Recent reports indicate that multiple attack groups have successfully breached corporate email accounts belonging to at least 156 high-ranking executives across various firms located in Germany, the UK, Netherlands, Hong Kong, and Singapore. This campaign has been identified as **PerSwaysion**, which has utilized Microsoft’s file-sharing services—specifically Sway, SharePoint, and OneNote—to carry out targeted phishing attacks.
According to a report published by the Group-IB Threat Intelligence team, the PerSwaysion operation has predominantly focused on executives in finance, law, and real estate sectors, impacting over 150 companies globally. Among the compromised accounts are more than 20 Office365 profiles associated with high-ranking officials including presidents and managing directors.
The attack appears to be ongoing, predominantly orchestrated by scammers based in Nigeria and South Africa. They employed a phishing kit based on the Vue.js JavaScript framework, reportedly developed and rented from Vietnamese-speaking hackers. By late September 2019, the PerSwaysion campaign had adopted more sophisticated technological stacks, leveraging platforms such as Google App Engine for phishing web application servers, and Cloudflare for data backend services.
Mimicking typical phishing strategies aimed at stealing Office 365 credentials, the campaign employed seemingly benign PDF attachments that contained deceptive “read now” links directing victims to files hosted on Microsoft Sway. Researchers noted that by utilizing legitimate cloud-based content sharing services, the attackers aimed to evade detection.
Once a victim clicked on the manipulated link, they would encounter a specially crafted presentation page on Microsoft Sway featuring another deceptive link that led to the actual phishing site. This site is set up to capture sensitive email account credentials and other confidential information. Attackers promptly exploited the stolen credentials to download the victim’s email data via IMAP APIs. Subsequent actions included impersonating the victim to target recent contacts who held crucial positions within the same or connected organizations.
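The sequence above (a web sign-in from the phishing site, followed by bulk mailbox download over IMAP and reuse of the same infrastructure against further accounts) leaves a pattern in sign-in logs that a defender can hunt for. The following Python script is an added example, not code from the original report or from Group-IB: it runs two simple checks over a constructed sign-in log whose five-column format (timestamp, account, client, source IP, result), account names and IP addresses are all assumptions for illustration. The first check flags a successful IMAP sign-in from a different source IP shortly after a successful browser sign-in; the second lists IMAP source IPs that touch several distinct accounts, successful or not.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (not real logs). Columns are assumed:
# timestamp  account  client  source-IP  result
SAMPLE_LOG = """\
2019-09-30T08:12:05Z ceo@example.com Browser 203.0.113.10 Success
2019-09-30T08:40:17Z ceo@example.com IMAP4 198.51.100.7 Success
2019-09-30T09:00:00Z cfo@example.com Browser 203.0.113.10 Success
2019-09-30T09:05:00Z cfo@example.com IMAP4 203.0.113.10 Success
2019-09-30T10:00:00Z legal@example.com IMAP4 198.51.100.7 Failure
2019-10-02T11:00:00Z ceo@example.com IMAP4 198.51.100.9 Success
"""


def parse_log(text):
    """Parse the five-column sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, client, ip, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "account": account,
            "client": client,
            "ip": ip,
            "result": result,
        })
    return events


def imap_after_web_login(events, window=timedelta(hours=24)):
    """Flag a successful IMAP4 sign-in from a different IP within `window` of a
    successful browser sign-in for the same account.  Returns a list of tuples
    (account, web_ip, imap_ip, imap_time_iso)."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        last_web = None
        for e in sorted(evs, key=lambda ev: ev["time"]):
            if e["result"] != "Success":
                continue  # failed attempts are handled by the fan-out check below
            if e["client"] == "Browser":
                last_web = e
            elif e["client"] == "IMAP4" and last_web is not None:
                recent = e["time"] - last_web["time"] <= window
                if recent and e["ip"] != last_web["ip"]:
                    alerts.append((account, last_web["ip"], e["ip"], e["time"].isoformat()))
    return alerts


def imap_source_fanout(events, min_accounts=2):
    """Source IPs that attempt IMAP4 sign-ins against at least `min_accounts`
    distinct accounts (success or failure).  Returns {ip: [accounts...]}."""
    accounts_by_ip = defaultdict(set)
    for e in events:
        if e["client"] == "IMAP4":
            accounts_by_ip[e["ip"]].add(e["account"])
    return {ip: sorted(accs) for ip, accs in accounts_by_ip.items() if len(accs) >= min_accounts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for account, web_ip, imap_ip, when in imap_after_web_login(evs):
        print(f"ALERT {account}: web login from {web_ip}, IMAP from {imap_ip} at {when}")
    for ip, accounts in imap_source_fanout(evs).items():
        print(f"FAN-OUT {ip}: IMAP attempts against {', '.join(accounts)}")
```

On the constructed sample, only the ceo account trips the first rule (browser sign-in from one address, IMAP from another 28 minutes later); the cfo account's IMAP session from the same address is ignored, and the ceo IMAP event two days later falls outside the window. The fan-out check surfaces the one IP that tried IMAP against two accounts, including the failed attempt the first rule deliberately skips. In a real deployment the window, the client-name strings and the log format would come from the tenant's own sign-in export, and disabling legacy IMAP authentication where it is not needed removes the download step entirely.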
This criminal methodology maps cleanly onto tactics outlined in the MITRE ATT&CK framework. Relevant adversary tactics likely employed include Initial Access, where phishing plays a central role, as well as Credential Access to extract sensitive information. Additionally, Persistence, exemplified by the attackers’ continued engagement with compromised accounts, allows them to monitor and target additional victims.
The attackers further enhanced their operations by crafting new phishing PDF documents integrated with the current victim’s full name, email, and company information. These documents were disseminated to selected individuals outside the victim’s organization but within significant roles, thereby increasing the potential impact and success rate of subsequent phishing attempts. Evidence suggests that these attackers may have relied heavily on publicly available LinkedIn profiles to assess the positions of potential targets, thus reducing the likelihood of detection by individuals within the compromised organization.
While there remains no concrete evidence outlining the exact use of the stolen corporate data, researchers speculate that it may be sold in bulk to other financial fraudsters engaged in traditional monetary scams. Group-IB has established an online resource that enables individuals to check if their email address has been compromised in the PerSwaysion attacks. However, users are advised to proceed with caution and only enter their email if they anticipate a potential breach.
As the landscape of cyber threats continues to evolve, the incidents related to the PerSwaysion campaign highlight the critical importance of vigilance and robust defenses against sophisticated phishing strategies. Business owners are encouraged to remain informed and proactive in securing their digital assets against such threats.