Microsoft Sway is the latest cloud platform and service to be attacked by criminals. Hackers use the product to trick users into revealing Microsoft 365 login details by using QR codes to deliver malicious payloads.


QR code phishing, or “quishing,” is not new. The Microsoft Sway variant, however, is relatively new and affects businesses in North America and Asia.


What is Microsoft Sway? Why has it been attacked?


Microsoft Sway, a cloud-based tool for content creation, is included with Microsoft 365 subscriptions. Sway allows users to send interactive content, such as newsletters and presentations.


Hackers target Microsoft credentials by using Sway with a QR code exploit, which allows them to steal information and gain access to protected networks. To launch the attack, threat actors use a Sway that contains a malicious QR code and hope to trick users into scanning it. They then redirect the user to a phishing landing page that looks identical to Microsoft 365's login page.


If the victim now enters his or her login credentials, including the multi-factor authentication credentials, the hackers will have all the information they need.


The danger of QR code exploits


Microsoft Sway can be a very effective tool for launching phishing campaigns.


This is an example of “transparent” phishing. Because the user must log in to their Microsoft Sway account to view the content, they believe the message to be legitimate and are more likely to open malicious pages. The hacker never knows that the user has given their credentials.


This vulnerability in Microsoft Sway is also concerning because many people scan malicious codes with their mobile devices. The majority of smartphones, particularly personal devices, do not have the same level of protection as computers. This makes it easier for malicious actors to cause havoc using QR codes.


QR codes are also often resistant to Microsoft security protocols and tools. Since most QR codes are JPG images, antivirus and malware detection software cannot detect whether they contain malicious content. They can then slip past email protection programs unnoticed.


Even as security vendors create new tools for scanning images, cybercriminals remain one step ahead. To avoid detection, some create QR codes with Unicode text instead of images. Hackers are always looking for new ways to avoid detection, and to deliver malicious payloads.
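
One way a mail filter could flag QR codes drawn with Unicode text rather than images, as described above. This is an added example, not code from the original article; the function names, thresholds and sample message are assumptions constructed for illustration.

```python
# Added example: flag runs of lines drawn with Unicode block characters.
FILLER = " \u00a0"        # spaces can stand in for light modules
MIN_WIDTH = 21            # assumption: the smallest QR symbol is 21 modules wide
MIN_ROWS = 10             # assumption: half-block art packs two module rows per line
MIN_BLOCK_RATIO = 0.3     # assumption: share of a row that must be block glyphs


def is_block_row(line):
    """True when a line holds only Block Elements (U+2580-U+259F) and filler."""
    core = line.strip(FILLER + "\r")
    if len(core) < MIN_WIDTH:
        return False
    blocks = sum(1 for ch in core if "\u2580" <= ch <= "\u259f")
    fillers = sum(1 for ch in core if ch in FILLER)
    return blocks + fillers == len(core) and blocks >= len(core) * MIN_BLOCK_RATIO


def find_text_qr(body):
    """Return (first_line_number, row_count) for each suspicious run of rows."""
    hits, run_start = [], None
    lines = body.splitlines() + [""]      # empty sentinel closes a final run
    for i, line in enumerate(lines):
        if is_block_row(line):
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start >= MIN_ROWS:
                hits.append((run_start + 1, i - run_start))
            run_start = None
    return hits


def sample_body():
    """Constructed message body: prose, a 13-row block grid, a progress bar.

    The grid is a synthetic pattern, not a scannable code.
    """
    glyphs = "\u2588\u2580\u2584 "
    grid = ["".join(glyphs[(r * 7 + c * 3) % 4] for c in range(25))
            for r in range(13)]
    bar = "Progress: " + "\u2588" * 4 + "\u2591" * 4
    return "\n".join(["Scan to review your document:", ""] + grid + ["", bar])


if __name__ == "__main__":
    for first, rows in find_text_qr(sample_body()):
        print(f"possible text-drawn QR code: {rows} rows from line {first}")
```

A hit is a signal for quarantine or closer analysis, not proof of a QR code, because the check looks only at character classes and run length.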


How to Avoid these New Quishing Attacks


To avoid becoming a victim of quishing via Microsoft Sway, continue to follow your best practices for preventing phishing.

Lacy Moore