I use Microsoft’s Sway; I really like it for image-heavy content. Unfortunately, the cybercriminals like it too, for a different reason. Let’s talk about how to protect your organization from Sway-based phishing and malware.
This topic hadn’t been on my radar until earlier this week, when I got a call from a blog reader in Las Vegas (thank you, content marketing!). The caller thought he might have fallen for a phishing message and wanted our help in responding to the attack. As I gathered the details during our call, he described this scenario.
- He received an email to each of several different email addresses, all from a colleague at another company. The emails said that there was an attached file for him. (This is one of the lures we describe when we conduct anti-phishing training.)
- When he followed the file link, it took him to a Sway page. On that page he found a fake page asking him to enter his username and password. Luckily, he knew to hover over anything clickable (also something we teach in our anti-phishing training) and got suspicious when he saw an address with a .ml domain.
Fortunately, he didn’t enter any information and we were able to determine that his computer didn’t appear to be compromised. But it made me wonder: what is it about Sway that would encourage Sway-based phishing and malware? My initial thought was that Sway supported lots of media types, which can be used to disguise malware executables. As it turns out, there’s another explanation, via this TechRepublic article.
How Sway-based Phishing and Malware Can Work
Cybercriminals take advantage of the fact that Sway pages are hosted on a legitimate Microsoft domain, sway.office.com, which URL filters already trust. As a result, it’s easier to avoid detection by URL filters, so Sway-based phishing and malware have a better chance of getting through. What’s more, if the user is logged into their Microsoft account when they encounter a Sway-based phishing or malware page, it will automatically be rendered with Office 365 styles, making the page seem more genuine.
There’s another twist to the story. Sway is set up to allow for sharing only with authenticated users. This is generally a good idea. It means that if I send you a link to a Sway, clicking on the link will take you to a page asking you to enter your Microsoft account credentials. An unsuspecting user could be fooled into providing credentials to a fake login page.
Protect Your Organization with These Two Steps
Microsoft will get this fixed, I’m sure. (They already fixed this problem in their Forms service.) In the meantime, take these two steps.
- Consider blacklisting sway.office.com. If your organization isn’t using Sway, users shouldn’t be affected.
- If users are using Sway (and even if they’re not), make sure you provide anti-phishing training. A knowledgeable user is still a part of every organization’s security posture.
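As an added example (not code from the original post), here is a small Python triage check that applies the two points above to links pulled from an email: it flags any link whose real host is sway.office.com or a subdomain of it (the block-list step), any host that merely embeds that trusted name inside an unrelated domain (the kind of thing the hover check reveals), and any link whose visible text names one host while the href points to another. The function names, the .ml and .example hosts, and the sample links are all constructed for this illustration.

```python
from urllib.parse import urlparse

# Host the post suggests blocking when the organization does not use Sway.
BLOCKED_HOSTS = {"sway.office.com"}


def _host(url: str) -> str:
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _is_under(host: str, parent: str) -> bool:
    """True when host equals parent or is a subdomain of it."""
    return host == parent or host.endswith("." + parent)


def _shown_host(text: str) -> str:
    """Hostname the visible link text appears to name, '' for plain words."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "https://" + candidate
    host = _host(candidate)
    return host if host and " " not in host and "." in host else ""


def classify_link(text: str, href: str) -> list:
    """Return the reasons a link is suspicious (empty list means none).

    text is the visible anchor text, href the real target: this is the
    'hover over anything clickable' check from the post, done in code.
    """
    reasons = []
    real, shown = _host(href), _shown_host(text)
    for blocked in BLOCKED_HOSTS:
        if _is_under(real, blocked):
            reasons.append("blocked-host:" + blocked)
        elif blocked in real:
            # e.g. sway.office.com.login-page.ml (constructed): the trusted
            # name is embedded in a domain that is not Microsoft's.
            reasons.append("lookalike-host:" + real)
    if shown and shown != real and not _is_under(real, shown):
        reasons.append("text-href-mismatch:%s!=%s" % (shown, real))
    return reasons


def triage_links(links: list) -> list:
    """Run classify_link over (text, href) pairs; keep only flagged links."""
    flagged = []
    for text, href in links:
        reasons = classify_link(text, href)
        if reasons:
            flagged.append((text, href, reasons))
    return flagged


# Constructed sample links, as they might be extracted from a message body.
SAMPLE_LINKS = [
    ("View the attached file", "https://sway.office.com/abc123"),
    ("https://sway.office.com/abc123", "https://sway.office.com.login-page.ml/x"),
    ("Our quarterly report", "https://intranet.example/reports/q3.pdf"),
]

if __name__ == "__main__":
    for text, href, reasons in triage_links(SAMPLE_LINKS):
        print(href, "->", ", ".join(reasons))
```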