You may not be familiar with Microsoft Sway or at least have never used it. But cybercriminals have been exploiting this web app to send phishing emails to unsuspecting victims, according to a new report from Avanan.

Available on the Web and as a Windows 10 app, Microsoft Sway lets you create presentations, newsletters, and documentation complete with photos, videos, and other media. You can then post your presentation on the Web via a shareable link that anyone can click to view it.

However, even if your organization doesn’t use this software, you can still be vulnerable to phishing attacks that are hosted from Sway, according to Avanan. Here’s how.

By creating and posting a Sway page on sway.office.com, criminals can devise landing pages that look legitimate but actually carry malicious content. Since the pages are hosted on Microsoft’s own Sway domain, the pages and their links are automatically trusted by URL filters and can easily fool users into thinking they’re valid.

SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)

If you log into a Sway site with an Office account, these pages appear with Office 365 styling and menus to make them appear more convincing. A malicious Sway page can include trusted brand names affiliated with Microsoft, such as a SharePoint logo. Such a page typically displays a tempting URL that invites the user to click on it but then downloads malware or triggers a spoofed login page (Figure A).

To convince potential victims to access a malicious Sway phishing page, cybercriminals will send emails with notifications for voicemails or faxes, hoping that unsuspecting users will click on the link or image.

Last year, Microsoft did roll out phishing detection to Microsoft Forms, an online product that lets people create surveys, quizzes, and polls.

Figure A

Figure A
Image: Avanan

In one example cited by Avanan, a phishing email was sent from an onmicrosoft.com email address. Because Microsoft trusts the domain, this email is able to bypass basic spoofing filters. The right type of branding and look for the email persuades users that it contains a legitimate fax.

A recent date next to the “Fax Received at” text suggests that this is a sophisticated attack since adding a timestamp makes the spoofed email seem urgent and important.

The preview image of the fax itself looks too important to ignore. Two links in the email to the alleged fax and fax service point to sway.office.com (Figure B).

Even if the intended victim doesn’t use Sway, that person will likely trust any email from office.com. Microsoft itself trusts the Sway and Office domains, so this URL will sneak past Safe Link settings. Other links in the email pointed to LinkedIn, another trusted site.

This type of phishing attack can succeed because it sends users to a trusted page hosted by Microsoft rather than a compromised website that would likely be blocked by web browsers and blacklists.

Figure B

Figure B
Image: Avanan

In response to a request for comment, a spokesperson for Microsoft sent TechRepublic the following statement:

“Contrary to Avanan’s marketing claims, Microsoft does not automatically trust any domain, including the Office and Sway domains. All links are analyzed, assessed and compared to known attack vectors, including local domains. Additionally, Microsoft performs a complete assessment of Sway content, including the scanning of links on the pages.”

Responding to Microsoft’s statement, Avanan content marketing manager Reece Guida pointed to the specific attack found by the company and said: “Our security team found that Microsoft did not block Office and Sway domains in this attack. This attack vector wasn’t known. This attack affected Avanan clients using EOP (Exchange Online Protection) and ATP (Advanced Threat Protection), and none of the links were blocked by Microsoft, suggesting that they weren’t scanned by Microsoft.”

To follow up on Guida’s comment, Avanan founder Michael Landewe said that the company can only speak to what it finds in real-world analysis.

“In this case, our customers received a burst of email messages similar to those described in the post, each pointing to a different Sway document. Most are still online,” Landewe said. “Each Sway document pointed to a spoofed Microsoft login. While the malicious sites are no longer online, at the time, each was deemed malicious by a variety of tools including Chrome, Firefox, Opera, and Microsoft’s own Edge browser. Because of this, we could only assume that the link within the Sway documents had not been scanned. (It is possible that the infrastructure that Microsoft uses to scan documents within Sway are of a different technology and have not yet taken down these pages from last month.)

“The reason that attackers host these malicious links within Microsoft servers is because both Microsoft, and users tend to trust Microsoft sites,” Landewe added. “For a long time, attackers have linked users to malware hosted in OneDrive, and many articles have been posted on this methodology. This attack vector of hosting a malicious URL within a Sway document has been known for over a year. At the time, it was considered a ‘small and apparently untargeted’ method.

“The reason for the blog post is to alert users to the fact that there are now active and aggressive campaigns in the wild,” Landewe continued. “Because we monitor and block threats behind Microsoft’s EOP and ATP, we can determine that the Sway invites are not currently being blocked by Outlook/Office 365 email filters. Because the malicious Sway documents are still online a month after the active campaign, we can only assume that Microsoft is unaware that they contain malicious links.”

How to protect yourself

Avanan customers who were targeted in this Sway phishing attack received the same message from different senders. Because the criminals use multiple senders and domains, blacklisting them won’t work.

Instead, many customers have simply blacklisted sway.office.com in their web filters. Unless your organization actively uses Sway, your best bet is to do the same and block any links from this domain, suggests Avanan.

On its end, Microsoft does offer ways that you can submit spam or phishing messages that passed through its spam filters.

This article was updated on January 14, 2020, with comments from Avanan.