Quishing Mirage: The Hidden Dangers of Microsoft Sway and QR Code Phishing

Tags: Phishing, Quishing, Microsoft Sway, Phishing Prevention, Sway Phishing
A sophisticated phishing campaign has emerged, leveraging Microsoft's Sway platform to deliver deceptive QR code-based attacks, commonly referred to as "quishing." This campaign capitalizes on the trust users place in Microsoft-branded services and the rising trend of QR code usage to trick victims into clicking malicious links. The multi-layered attack aims to bypass traditional email security measures, making it particularly dangerous and challenging to detect.

Indicators of Compromise

nettis365.xyz
ffnthost365.cfd
login.msofficeopt.nl
gdu.msofficeopt.nl
msntntion0.cfd
sway.cloud.microsoft

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

ID: DS0015
Data Source: Application Log
Data Component: Application Log Content
Detects: Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically visit these sites to determine whether they are potentially malicious, or wait and capture the content if a user visits the link.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

ID: DS0022
Data Source: File
Data Component: File Creation
Detects: Monitor for newly constructed files delivered by phishing messages intended to gain access to victim systems.

ID: DS0029
Data Source: Network Traffic
Data Component: Network Traffic Content
Detects: Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15]

ID: DS0029
Data Source: Network Traffic
Data Component: Network Traffic Flow
Detects: Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
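The Application Log guidance above names three checks that fit in one mail-gateway or SOAR triage step: read the SPF/DKIM outcome from Authentication-Results, extract and (where possible) expand the links in the message, and match each link host against the campaign's indicator list. The script below is an added example, not code from the page or its publisher; it uses only the Python standard library. The sample message, the contoso.example and short.example names, and the `expand` hook (a caller-supplied redirect resolver, so the demo runs offline) are constructed for this example; the indicator domains are the ones listed on the page.

```python
"""Triage one raw email against the Sway quishing campaign indicators.

Added example (not the page's code): SPF/DKIM check from Authentication-Results,
URL extraction with an optional shortened-link expander, and host matching
against the page's IoC list. Sample data below is constructed for the demo.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Indicator domains exactly as listed in the page's Indicators of Compromise.
IOC_DOMAINS = {
    "nettis365.xyz",
    "ffnthost365.cfd",
    "login.msofficeopt.nl",
    "gdu.msofficeopt.nl",
    "msntntion0.cfd",
    "sway.cloud.microsoft",
}
# The campaign hosts its lure on Sway, a legitimate Microsoft service, so a
# link there is a weaker signal than a link to an attacker-registered domain.
SHARED_PLATFORMS = {"sway.cloud.microsoft"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample: spoofed helpdesk mail with a shortened link and an
# inline image standing in for the QR code (contoso.example / short.example are made up).
SAMPLE_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@contoso.example>
Subject: Action required: verify your mailbox
Authentication-Results: mx.contoso.example; spf=fail smtp.mailfrom=contoso.example; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Scan the QR code or open
<a href="https://short.example/x7q">the Sway page</a> to keep access.</p>
<img src="cid:qr"></body></html>
--b1
Content-Type: image/png
Content-ID: <qr>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""


def auth_results(msg):
    """Read spf= and dkim= outcomes from Authentication-Results ('none' if absent)."""
    results = {"spf": "none", "dkim": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for mech in results:
            m = re.search(r"\b%s=(\w+)" % mech, str(header), re.IGNORECASE)
            if m:
                results[mech] = m.group(1).lower()
    return results


def extract_urls(msg):
    """Collect http(s) URLs from every text/plain and text/html part."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def matches(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_message, expand=None):
    """Return (verdict, findings). `expand` maps a shortened URL to its final
    URL (a redirect resolver supplied by the caller); None leaves links as-is."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for mech, result in auth_results(msg).items():
        if result != "pass":
            findings.append(f"auth:{mech}={result}")
    for url in extract_urls(msg):
        final = (expand(url) if expand else None) or url
        host = urlparse(final).hostname or ""
        if matches(host, SHARED_PLATFORMS):
            findings.append(f"platform-link:{host}")
        elif matches(host, IOC_DOMAINS):
            findings.append(f"ioc-link:{host}")
    # A QR lure carries its URL inside an image, where URL filters cannot see
    # it, so inline images are surfaced for image/QR decoding downstream.
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            findings.append(f"image:{part.get_content_type()}")
    verdict = ("block" if any(f.startswith("ioc-link:") for f in findings)
               else "review" if findings else "allow")
    return verdict, findings


if __name__ == "__main__":
    resolver = {"https://short.example/x7q": "https://nettis365.xyz/login"}.get
    print(triage(SAMPLE_MESSAGE, expand=resolver))
```

Without an expander the sample message still lands in "review" on the SPF failure and the inline image alone; with the shortened link resolved to an attacker domain it becomes "block". Subdomain matching is deliberate, since the page lists hosts under msofficeopt.nl rather than the bare zone, and a hit on sway.cloud.microsoft is reported separately because that host is the legitimate platform the campaign abuses.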

Observed Countries (250)

AD (724)
AE (609)
AF (693)
AG (968)
AI (784)
AL (190)
AM (915)
AO (17)
AQ (745)
AR (355)
AS (158)
AT (478)
AU (140)
AW (470)
AX (585)
AZ (44)
BA (742)
BB (912)
BD (474)
BE (72)
BF (154)
BG (972)
BH (625)
BI (831)
BJ (710)
BL (398)
BM (185)
BN (406)
BO (652)
BQ (240)
BR (482)
BS (258)
BT (774)
BV (308)
BW (536)
BY (341)
BZ (143)
CA (117)
CC (139)
CD (256)
CF (704)
CG (83)
CH (97)
CI (422)
CK (261)
CL (884)
CM (523)
CN (73)
CO (331)
CR (863)
CU (367)
CV (798)
CW (941)
CX (102)
CY (221)
CZ (384)
DE (508)
DJ (9)
DK (138)
DM (133)
DO (533)
DZ (878)
EC (902)
EE (420)
EG (365)
EH (270)
ER (674)
ES (156)
ET (418)
FI (200)
FJ (653)
FK (679)
FM (567)
FO (600)
FR (531)
GA (126)
GB (168)
GD (533)
GE (794)
GF (200)
GG (51)
GH (853)
GI (457)
GL (46)
GM (604)
GN (899)
GP (195)
GQ (387)
GR (942)
GS (772)
GT (18)
GU (837)
GW (52)
GY (424)
HK (444)
HM (905)
HN (135)
HR (329)
HT (157)
HU (445)
ID (50)
IE (706)
IL (399)
IM (666)
IN (553)
IO (346)
IQ (92)
IR (187)
IS (88)
IT (254)
JE (770)
JM (193)
JO (796)
JP (584)
KE (847)
KG (826)
KH (972)
KI (477)
KM (122)
KN (675)
KP (206)
KR (560)
KW (557)
KY (344)
KZ (740)
LA (66)
LB (600)
LC (176)
LI (826)
LK (138)
LR (258)
LS (141)
LT (744)
LU (761)
LV (42)
LY (142)
MA (368)
MC (472)
MD (914)
ME (455)
MF (74)
MG (798)
MH (314)
MK (638)
ML (402)
MM (891)
MN (447)
MO (276)
MP (327)
MQ (762)
MR (312)
MS (341)
MT (903)
MU (715)
MV (630)
MW (185)
MX (15)
MY (253)
MZ (779)
NA (744)
NC (288)
NE (168)
NF (594)
NG (643)
NI (866)
NL (150)
NO (851)
NP (176)
NR (918)
NU (423)
NZ (881)
OM (729)
PA (11)
PE (637)
PF (912)
PG (108)
PH (663)
PK (406)
PL (686)
PM (22)
PN (243)
PR (142)
PS (332)
PT (320)
PW (286)
PY (629)
QA (402)
RE (618)
RO (55)
RS (645)
RU (744)
RW (574)
SA (560)
SB (770)
SC (895)
SD (660)
SE (406)
SG (624)
SH (642)
SI (214)
SJ (4)
SK (670)
SL (751)
SM (859)
SN (210)
SO (464)
SR (791)
SS (829)
ST (769)
SV (809)
SX (245)
SY (927)
SZ (869)
TC (105)
TD (492)
TF (728)
TG (916)
TH (306)
TJ (871)
TK (276)
TL (775)
TM (305)
TN (623)
TO (983)
TR (871)
TT (719)
TV (159)
TW (115)
TZ (541)
UA (615)
UG (547)
UM (767)
US (74)
UY (601)
UZ (623)
VA (614)
VC (512)
VE (61)
VG (121)
VI (403)
VN (187)
VU (870)
WF (400)
WS (372)
XK (611)
YE (460)
YT (63)
ZA (859)
ZM (97)
ZW (409)