Microsoft Sway abused the PerSwaysion spear-phishing operation

Many threat actors who use phishing attacks against business goals have relied on Microsoft Sway to entice victims to provide their Office 365 credentials.

The campaign, called PerSwaysion Security Researcher, is based on the phishing kits offered as part of the Malware as a Service (MaaS) operation and is a well-planned activity.

In addition to accessing company emails, fraudsters receive confidential company information, which gives them a wide range of opportunities to make money. They may engage in financial fraud, sell information to others or benefit from covert business strategies.

Objectives for cherry trees

PerSwaysion has been in service since at least August 2019, and several versions of the phishing kit have found emails from at least 27 opponents.

To date, they have defrauded at least 156 high-ranking individuals in small and medium-sized financial services companies, law firms and real estate groups.

More than 20 of the Office 365 accounts collected are held by executives, presidents and directors of organizations in the United States, Canada, Germany, the United Kingdom, the Netherlands, Hong Kong and Singapore.

Security researchers from IB Group, a Singapore based cybersecurity company, discovered the campaign in their response to incidents in the first quarter of the year and named it PerSwaysion because of the widespread abuse of the Sway service. SharePoint and OneNote services are also used, but to a lesser extent.

Microsoft Sway is a storytelling application that makes it possible to create interactive communication (reports, presentations, stories, newsletters).

In cooperation with PerSwaysion, this service is used in the final phase of the attack to give the victims a realistic document that directs them to the phishing site.

Good quality prefix, the sender is not a fake

Victims are selected after the information has been made public. IB Group found an e-mail address for the fraudster who registered a LinkedIn account. They think it was used to find potential targets in the network.

The attack starts with an email from an external trading partner whose account has been compromised. An innocent PDF file is attached and nothing is manipulated, so that the automatic recognition systems remain silent.

However, the IB Group stresses that certain cases should be considered as suspicious:

  • Sender and receiver are one and the same person (the real receivers are hidden in the bcc list).
  • the subject of the letter is only the full name of the partner company
  • the first sentence contains words separated by the word + instead of a space

Sacrifice of Rock

The role of the PDF is to mimic a notification from Office 365, which the opponent did very well by adding the full name, email address and company name of the sender.

But not everything is in place. Some random strings are present in the document, although they have the same color as the background and are only visible when all content is selected (Ctrl+A).

When an item clicks the Read Now link, it goes to a file hosted on a Microsoft Sway server that looks like a real Office 365 file sharing site.

If you look closely, you will see that this is a presentation page that uses the infinite display of Sway.

If you click the Read Now link on this page, you will be redirected to a phishing site disguised as a single Microsoft registration page. There’s another mistake.

What the phishingkit uses for the external interface is the old Microsoft Outlook login page, revision number 6.7.6640.0, which was used in 2017. The Outlook logo stuck on it is a fairy tale that says something is wrong.

Separate infrastructure

The access data collected in this way is sent from the email address specified in the page code to a separate data server, indicating that multiple groups are using the PerSwaysion phishing service.

This additional e-mail seems to be used as a real-time notification method to ensure that fraudsters respond to freshly prepared references, according to an IB Group research report published today.

Despite the mistakes that can be attributed to an amateur, the facts show that they are people with experience in building infrastructure.

Unlike the traditional phishing sets that emphasize visual similarities, the PerSwaysion players pay attention to the collection and graduation.

They modulated the kit into a phishing user interface that controls the web application, an account hosting server and a real-time notification service.

In its report, the IB Group lists the code of the phishing kit in detail and states that it corresponds to the user interface of modern web applications and that most IT tasks are customer-oriented. This lowers the rent for cloud computing.

After collecting their references, PerSwaysion units perform the following operations for a short period of time. You log into the account after six hours and reset the email after one hour.

Within 21 hours of the first compromise, the fraudsters create a new PDF file with the victim’s contact details and send it to those who have recently contacted the victim.

PerSwaysionPlayer monitoring

Like MaaS, PerSwaysion is currently used by different groups. Using its resources, the IB Group has established that the viskit team has a strong relationship with the Vietnamese community.

As far as consumers of the kit are concerned, the researchers found email addresses controlled by 27 subgroups around the world known to be involved in phishing campaigns.

We assume that a group of developers sell their product to various scammers with the aim of making a direct profit – a common practice in the underground community – Group IB

The image below shows the detected email addresses and group names that were determined with the PerSwaysion Phishing Kit:

On the basis of this information, the investigators were able to establish that most subjects were involved in phishing scams against major targets or had been involved in intelligence operations for years.

One of the former groups using the PerSwaysion suite can be traced back to crooks operating in Nigeria and South Africa, led by a man named Sam.

IB Group has created a dedicated website where companies can check if their emails have been compromised as part of the PerSwaysion campaign.

You May Also Like