Access Management , Account Takeover Fraud , Anti-Phishing, DMARC

Phishing Campaigns Target Senior Executives via Office 365

Top Victims Include Financial Services and Law Firms, Group-IB Warns
Phishing Campaigns Target Senior Executives via Office 365
Locations of phishing campaign victims (Source: Group-IB)

A highly targeted phishing campaign has hit high-level executives at more than 150 businesses, stealing confidential documents and contact lists, says security firm Group-IB.

See Also: Strengthening Microsoft 365 with Human-centric Security

The campaign, which targets Office 365 users, appears to have been running since mid-2019 and to trace to attackers based in Nigeria who are using attack tools built by Vietnamese-speaking developers, Singapore-based Group-IB reports. About half of the victim organizations it's identified are financial services firms, with law firms and real estate companies comprising part of the remainder.

"The campaign [has] resulted in the compromise of 156 high-ranking officers in global and regional financial hubs such as the U.S., Canada, Germany, the U.K., Netherlands, Hong Kong, Singapore, and other locations," Group-IB says in a new research report.

It's dubbed the attack campaign "PerSwaysion," because the attacks often use Microsoft Sway and other cloud-based tools to try to persuade users to visit legitimate-looking phishing pages and enter their log-in credentials.

Attackers have been abusing Microsoft Sway to create realistic-looking phishing pages. (Source: Group-IB)

The security firm says it discovered the campaign while investigating a security incident at an unnamed Asian business earlier this year and has been attempting to notify victims. It's also set up a website for organizations to submit an email address and check if it's on any of the target lists recovered by the security firm.

"Group-IB has attempted to contact all the victims and has managed to reach out to the majority of the companies affected by PerSwaysion so far," Feixiang He, a senior threat intelligence analyst at Group-IB, tells Information Security Media Group.

3-Stage Attack

Group-IB says attackers behind this campaign use legitimate cloud-based Microsoft tools - including Microsoft's Sway, SharePoint and OneNote services - to make their Office 365 user account phishing efforts look legitimate. The campaign relies on a three-stage social engineering effort:

  1. PDF attachment: This is designed to resemble a legitimate Office 365 file-sharing notification, with a "read now" link, which, if clicked, goes to stage two.
  2. Legitimate-looking file-sharing page: Users who click "read now" get taken to a page purporting to be a legitimate Microsoft Office 365 file-sharing site, built using Microsoft Sway, SharePoint or OneNote to make it look more legitimate to security tools. "However, this is a specially crafted presentation page which abuses Sway default borderless view," Group-IB says.
  3. Phishing site: That page leads to a phishing site disguised to look like a 2017-era Microsoft single sign-on page. "Here the victim is assigned a unique serial number by the phishing kit, which serves as a rudimentary fingerprinting technique," Group-IB says. If a user inputs their corporate Office 365 credentials into the page, they get routed to a separate data server and an email gets immediately sent to attackers. "This extra email is used as a real-time notification method to make sure attackers react on freshly harvested credentials."
Stage 1 of the attack involves a phishing email with attached PDF (Source: Group-IB)

"Microsoft Sway phishing is something that needs work," tweets British security researcher Kevin Beaumont. "It’s a bit of an own goal as there’s no easy way to report phishing."

Target: Office 365 Users

Office 365 users remain a prime target for attackers, most often via phishing campaigns. "A lack of multifactor authentication and support for basic authentication are underpinning their exposure," says incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements.

According to the sixth Data Security Incident Response Report released by law firm BakerHostetler this week, based on more than 1,000 incidents it investigated in 2019, 38% of all the security incidents - including data breaches - that it examined traced to phishing attacks. Of those, 31% involved Office 365 account takeovers.

Source: BakerHostetler (n=1,000+)

Attackers may also attempt to gain access to a large number of accounts using credential-stuffing attacks or dictionary lists of weak passwords, and many firms fail to log their "O365" environments to help them detect breaches, or how a breach began or what data may have been stolen, says Stubley (see: Business Email Compromise: Must-Have Defenses).

Nigerian and South African Fraudsters

Who's behind these attacks? "Our research shows that the current PerSwaysion phishing kit is a product of Vietnamese-speaking developers, while the campaign proliferation and phishing activities are carried out by different groups of threat actors," says Group-IB's He.

Victims by sector (Source: Group-IB)

The earliest known activity tied to these attackers dates to July 2017 and a group of threat actors operating from Nigeria and South Africa, allegedly led by a Nigerian individual who goes by the nickname Sam, and specializing not only in phishing attacks but also online shopping scams, He says.

After discovering the PerSwaysion campaign, Group-IB says the earliest version of the phishing kit that it's been able to find dates from Aug. 9, 2019.

"The current version of the kit has several intriguing features, which allowed us to establish that it was developed by Vietnamese-speaking individuals: the user input validation module (VeeValidate_) … used in the code only includes Vietnamese localization," even though the tool can support 48 different languages, He says. VeeValidate is a tool for the Vue JavaScript user interface framework.

Cybercrime Service Economy

Why the phishing kit was first created isn't clear - was developed to order, or pitched from developers to crime gangs?

Source: Group IB

"Currently, the PerSwaysion phishing kit is only circulating among a limited number of loosely connected phishing operation groups," He says. "There is no evidence so far of public sales of the current version used by the operators of the PerSwaysion campaign on underground markets. We assume that the developers sell their product to the operators for a direct profit - a common practice in the underground community."

Security experts say that the ever-expanding cybercrime service industry makes it easier than ever for attackers, who may not have advanced coding skills, to find developers capable of giving them hacking and phishing tools that are sufficiently advanced to enable them to turn a reliable profit (see: From Cybercrime Zero to 'Hero' - Now Faster Than Ever).

Goal: Illicit Profits

Phishing attacks aimed at Office 365 users typically aim to fool recipients into transferring money to attackers, via fake invoices or other tricks. These business email compromise attacks can net millions of dollars for criminals (see: French Cinema Chain Fires Dutch Executives Over 'CEO Fraud').

Group-IB hasn't described how much victims may have lost to PerSwaysion attacks. It also says that at least so far, it hasn't been able to trace any data being sold on cybercrime markets to attackers who've been wielding the PerSwaysion phishing kit, although it says it's monitoring for such behavior. But it cautions that attackers have been stealing lists of email addresses from victims to use in further, targeted attacks. Also, any data attackers have stolen will take time to process, to see if it holds any potentially valuable information.

"Given that PerSwaysion campaign is gaining momentum and the number of victims is growing, it’s likely that victims’ business data, such as nonpublic financial records or sensitive trading information from financial services companies, could be put up for sale in underground markets," He says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.