EvoCorp uncovers PerSwaysion — sophisticated phishing campaign targeting executives worldwide

Group-IB, a Singapore-based cybersecurity company, has identified a series of sophisticated, successful phishing attacks against the management and executives of more than 150 companies around the world. The campaign, dubbed PerSwaysion due to its extensive abuse of Microsoft Sway, has been active since at least mid-2019 and was attributed to Vietnamese-speaking developers and Nigerian operators. The cybercriminals behind the PerSwaysion campaign gained access to many confidential corporate MS Office365 emails, mainly of financial service companies, law firms, and real estate groups. The PerSwaysion campaign proliferates at an alarming rate by leveraging compromised accounts’ email data to select further targets who hold important roles in their companies and share business relations with the victims. Group-IB continues to work with the relevant parties in local countries to inform the affected companies of the breach.

Not brute force but only PerSwaysion
PerSwaysion is a highly targeted phishing campaign. One of its defining signatures is that it spreads like wildfire, jumping from one victim to another, while no malware is present on the user's device during the attack. A new round of phishing attempts leveraging the current victim’s account usually takes less than 24 hours. The campaign resulted in the compromise of 156 high-ranking officers in global and regional financial hubs such as the US, Canada, Germany, the UK, the Netherlands, Hong Kong, Singapore, and other locations. The PerSwaysion campaign primarily focuses on financial services companies (~50%), law firms, and real estate companies in order to conduct further supply-chain attacks against their clients and business contacts. Group-IB set up a website where anyone can check whether their email was compromised by PerSwaysion.

The PDF attachment is a well-crafted Office 365 file-sharing notification that mimics the legitimate format. Upon clicking “Read Now”, the victim, who in most cases is a high-ranking officer, is taken to a file hosted on MS Sway in this case. The attackers pick legitimate cloud-based content sharing services, such as Microsoft Sway, Microsoft SharePoint, and OneNote, to avoid traffic detection. The page resembles an authentic Microsoft Office 365 file sharing page. However, it is a specially crafted presentation page that abuses Sway's default borderless view.

© 2020 EvoCorp. All rights reserved