Office 365 Users: Beware of Phishing Emails

One of phishers’ preferred methods for fooling both targets and email filters is to use legitimate services to host phishing pages. The latest example of this involves Office 365 users being directed to phishing and malicious pages hosted on Office Sway, a web application for content creation that’s part of Microsoft Office.

 

The email

The email that tries to trick recipients into visiting the phishing page isn’t stopped by Microsoft’s filters, likely because:

  • It was sent from an onmicrosoft.com email address
  • It includes links that point to sway.office.com and other trusted sites (e.g., LinkedIn)

It pretends to be a fax receipt notice, shows a small image of the supposedly received fax, and asks the user to open the attachment to view it.

 

The phishing Office Sway page

Those who fall for the scheme are directed to a landing page hosted on Sway, which instructs them to click on another link that will either download a malicious file or lead them to a spoofed Office 365 login page:

The Sway page will include trusted brand names. Most commonly, the spoofed brands are Microsoft-affiliated, just like the SharePoint logo shown in the example above.

And if the recipient is logged into an Office account, Sway pages appear wrapped in Office 365 styling with accompanying menus, making the page even more convincing.

Attackers can turn Microsoft Sway into almost any site they like, leading both Outlook and even the most savvy recipients to trust sway.com links. And because the attackers use multiple senders and domains, blacklisting those senders and domains won’t work.

One effective way to prevent these phishing emails from coming in is to blacklist sway.office.com in your email spam filters. Unless your organization actively uses Sway, you should consider blocking Sway links.
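As an added illustration (not code from the original article or from any mail product), the following Python sketch shows the logic such a filter rule applies: it pulls link targets out of a message and quarantines it when any target's hostname is sway.office.com. The sample message, the function names and the `org_uses_sway` opt-out are assumptions made for this example.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"sway.office.com"}  # the host the article suggests blocking
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: fax@tenant-example.onmicrosoft.com
To: user@example.com
Subject: New fax received
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p><a href="https://SWAY.office.com/EXAMPLE-ID">View fax</a></p>
<p><a href="https://www.linkedin.com/company/example">LinkedIn</a></p>
"""

class HrefCollector(HTMLParser):
    """Collect the href targets of <a> tags, ignoring the displayed link text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def extract_urls(msg):
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = HrefCollector()
            collector.feed(part.get_content())
            urls += collector.hrefs
        elif part.get_content_type() == "text/plain":
            urls += URL_RE.findall(part.get_content())
    return urls

def is_blocked(url, blocked=BLOCKED_HOSTS):
    # Compare the parsed hostname, not a substring of the URL.
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return any(host == b or host.endswith("." + b) for b in blocked)

def verdict(raw, org_uses_sway=False):
    """Return (action, matching_urls); org_uses_sway is a hypothetical opt-out."""
    msg = message_from_string(raw, policy=policy.default)
    hits = [u for u in extract_urls(msg) if is_blocked(u)]
    return ("deliver" if org_uses_sway or not hits else "quarantine"), hits
```

Matching on the parsed hostname keeps the rule scoped to Sway, so links to other office.com hosts are unaffected.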

 

What to Do If You Suspect a Phishing Attack

If you get an email or a text message that asks you to click on a link or open an attachment, answer this question: Do I have an account with the company or know the person that contacted me?

If the answer is “No,” it could be a phishing scam.

If the answer is “Yes,” contact the company using a phone number or website you know is real, not the information in the email. Attachments and links can install harmful malware.

When in doubt, always contact your IT department for further analysis of the email in question. Most phishing emails are very well socially engineered and take an expert set of technical eyes to identify. Contact us for expert computer services in Watsonville; Adaptive can help protect your business from cybersecurity threats.

 

Adaptive Information Systems was founded with the mission to help businesses get the most out of their technology investments. Are you looking for great computer services in Watsonville? We are ready to manage your IT needs so you can focus on running your business.

831-644-0300
