A new phishing campaign has been identified that uses the Microsoft Sway file sharing service as part of a three-stage attack with the goal of obtaining the Office 365 credentials of high-level executives.

Group IB researchers identified the campaign and named it PerSwaysion, although versions of the attack have been identified that have used OneNote and SharePoint. The campaign is highly targeted and has been conducted on high-level executives at more than 150 companies. The individuals behind the campaign are believed to operate out of Nigeria and South Africa, with the earliest traces of the attacks indicating the campaign has been running since around the middle of last year.

The PerSwaysion attack starts with a spear phishing email sent to an executive in the targeted organization. The phishing emails include a PDF file attachment with no malicious code embedded. The PDF file just includes a link that the user is required to click to view the content of the file. The link directs the user to file on a Microsoft Sway page, which also requires them to click a link to view the content. Microsoft Sway allows the previewing of the document and displays the content without the user having to open the document. The document states the name of the sender – a known contact – and that individual’s email address with the message that a file has been shared for review along with a hyperlink with the text ‘Read Now’. Clicking the link directs the user to a phishing page with an Office 365 Single Sign-on login prompt.

The initial PDF file, Microsoft Sway page, and the login prompt on the phishing page are all branded with Microsoft Office 365 logos, and it is easy to see how many victims would be fooled into disclosing their credentials.

Once credentials have been obtained, they are used the same day to access the Office 365 account, email data is copied from the account, and it is then used to send further spear phishing emails to individuals in the victim’s contact list. The sent emails are then deleted from the victim’s sent folder to ensure the attack is not detected by the victim.

The emails include the sender’s name in the subject line, and since they have come from the account of a known contact, they are more likely to be opened. The lure used is simple yet effective, asking the recipient to open and review the shared document.

Many of the attacks have been conducted on individuals at companies in the financial services sector, although law firms and real estate companies have also been attacked. The majority of attacks have been conducted in the United States and Canada, United Kingdom, Netherlands, Germany, Singapore, and Hong Kong.

It is possible that the attackers continue to access the compromised emails accounts to steal sensitive data. Since the campaign targets high level executives, the email accounts are likely to contain valuable intellectual property. They could also be used for BEC scams to trick employees into making fraudulent wire transfers.