Sway and Pray
Forcepoint Security Labs have recently come across a novel method for distributing malicious links that will bypass many link scanners and domain reputation classifiers and could see even suspicious minded people click that link: Microsoft Sway.
Sway is member of the Office 365 group of apps and is very much like PowerPoint in that they are both presentation tools. Sway is a little more streamlined and provides, among other things, the ability to send a multimedia newsletter as a link. The newsletter could be as simple as a single image and is hosted on the Office.com domain, as we shall see.
Sway closer...
What we have observed is a malicious clickable link embedded in a Sway newsletter being hosted on the very legitimate sub-domain ‘sway.office.com’. As can be seen in Figure 1 the newsletter contains some large text which comprises a hyperlink to the malicious domain.
Interestingly, as the links are embedded in the hosted newsletter (which is treated as an image by the browser) and not part of the page source code it will be very difficult for many scanners and parsers to be able to extract them for analysis, further hindering detection. Furthermore, office.com is very probable to be not only whitelisted by security tools but also trusted by humans, and people are much more likely to believe that anything living on a legitimate domain is itself legitimate or at the very least not immediately suspicious.
In the past two months we have observed approximately 1100 phishing mails using the identified URL which is not representative of a particularly large campaign. There doesn’t appear to be a specifically targeted location for this campaign but rather a ‘spray-and-pray’ approach.
At the time of analysis, the URL redirects through multiple domains according to a user’s geographical location, to eventually end at porn-based email harvesters.
Conclusion
While this particular campaign is small and apparently untargeted, the novel approach of using Sway merits some discussion. Of course, phishing and spam are the obvious use cases and the most common attacks we expect we will see.
However, consider a more advanced approach: Sway is used to carefully craft a target specific newsletter with embedded links to a newly created typosquatted domain containing the landing page for an exploit kit. This would be a particularly effective vector for a targeted compromise somewhat akin to a strategic web compromise and, as mentioned previously, has a high probability of circumventing many security controls.
As has been shown, the use of an office domain to allow malicious links to be spread is a challenge to defenders due to the trust relationship many companies have with O365. Organisations need to focus not only on static monitoring of activity, but on risk-adaptive technologies which can detect, disrupt and deny this type of behaviour on trusted platforms as early as possible.
Protection Statement
Forcepoint customers are protected against this threat by Forcepoint Email Security and Forcepoint Web Security at the following stages of attack:
- Stage 3 (Delivery) – Phishing emails are identified and blocked.
- Stage 4 (Exploitation) – Malicious websites are identified and blocked.
IOCs
hxxps://sway.office[.]com/b8CB6ivdvp6sc3Qg