In the last few months, multiple groups of attackers successfully compromised corporate email accounts of at least 156 high-ranking officers at various firms based in Germany, the UK, Netherlands, Hong Kong, and Singapore.
Dubbed ‘PerSwaysion,’ the newly spotted cyberattack campaign leveraged Microsoft file-sharing services—including Sway, SharePoint, and OneNote—to launch highly targeted phishing attacks.
According to a report Group-IB Threat Intelligence team published today and shared with The Hacker News, PerSwaysion operations attacked executives of more than 150 companies around the world, primarily with businesses in finance, law, and real estate sectors.
“Among these high-ranking officer victims, more than 20 Office365 accounts of executives, presidents, and managing directors appeared.”
“By late September 2019, PerSwaysion campaign has adopted much mature technology stacks, using Google appspot for phishing web application servers and Cloudflare for data backend servers.”
Like most phishing attacks aiming to steal Microsoft Office 365 credentials, fraudulent emails sent as part of PerSwaysion operation also lured victims with a non-malicious PDF attachment containing ‘read now’ link to a file hosted with Microsoft Sway.
“The attackers pick legitimate cloud-based content sharing services, such as Microsoft Sway, Microsoft SharePoint, and OneNote to avoid traffic detection,” the researchers said.
images from Hacker News