Microsoft Sway Pages Weaponized to Perform Phishing and Malware Delivery

  • Threat actors have recently conducted phishing campaigns using Microsoft Sway and used the platform to distribute malware within organizations.

    The findings come from cybersecurity experts at Proofpoint, who released an advisory about the new threat on Monday.

    “An attacker can weaponize a Sway page by either compromising a Microsoft 365 account within the target organization (to phish more users) or creating a Sway page within their own Microsoft 365 account outside the target organization,” reads the technical write–up.

    According to the advisory, most phishing attack vectors observed by Proofpoint involved clicking a direct link to a phishing page. The company also highlighted that Microsoft typically uses a warning pop–up to attempt to discourage users from falling prey to such phishing attempts.

    “However, Proofpoint cloud security research indicates that attackers can phish users using an embed method within Microsoft Sway without a warning pop–up,” the company wrote. “This involves a user clicking on a link in an embedded malicious document within a Sway page.”

    Further, while Microsoft only allows uploads of media files in Sway pages (and actively blocks uploads of executable files), there are ways to use Sway to distribute malicious executables by embedding the hosted malware within the platform.

    This can be done, as mentioned above, by hosting a malicious file on Microsoft OneDrive or SharePoint and embedding it in the new Sway page. Malicious files can also be sent to users within the organization, who may open them even though they contain malware.

    “Threat actors constantly seek new ways to steal users’ credentials and acquire access to users’ accounts,” Proofpoint wrote. “As this blog illustrates, Microsoft Sway serves as a suitable platform for various forms of cloud attacks since it’s a legitimate application hosted on a seemingly benign domain.”

    To mitigate the impact of these threats, Proofpoint recommended companies educate users to be aware of Microsoft Sway–based embedded phishing and malware risks and, if necessary, limit the usage of Microsoft Sway in cloud environments.

    Firms should also set up comprehensive account compromise detection using a cloud access security broker (CASB) solution and isolate end–user traffic when users click on links within Microsoft Sway pages.