- I'm taking these 4 gadgets to the pool this summer - and why they make such a big difference
- '코트 안팎에서 데이터와 AI 활용하기'··· NBA팀 올랜도 매직의 디지털 여정
- 로봇 개와 AI 플랫폼의 만남···보스턴다이내믹스, 공장 관리 혁신 사례 공개
- 패브릭에서 데이터-AI 통합 중인 MS··· 그 이유는?
- Phone theft is on the rise - 7 ways to protect your device before it's too late
Microsoft Sway Pages Weaponized to Perform Phishing and Malware Delivery
Threat actors have recently conducted phishing campaigns using Microsoft Sway and used the platform to distribute malware within organizations.
The findings come from cybersecurity experts at Proofpoint, who released an advisory about the new threat on Monday.
“An attacker can weaponize a Sway page by either compromising a Microsoft 365 account within the target organization (to phish more users) or creating a Sway page within their own Microsoft 365 account outside the target organization,” reads the technical write–up.
According to the advisory, most phishing attack vectors observed by Proofpoint involved clicking a direct link to a phishing page. The company also highlighted that Microsoft typically uses a warning pop–up to attempt to discourage users from falling prey to such phishing attempts.
“However, Proofpoint cloud security research indicates that attackers can phish users using an embed method within Microsoft Sway without a warning pop–up,” the company wrote. “This involves a user clicking on a link in an embedded malicious document within a Sway page.”
Further, while Microsoft only allows uploads of media files in Sway pages (and actively blocks uploads of executable files), there are ways to use Sway to distribute malicious executables by embedding the hosted malware within the platform.
This can be done, as mentioned above, by hosting a malicious file on Microsoft OneDrive or SharePoint and embedding it in the new Sway page. Malicious files can also be sent to users within the organization, who may open them even though they contain malware.
“Threat actors constantly seek new ways to steal users’ credentials and acquire access to users’ accounts,” Proofpoint wrote. “As this blog illustrates, Microsoft Sway serves as a suitable platform for various forms of cloud attacks since it’s a legitimate application hosted on a seemingly benign domain.”
To mitigate the impact of these threats, Proofpoint recommended companies educate users to be aware of Microsoft Sway–based embedded phishing and malware risks and, if necessary, limit the usage of Microsoft Sway in cloud environments.
Firms should also set up comprehensive account compromise detection using a cloud access security broker (CASB) solution and isolate end–user traffic when users click on links within Microsoft Sway pages.
