- 퀄컴, 베트남 빈AI의 생성형 AI 부문 ‘모비안AI’ 인수··· AI 솔루션 고도화 박차
- 블로그 | 정치적 격동기에 IT 리더가 할 수 있는 역할
- 완전 자율 주행 자동차가 관광 산업에도 영향··· 웨이모, ‘2025 관광 영향 보고서’ 발간
- European cloud group invests to create what it dubs “Trump-proof cloud services”
- The OnePlus 12 is still a powerhouse in 2025 - and it's on sale for a limited time
Microsoft Sway Pages Weaponized to Perform Phishing and Malware Delivery
Threat actors have recently conducted phishing campaigns using Microsoft Sway and used the platform to distribute malware within organizations.
The findings come from cybersecurity experts at Proofpoint, who released an advisory about the new threat on Monday.
“An attacker can weaponize a Sway page by either compromising a Microsoft 365 account within the target organization (to phish more users) or creating a Sway page within their own Microsoft 365 account outside the target organization,” reads the technical write–up.
According to the advisory, most phishing attack vectors observed by Proofpoint involved clicking a direct link to a phishing page. The company also highlighted that Microsoft typically uses a warning pop–up to attempt to discourage users from falling prey to such phishing attempts.
“However, Proofpoint cloud security research indicates that attackers can phish users using an embed method within Microsoft Sway without a warning pop–up,” the company wrote. “This involves a user clicking on a link in an embedded malicious document within a Sway page.”
Further, while Microsoft only allows uploads of media files in Sway pages (and actively blocks uploads of executable files), there are ways to use Sway to distribute malicious executables by embedding the hosted malware within the platform.
This can be done, as mentioned above, by hosting a malicious file on Microsoft OneDrive or SharePoint and embedding it in the new Sway page. Malicious files can also be sent to users within the organization, who may open them even though they contain malware.
“Threat actors constantly seek new ways to steal users’ credentials and acquire access to users’ accounts,” Proofpoint wrote. “As this blog illustrates, Microsoft Sway serves as a suitable platform for various forms of cloud attacks since it’s a legitimate application hosted on a seemingly benign domain.”
To mitigate the impact of these threats, Proofpoint recommended companies educate users to be aware of Microsoft Sway–based embedded phishing and malware risks and, if necessary, limit the usage of Microsoft Sway in cloud environments.
Firms should also set up comprehensive account compromise detection using a cloud access security broker (CASB) solution and isolate end–user traffic when users click on links within Microsoft Sway pages.
