Office 365 users: Beware of phishing emails pointing to Office Sway

One of phishers’ preferred methods for fooling both targets and email filters is to use legitimate services to host phishing pages. The latest example of this involves Office 365 users being directed to phishing and malicious pages hosted on Office Sway, a web application for content creation that’s part of Microsoft Office.

The email

The email that tries to trick recipients into visiting the phishing page isn’t stopped by Microsoft’s filters, likely because:

  • It was sent from an email address
  • Includes links in the email that point to and other trusted sites (e.g., LinkedIn).

It pretends to be a fax receipt notice, shows a small image of the supposedly received fax, and asks the user to open the attachment to view it.

The phishing Office Sway page

Those who fall for the scheme are directed to a landing page hosted on Sway, which instructs them to click on another link that will either download a malicious file or lead them to a spoofed Office 365 login page:

phishing Office Sway

“The Sway page will include trusted brand names. Most commonly, the spoofed brands are Microsoft-affiliated, just like the SharePoint logo shown in the example above,” Avanan explained.

And if the recipient is logged into an Office account, Sway pages appear wrapped in Office 365 styling with accompanying menus, making the page even more convincing.

“Attackers can turn Microsoft Sway into most any site they like, causing both Outlook and even the most savvy recipients to trust links,” the company pointed out, and noted that because the attackers are using multiple senders and domains, blacklisting them won’t work.

“Instead, we’ve seen many clients blacklist in their web filters. Unless your organization actively uses Sway, you should consider blocking Sway links,” they advised.

Hackers go phishing for the holidays

It’s that time of year again. Everyone’s busy – at work and at home. That includes cybercriminals, too. In fact, the holiday season is when busy, distracted people tend to be especially vulnerable to phishing attacks. Just one click on a phishing link in a realistic-looking email or package shipment notice from even the savviest small business user opens the door to scammers.

phishing holidays

Cybercriminals becoming more sophisticated

Those scammers have honed their skills in recent years, coming up with more sophisticated ways to find businesses via websites, social media, and email address books. With this information, they can make their outreach more targeted, which makes the email appear more legitimate to the recipient.

What’s more, they often take advantage of the data they’ve acquired via breaches at retailers and other companies to create realistic-looking emails that appear to have come from co-workers, friends, vendors, clients or banks. Some even try to pass themselves off as IRS agents. These social engineering tactics further deceive the recipient into believing that the communication is trustworthy.

Small businesses under attack

Small businesses are especially prone to these phishing attacks. Because they have access to fewer cybersecurity resources and operate on tighter budgets than larger organizations, small businesses are frequent targets for scammers. Even if security isn’t in their budget, small businesses will end up paying for it one way or another: the average cyberattack costs a small business $53,987. Of course, that’s far less than the millions of dollars we hear about when medium and large enterprises are the victims, but it’s proportionally substantial.

Phishing for the holidays

It’s estimated that one in every 99 emails contains a phishing attack, which amounts to slightly fewer than five emails per employee in a five-day work week for a small business. What’s more, 30% of phishing emails typically make it past security built into popular cloud email providers like Office 365.

Given those kinds of success rates, it’s no surprise that scammers continue to increase the number of phishing attacks they launch every year. In 2018, 83% of people received phishing attacks worldwide, resulting in decreased productivity, loss of propriety data, reputational damage, and other disruptions and damages.

In recent years, scammers have upped their sophistication, making it even more difficult for unsuspecting victims to recognize a phishing email for what it is – especially when the pace of nearly everything picks up during the holidays. But there are several things you can do to avoid getting reeled into a phishing scam when you get an email (or text) that looks like it’s from someone you know and asks you to click on a link to update an account or your information.

Is it real?

Remember, it’s easy for scammers to spoof logos and create fake mail addresses to make it look like it’s coming from a person or company you know. But you should always double-check the address. It’s easy for a scammer to make small changes, such as replacing an “m” with an “r” and an “n,” which you might not notice at first glance. And beware of any message that’s pressuring you to act immediately to prevent something bad from happening. Remember, too, that the IRS will never send you email.

Is there an attachment or a link?

Be especially cautious if the email is from someone you don’t know and you’re being asked to click on a link, type in your password, account name or number, or provide other sensitive information. The exception is when you’re expecting a link or an attachment from someone you know and trust (for example, your lawyer sending a contract you discussed, a client sending details for an ad you’re developing, or a vendor verifying an order you placed).

Are you familiar with the sender?

If you get an email you weren’t expecting with an attachment or a link, verify that it’s coming from the person you think it is. But instead of clicking on “reply” or copying the email address, call the person or use an email address you already have on file.


But what if you or someone in your company inadvertently falls for a phishing scheme? First, contact whoever is in charge of your company’s IT systems and let them know what happened. And since phishing attacks (even during the holidays) often strike more than one person in a company, be sure to talk to your colleagues – to alert them and confirm that no one else has made the same mistake.

Of course, you should also notify any affected parties, including customers and suppliers. Then limit the damage by changing your passwords and disconnecting from your company’s network. Finally, report the incident to the appropriate authorities and report spam to the Federal Trade Commission.

And finally, enjoy the holidays.