Menu Close

Beware of phishermen with spears! ‘PerSwaysion’ spear-phishing dupes users to get 365 log-in credentials

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Microsoft Sway has been noted being used to deceive victims into giving up their private 365 log-in credentials in a newly observed spear-phishing campaign.

Cyber-criminals appear to be now using ‘Microsoft Sway’ to dupe users into revealing Office 365 login credentials, says the latest research.

3-stage process

blog post  posted by Feixiang He, Senior Threat Intelligence Analyst at Group-IB, quantifies that the phishing attack, which has been named PerSwaysion, is a 3-stage process which takes a target from a PDF attached email, through then to Microsoft file sharing services, & then to the final phishing site.

It was warned that cyber-criminals have shown an ‘adequate level of phishing capabilities’ since Aug. 2019, the earliest moment the campaign left evidence of their activities on the internet. PerSwaysion  seems to ensnare many layers of traffic ‘whitewashing’ to get around as much corporate network defence as can be achieved.

“In the current wave of attacks, scammers primarily abuse Microsoft Sway file sharing service as the jumping board to redirect victims to actual phishing sites,” Feixiang He cautioned.


Group-IB also noticed there were other variations using Microsoft SharePoint & OneNote.

“The scammers pick legit file sharing services which have the ability of rendering seamless preview of uploaded files with phishing links. This key feature helps scammers construct web pages that strongly resemble authentic Microsoft experience,” explained Feixiang.

Back-end Servers

Also, criminals seem to separate phishing application & victim data harvesting back-end servers, giving rise to additional identity masquerading.

“Such application architecture also improves flexibility and operational continuity when phishing sites are taken down or blocked. Scammers simply deploy new instances under new domain names without disrupting overall data collection operations,” he maintained.

Feixiang said that the PerSwaysion campaign is yet another living example of highly specialised phishing threat actors working together to conduct effective attacks on a large-scale.

High Ranking

It is claimed that perhaps 156 high ranking officers of organisations are compromised. Researchers commented that high-profile victims are mainly based in the USA & Canada, but the remainder are in global & regional financial hubs e.g. Germany, the UK, Netherlands, Hong Kong & Singapore etc.

Group-IB has now organised a website where checks can be done to see if their email address was actually compromised by PerSwaysion. They added they would work with ‘appropriate parties’ in local countries in order to advise companies of breaches.


“The campaign phishing kit is primarily developed by a group of ‘Vietnamese speaking malware developers’ while campaign proliferation & hacking activities are operated by other independent groups of scammers,” he stated.

Adam Palmer, Chief Cyber-Security Strategist at Tenable, has further added that the ‘optimum means’ for an organisation to defend itself against this type of attack, in addition obviously to user awareness, is to engage in ‘good cyber-hygiene’, for example, by identifying those critical risks & patching systems with ‘common vulnerabilities’ liked by criminals, blocking malicious sites & IP addresses, enforcing multi-factor authentication (MFA), & using encryption for sensitive data.

“These recommendations make it far harder for criminals to be successful,” he counselled.

Reputable Applications

Ciaran Byrne, Head of Platform Operations at Edgescan, observed that the PerSwaysion attack, as it has been dubbed, appears to just utilise ‘reputable applications’ in order to begin a phishing platform.

“There are countless avenues a nefarious actor can take to trick a user into carrying out actions they have no intention of doing, and this seems no different. Vigilance is important, & people should always be wary when submitting any details or clicking on links in any domain. Double check the URL before entering sensitive information and hover over a link to view what the link actually is,” he concluded.


Matters here clearly to be taken extremely seriously by all professionals!


More To Explore

Community Area


Home Workouts


spaghetti Bolognese