Have you heard of Microsoft Sway? If you haven’t, there’s a good chance your users don’t know about it either.
That’s why this content creation service is used in phishing attacks. Attackers can turn Microsoft Sway into almost any site they like, causing both Outlook and even the most savvy recipients to trust sway.com links.
Sway is a web app for creating PowerPoint-like presentations and newsletters. It also serves as an easy point-and-click way to create a landing page that might fool your users.
For these reasons, Microsoft Sway has become a popular place for hackers to host phishing sites to run scams like the one below.
You’ll notice that:
To convince potential victims to land on the Sway phishing page, hackers send emails with notifications for voicemails or faxes.
In the email above, the same tricks that fool your users also fool Microsoft security:
Avanan clients targeted in the Microsoft Sway attack received the same message from multiple low-traffic, low-reputation senders. Because the hackers are using multiple senders and domains in this attack, Block Listing them won’t work.
Instead, we’ve seen many clients Block List sway.office.com in their web filters. Unless your organization actively uses Microsoft Sway, you should consider blocking Sway links.
Instead of sending potential victims to a compromised website that might be blocked by browsers and Block Lists, the URL in this attack goes to sway.office.com. Because the phishing page is hosted on Microsoft, it will always be considered 100% safe.
Microsoft, your users, your desktop antivirus, your browsers, and your DNS filters can’t stop this attack. Avanan identified the Sway attack using link analysis and sender reputation checks. Because Avanan deploys within Office 365, our algorithm catches attacks that Microsoft misses, like this one, before they hit the inbox.
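The Sway-link blocking advice above can also be applied at the mail layer. The sketch below is an added example, not Avanan's algorithm or code from this post: it flags messages that link to a Sway host, treating the voicemail/fax lure wording as an extra signal. The host set and keyword list are assumptions drawn from the text, and the sample messages are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

SWAY_HOSTS = {"sway.office.com", "sway.com"}  # hosts named on this page
LURE_RE = re.compile(r"\b(voice\s?mail|fax)\b", re.I)  # lure themes from the page
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def sway_links(text):
    """Return URLs whose parsed hostname is a Sway host or a subdomain of one."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        if any(host == h or host.endswith("." + h) for h in SWAY_HOSTS):
            hits.append(url)
    return hits

def triage(raw_message, org_uses_sway=False):
    """Classify one RFC 5322 message as pass, review or quarantine."""
    msg = message_from_string(raw_message)
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    links = sway_links(body)
    lure = bool(LURE_RE.search(f"{msg.get('Subject', '')} {body}"))
    if not links:
        verdict = "pass"          # no Sway link; other controls decide
    elif lure or not org_uses_sway:
        verdict = "quarantine"    # lure plus Sway link, or Sway is not used here
    else:
        verdict = "review"        # Sway is in use and no lure wording was seen
    return {"verdict": verdict, "links": links, "lure": lure}

# Constructed sample messages (not taken from the campaign).
PHISH = ("From: alerts@sender.example\nSubject: New voicemail received\n\n"
         "Play message: https://sway.office.com/EXAMPLE0000000000\n")
NEWSLETTER = ("From: comms@corp.example\nSubject: Q3 update\n\n"
              "Read it at https://sway.office.com/EXAMPLE1111111111\n")
LOOKALIKE = ("From: alerts@sender.example\nSubject: Fax received\n\n"
             "View: https://sway.office.com.login.example/doc\n")

if __name__ == "__main__":
    for name, raw in [("phish", PHISH), ("newsletter", NEWSLETTER), ("lookalike", LOOKALIKE)]:
        print(name, triage(raw, org_uses_sway=True))
```

Matching is done on the parsed hostname, so a lookalike such as `sway.office.com.login.example` is not counted as a Sway link and is left to reputation-based controls.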