PerSwaysion phishing campaign targets organisations worldwide

December 31, 2021
PerSwaysion Phishing Campaign Social Engineering Fraud Prevention Digital Risk Monitoring

Recent analysis by researchers shows that a phishing kit called PerSwaysion has been used in thousands of attacks worldwide, threatening organisations across many industries. It gives threat actors a way to run relatively simple phishing campaigns with little effort.

The PerSwaysion phishing kit abuses Microsoft file-sharing services such as OneNote, Sway, and SharePoint to lure its victims to credential-stealing websites. According to researchers, the campaign was launched as far back as October 2017 and is still active even though the group’s phishing kit and its tactics, techniques, and procedures (TTPs) have been publicly disclosed.


Organisations victimised by the PerSwaysion phishing campaign include those in financial services, healthcare, engineering, aerospace, technology, pharmaceuticals, government, and more.


An analysis of URLscan data revealed that over the past 18 months, more than 7,000 people from different industries and organisations have landed on 444 unique PerSwaysion portals. Hundreds of organisations have been affected by the campaign since at least May 2020. Moreover, because the campaign has been active for so long, it is safe to say that every industry has already been impacted.

Group-IB, a security vendor, is credited with giving the phishing kit its name after observing its extensive abuse of the Sway service as part of an attack chain. The vendor also described the campaign as a series of small but targeted phishing attacks launched by different criminal actors.

Affected organisations include several in the US and Canada, with the rest in the UK, Germany, Hong Kong, and the Netherlands.

The threat actors behind the PerSwaysion campaign are also described as running a three-phase operation to lure victims to phishing sites and steal their credentials. The first phase is a well-crafted phishing email sent to the victim with an attached PDF file posing as a Microsoft file-sharing alert.

When the victim clicks the ‘Read Now’ hyperlink in the email, they are redirected to a Microsoft Sway-hosted file or a page on another Microsoft file-sharing service. These pages look like authentic Microsoft sites but are credential-grabbing pages that carry out the attack.

Using a network traffic interpretation technology, researchers also discovered other attack vectors used by the threat actors. The technology lets organisations upload traffic flows in any format, with metrics grouped into more than 30 categories. It showed that some PerSwaysion attacks used URL shorteners to evade email filters and make URLs look legitimate. Another vector is the use of email delivery platforms such as sendgrid.net to send phishing emails directly to victims’ addresses.
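As an added example, not from the article or from Group-IB’s research, the following gateway-side triage check scores an inbound message against the chain described above: the PDF lure with a file-sharing link, the landing page on a Microsoft file-sharing service or behind a URL shortener, and delivery through a bulk relay such as sendgrid.net. The host lists, lure phrases, message fields and sample messages are assumptions constructed for the example, not published campaign indicators.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator lists are assumptions drawn from the TTPs the article describes, not
# published campaign indicators: Microsoft file-sharing hosts abused for the
# landing page, common URL shorteners, and the relay service named in the text.
FILE_SHARING_HOSTS = ("sway.office.com", "onenote.com", "sharepoint.com")
SHORTENER_HOSTS = ("bit.ly", "tinyurl.com", "t.co")
RELAY_HOSTS = ("sendgrid.net",)
LURE_PHRASES = ("read now", "shared a file", "shared a document")

@dataclass
class Message:
    """Fields a mail gateway has already extracted from one message."""
    relay_host: str         # host of the last external SMTP relay (Received header)
    subject: str
    attachments: list[str]  # attachment file names
    urls: list[str]         # links found in the body and inside attachments

def host_in(host: str, suffixes: tuple[str, ...]) -> bool:
    """Exact or subdomain match, so o1.ptr.sendgrid.net matches sendgrid.net."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def triage(msg: Message) -> dict:
    """Collect PerSwaysion-style indicators and decide whether to hold the mail."""
    hits: list[str] = []
    hosts = [urlsplit(u.strip()).hostname or "" for u in msg.urls]
    if any(a.lower().endswith(".pdf") for a in msg.attachments):
        hits.append("pdf_attachment")
    if any(host_in(h, FILE_SHARING_HOSTS) for h in hosts):
        hits.append("ms_file_sharing_link")
    if any(host_in(h, SHORTENER_HOSTS) for h in hosts):
        hits.append("url_shortener")
    if host_in(msg.relay_host, RELAY_HOSTS):
        hits.append("bulk_relay")
    if any(p in msg.subject.lower() for p in LURE_PHRASES):
        hits.append("file_share_lure")
    # A lone Sway link or a lone PDF is normal business mail; hold for review
    # only when three or more of the chain's indicators line up in one message.
    return {"hits": hits, "hold": len(hits) >= 3}

SAMPLE_MESSAGES = [  # constructed examples, not captured campaign mail
    Message("o1.ptr.sendgrid.net", "Alice shared a file with you",
            ["Document.pdf"], ["https://sway.office.com/PLACEHOLDER-id"]),
    Message("mail.example-partner.com", "Q3 invoice", ["invoice.pdf"], []),
    Message("mail.example.org", "Team notes", [],
            ["https://example-corp.sharepoint.com/sites/team"]),
]
```

Only the first sample message, which combines the lure wording, the PDF, the Sway link and the bulk relay, is held; a lone PDF or a lone SharePoint link passes.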

As of writing, researchers have not yet identified how the PerSwaysion phishing kit is developed and marketed.
