (MaaS) operation.

Group-IB security researchers discovered that the campaign leveraged Microsoft Sway to target high-ranking officers and directors of small to medium-sized financial services companies, law firms, and real estate groups.

Over 156 credentials were harvested by compromising the targets' corporate email accounts. At least 20 of these phished accounts belonged to executives at various firms in the US, Canada, Germany, Hong Kong, Singapore, the Netherlands, and the UK.

"Evidence indicates that scammers are likely to use LinkedIn profiles to assess potential victim positions." 

"Such a tactic reduces the possibility of early warning from the current victim's co-workers and increases the success rate of the new phishing cycle," Group-IB researchers said.

QR codes’ image-based nature is exploited to launch phishing campaigns

Improving cybersecurity measures and countermeasures remains one of the primary missions of technology companies like Microsoft and of software-as-a-service organizations that offer free online QR code generators.

As defenses become more stringent, however, malicious actors are also refining their quishing campaigns and countermeasures, exploiting the gaps in legitimate security tools to turn those tools against the users they protect.

As the Sway campaign demonstrates, the weakness lies in image-based threats such as QR codes: most email scanners inspect only text-based content and never see a URL encoded inside an image.

"Using QR codes to redirect victims to phishing websites poses some challenges to defenders."

"Since the URL is embedded inside an image, email scanners that can only scan text-based content can get bypassed," Netskope noted.
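A defender-side illustration of closing that gap, added here as an example and not code from the article, Netskope or Microsoft: the scanner walks a mail's MIME parts, hands image parts to a QR decoder, and then applies the same host policy to URLs recovered from images as to URLs in the text. The watchlist, the sample mail and the `decode_qr` stand-in are constructed; real decoding is delegated to the Pillow and pyzbar libraries, which are assumed to be installed only for `pyzbar_decoder`.

```python
import email, io, re
from email import policy
from typing import Callable, Iterable
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed watchlist: the article names sway.cloud.microsoft as the phishing pages' host.
WATCHED_HOSTS = {"sway.cloud.microsoft"}

# Constructed sample mail: a text link plus a PNG attachment (a QR code in real mail; only a header here).
SAMPLE_EML = (b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
              b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
              b"--XX\r\nContent-Type: text/plain\r\n\r\nSee http://example.test/doc\r\n"
              b"--XX\r\nContent-Type: image/png\r\nContent-Transfer-Encoding: base64\r\n"
              b'Content-Disposition: inline; filename="qr.png"\r\n\r\niVBORw0KGgo=\r\n--XX--\r\n')

def urls_from_text(text: str) -> list[str]:
    """The text-based extraction a conventional scanner already performs."""
    return URL_RE.findall(text)

def scan_message(raw: bytes, decode_qr: Callable[[bytes], Iterable[str]]) -> dict:
    """Collect URLs from text parts and, unlike a text-only scanner, from QR codes
    in image parts; decode_qr maps raw image bytes to the decoded QR payloads."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"text": [], "image": []}
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            found["text"] += urls_from_text(part.get_content())
        elif part.get_content_maintype() == "image":
            # A text-only scanner stops here; the QR payload is a link like any other.
            for payload in decode_qr(part.get_payload(decode=True)):
                found["image"] += urls_from_text(payload)
    return found

def flag_urls(urls: Iterable[str]) -> list[str]:
    """Apply one host policy to every URL, wherever in the message it was found."""
    return [u for u in urls if (urlparse(u).hostname or "").lower() in WATCHED_HOSTS]

def pyzbar_decoder(image_bytes: bytes) -> list[str]:
    """Real decoder for production use; assumes Pillow and pyzbar are installed."""
    from PIL import Image
    from pyzbar.pyzbar import decode
    return [s.data.decode("utf-8", "replace") for s in decode(Image.open(io.BytesIO(image_bytes)))]

if __name__ == "__main__":
    # Stand-in decoder so the sample runs offline; use pyzbar_decoder on real mail.
    stand_in = lambda b: ["https://sway.cloud.microsoft/s/constructed-id"] if b.startswith(b"\x89PNG") else []
    result = scan_message(SAMPLE_EML, stand_in)
    print("flagged:", flag_urls(result["text"] + result["image"]))
```

The same policy check that would pass the text link flags the URL recovered from the image, which is the link a text-only scanner never sees.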

Companies need to revisit their security policies and intensify cybersecurity

The evolution of phishing campaigns is a signal for organizations to review their cybersecurity policies on scanning and filtering web and cloud traffic. Better policies mean fewer chances of employees reaching malicious websites.

At the same time, individual users are advised to check URLs before clicking. Better yet, type the website directly into the browser’s address bar to avoid falling for QR code phishing scams.

"QR code-based phishing has recently become a major problem and seems unlikely to decline. Recently, Cofense's research found a 331% increase in QR code active threat reports," Max Gannon from Cofense said.

"The abuse of Microsoft Sway in this campaign further emphasizes that threat actors have a ready-made, easy way to bypass many automated security controls – simply abuse a trusted sharing service," Gannon added.