New Phishing Attack Uses QR Codes and Microsoft Sway to Steal Login Details

Cybersecurity experts are sounding the alarm on a new phishing campaign that uses QR codes—referred to as quishing—to steal user credentials by exploiting Microsoft Sway. The campaign takes advantage of the platform’s infrastructure to host fake login pages, once again showcasing how legitimate cloud services can be misused for malicious purposes.

“Attackers use trustworthy cloud applications to make their content appear more credible to victims,” explained a researcher from a leading cybersecurity lab. “When a victim is already logged into their Microsoft 365 account, they are more likely to trust a Sway page, further enhancing the scam’s effectiveness. These pages can be shared via URL, visual links, or embedded directly into websites.”

This campaign has primarily targeted users in Asia and North America, with industries such as technology, manufacturing, and finance being the hardest hit.

Microsoft Sway, a cloud-based tool for creating newsletters, presentations, and documents, has been part of the Microsoft 365 suite since 2015. Starting in July 2024, there was a staggering 2,000-fold increase in traffic to unique phishing pages hosted on Sway. These pages serve fake QR codes, which, when scanned, redirect users to phishing websites designed to steal their Microsoft 365 login credentials.

To avoid detection, some of these quishing campaigns have employed Cloudflare Turnstile to obscure their domains from static URL scanners. Additionally, the attacks use adversary-in-the-middle (AitM) tactics, allowing them to intercept both login credentials and two-factor authentication (2FA) codes by mimicking legitimate login pages.

“QR codes pose unique challenges to defenders because the URL is hidden within an image, allowing it to bypass email scanners that only analyze text,” the researcher added. “Moreover, when users scan these codes with a mobile device, they are often more vulnerable due to weaker security measures on phones compared to desktops and laptops.”

This isn’t the first time Microsoft Sway has been exploited for phishing. Back in April 2020, a campaign named PerSwaysion compromised the email accounts of over 150 senior executives in Germany, the U.K., the Netherlands, Hong Kong, and Singapore by using Sway to direct them to credential-stealing sites.

As quishing attacks evolve, they are becoming more sophisticated, outpacing the security measures designed to block these threats. In a recent twist, attackers have begun creating QR codes using Unicode text characters instead of images, a method termed ‘Unicode QR Code Phishing.’

This approach is particularly dangerous because it can bypass traditional image-based detection systems. The Unicode QR codes appear flawlessly on screens but are difficult to detect when viewed in plain text, complicating security efforts.
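A defender can look for this pattern in the decoded text of a message rather than in its images. The following is an added example, not code from the researchers or any product named in the article; it assumes the code is drawn with characters from the Unicode Block Elements range (U+2580 to U+259F), one grid row per text line, and the thresholds and sample message are constructed for illustration.

```python
import re

# Assumption: text-drawn QR codes use Unicode "Block Elements" glyphs
# (U+2580-U+259F), padded with ordinary or non-breaking spaces.
BLOCKS = re.compile(r"[\u2580-\u259F]")
FILLER = re.compile(r"[\u2580-\u259F \u00A0]")
MIN_COLS = 21   # assumption: the smallest QR symbol is 21x21 modules
MIN_ROWS = 10   # assumption: half-block glyphs pack two module rows per line


def is_grid_row(line: str) -> bool:
    """True if the line looks like one row of a text-drawn matrix code."""
    if len(line) < MIN_COLS:
        return False
    filler = len(FILLER.findall(line))
    blocks = len(BLOCKS.findall(line))
    # Nearly every character is a block or space, and a real share are blocks.
    return filler / len(line) >= 0.95 and blocks / len(line) >= 0.2


def find_text_qr(body: str):
    """Return (first_line, last_line) index pairs of suspected text QR codes."""
    hits, start = [], None
    for i, line in enumerate(body.splitlines() + [""]):  # sentinel ends a run
        if is_grid_row(line):
            if start is None:
                start = i
        else:
            if start is not None and i - start >= MIN_ROWS:
                hits.append((start, i - 1))
            start = None
    return hits


def constructed_grid(rows=11, cols=23):
    """Constructed block-glyph grid (not a decodable QR code) for testing."""
    glyphs = "\u2588\u2580\u2584 "  # full block, upper half, lower half, space
    return ["".join(glyphs[(r * 7 + c * 3) % 4] for c in range(cols))
            for r in range(rows)]


# Constructed sample message body.
SAMPLE = "\n".join(["Hello,", "Scan the code below to re-authenticate:",
                    *constructed_grid(), "Thanks,", "IT Support"])

if __name__ == "__main__":
    print(find_text_qr(SAMPLE))
```

A hit is a reason to route the message for closer inspection, not proof of phishing, since text-drawn charts and banners can trip the same heuristic.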

To prevent falling victim to these sophisticated phishing campaigns, it is crucial to remain vigilant and skeptical of unexpected QR codes, especially those received via email or messages. Always verify the source before scanning a QR code, and consider using dedicated security apps that can analyze QR codes for potential threats.