In a concerning development in cybersecurity, researchers have reported an uptick in QR code phishing campaigns, also known as “quishing.” These attacks utilize Microsoft Sway, a legitimate cloud-based platform, to host counterfeit web pages, underscoring how reputable services can be exploited for malicious activities.
Jan Michael Alcantara from Netskope Threat Labs explained that the misuse of trusted cloud applications lends an air of authenticity to these schemes, making it easier for attackers to deceive their victims. He noted that as users often access Microsoft Sway with their already authenticated Microsoft 365 accounts, it further enhances the perceived legitimacy of the fraudulent content. With options to share Sway pages via links or embed them into other sites, attackers can proliferate their phishing attempts rapidly.
The primary targets of these attacks have been users in Asia and North America, particularly within technologically intensive sectors such as finance, manufacturing, and technology. This alarming trend indicates a strategic focus on industries where data security is paramount, and where credentials can yield significant access to sensitive information.
According to the cybersecurity firm, traffic to unique Microsoft Sway phishing pages exploded by 2,000% starting in July 2024, aimed specifically at harvesting Microsoft 365 credentials. The attacks involve phishing QR codes that, when scanned, direct users to fraudulent sites designed to steal their information.
Further complicating detection efforts, some of the quishing attempts have incorporated Cloudflare Turnstile, an anti-bot framework that shields the phishing domains from standard URL analysis tools. The campaigns also rely on advanced evasion tactics, using adversary-in-the-middle (AiTM) phishing methods to extract user credentials and two-factor authentication (2FA) codes while simultaneously attempting to log victims into fraudulent sites.
The challenge posed by QR code phishing is particularly pronounced since the malicious URLs are encapsulated within images. Traditional email scanners, which primarily scrutinize text-based content, struggle to identify threats posed by these embedded links. Additionally, users may scan QR codes using their mobile devices, which typically have less stringent security measures than desktop systems, increasing their susceptibility to cyber attacks.
This is not the first instance of phishing campaigns exploiting Microsoft Sway’s infrastructure. A previous campaign known as “PerSwaysion” compromised numerous corporate email accounts across various countries by redirecting victims to sites designed for credential harvesting. As attackers continuously adapt to the security measures developed in response to their tactics, the sophistication and ingenuity of these phishing campaigns continue to escalate.
As attackers become increasingly skilled at creating sophisticated QR codes using Unicode text characters, a new form of phishing emerges, complicating traditional detection strategies. This novel “Unicode QR Code Phishing” technique misleads security systems that scan for threats embedded in images, as these codes consist entirely of text characters but can be rendered flawlessly across different platforms.
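Because a text-rendered QR code never passes through an image scanner, a mail filter needs a text-side heuristic. The following is an added example, not code from the article or from Netskope: it flags runs of consecutive lines built only from Unicode block-element glyphs (▀ ▄ █ ░ ▒ ▓) and spaces, which is the common way such codes are drawn; the glyph set, the minimum width of 21 (the module count of the smallest QR version) and the row threshold are assumptions, and the sample message is constructed and not a scannable code.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Block-element glyphs typically used to draw a QR code as text (assumption).
BLOCK_CHARS = "\u2580\u2584\u2588\u2591\u2592\u2593"
# A candidate row: at least 21 characters drawn from block glyphs and spaces only.
QR_ROW = re.compile(r"^[\u2580\u2584\u2588\u2591\u2592\u2593 ]{21,}$")


@dataclass
class TextQrHit:
    start_line: int  # 1-based line number where the grid starts
    rows: int        # number of consecutive grid rows
    width: int       # width of the first row, in characters


def find_text_qr(text: str, min_rows: int = 10) -> list[TextQrHit]:
    """Return every run of >= min_rows consecutive lines that looks like a
    text-rendered QR grid: block glyphs/spaces only, near-constant width,
    and at least one non-space glyph per row (so blank padding is ignored)."""
    hits: list[TextQrHit] = []
    start = width = None
    rows = 0

    def close_run() -> None:
        nonlocal start, width, rows
        if start is not None and rows >= min_rows:
            hits.append(TextQrHit(start, rows, width))
        start, width, rows = None, None, 0

    for lineno, line in enumerate(text.splitlines(), start=1):
        grid_row = bool(QR_ROW.match(line)) and any(c in BLOCK_CHARS for c in line)
        if grid_row and start is not None and abs(len(line) - width) <= 2:
            rows += 1            # same grid continues
        else:
            close_run()          # either not a grid row, or a width break
            if grid_row:
                start, width, rows = lineno, len(line), 1
    close_run()
    return hits


def constructed_sample_qr(rows: int = 12, width: int = 25) -> str:
    """Constructed pseudo-QR pattern for testing: deterministic, NOT a real code."""
    glyphs = "\u2580\u2584\u2588 "
    return "\n".join(
        "".join(glyphs[(r * 7 + c * 3) % 4] for c in range(width)) for r in range(rows)
    )


if __name__ == "__main__":
    mail = "Scan to view the document:\n" + constructed_sample_qr() + "\nRegards"
    print(find_text_qr(mail))  # one hit starting at line 2, 12 rows, width 25
```

A hit is a signal to route the message for URL analysis (e.g. decode the grid with a QR library) or to quarantine it, not proof of phishing on its own.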