Will This Sway You To Never Trust A Strange QR Code?

Source: Bleeping Computer

A Phisher’s Best Friend

The rise of the QR code has been a nightmare for security professionals; many users who wouldn’t click on a suspicious link in a random email will happily scan a QR code and visit the site associated with it. That is a great way to send someone somewhere they’d rather not be, and either infect the device or use the site to steal credentials. A major attack using QR codes and targeting users of Microsoft Sway has been discovered, with some rather sophisticated techniques for remaining undetected. Microsoft Sway presentations are popular with upper-level managers, and that is exactly how this attack was targeted. The attackers were also successful in more than 100 cases.

The QR code came via email, and pointed to sites actually hosted on the sway.cloud.microsoft domain. The attackers used a variety of techniques, such as transparent phishing, which directed the user to the legitimate site but would allow the attacker not only to capture the credentials entered to log into Microsoft Sway but also to intercept, or at least read, the MFA codes generated after a successful login. Even worse, they leveraged Cloudflare Turnstile to hide their sites from scanners, so reputation-based tools like Google Safe Browsing had no reason to block the sites, and the attackers could keep running them.

Bleeping Computer posted information on who finally managed to detect the cause of the 2000-fold increase in phishing attacks against Microsoft Sway users, but as they do not specify that all sites have been shut down, the campaign could still be active. Regardless, do not trust that QR code unless you are positive it came from a valid source.

The attackers employed several tactics to further boost their campaign's effectiveness, like transparent phishing, where they stole the credentials and multi-factor authentication codes and used them to sign the victims into their Microsoft accounts while showing them the legitimate login page.
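Because the lure pages sat on sway.cloud.microsoft, a reputation check on the domain alone passes them. The sketch below is an added example, not code from Bleeping Computer or this post. It shows how a mail-gateway triage step could label a link decoded from a QR code as user-published content on a trusted host rather than simply "Microsoft". The function name, labels and sample payloads are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

# Hosts where anyone can publish pages under a trusted vendor domain.
# Only sway.cloud.microsoft comes from the article; extend for your own estate.
USER_CONTENT_HOSTS = {"sway.cloud.microsoft"}


def triage_qr_url(payload):
    """Classify text decoded from a QR code in an inbound email.

    Returns (label, host): 'reject', 'user-content' or 'external'.
    """
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname  # ignores any "user@" prefix and the port
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ("reject", None)
    if parts.scheme not in ("http", "https") or not host:
        return ("reject", None)
    host = host.lower().rstrip(".")  # "Sway.Cloud.Microsoft." is the same host
    for trusted in USER_CONTENT_HOSTS:
        # Exact or true-subdomain match only; a plain substring test would
        # accept "sway.cloud.microsoft.example.net".
        if host == trusted or host.endswith("." + trusted):
            return ("user-content", host)
    return ("external", host)


# Constructed sample payloads (not taken from the campaign).
SAMPLES = [
    "https://sway.cloud.microsoft/EXAMPLE-ID?ref=email",
    "HTTPS://Sway.Cloud.Microsoft./EXAMPLE-ID",
    "https://sway.cloud.microsoft@login.example.net/EXAMPLE-ID",
    "https://sway.cloud.microsoft.example.net/",
    "WIFI:S:guest;T:WPA;P:constructed;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_qr_url(sample), sample)
```

A `user-content` result is the case the article describes: the host is legitimate, so the page itself has to be inspected or the user warned, instead of allowing the link on domain reputation.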


About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.
