PerSwaysion: Convincing Executives to Act Against Their Own Interest

Researchers at Group-IB have discovered a sophisticated spear phishing campaign that’s targeted executives at more than 150 companies around the world since mid-2019. The researchers have named the campaign “PerSwaysion” because the attackers abused the Microsoft Sway presentation program. The attackers seem particularly adept at using social engineering against multiple employees as part of the same attack.

“One of the defining signatures of PerSwaysion is that it spreads like wildfire, jumping from one victim to another while no malware is present on a user device during the attack,” the researchers write. “A new round of phishing attempts leveraging the current victim’s account usually takes less than 24 hours. The campaign resulted in a compromise of 156 high-ranking officers in global and regional financial hubs such as the US, Canada, Germany, the UK, Netherlands, Hong Kong, Singapore, and other locations.”

The campaign primarily targets executives, since these employees offer the most value from a social engineering perspective. Importantly, the phishing emails are sent from the real email account of someone the recipient knows—often an executive in another organization.

“The threat actors leverage a perfectly orchestrated social engineering technique by ‘persuading’ people holding significant corporate positions to open a non-malicious PDF email attachment coming from an authentic address in their contacts,” Group-IB says.

The PDF contains a convincingly spoofed Office 365 notification instructing the victim to click a link to read a document. Clicking this link takes the victim to a Microsoft Sway presentation that similarly poses as a notification from Office 365, which in turn leads to a phishing site designed to steal the victim’s Microsoft account credentials.

Once the attackers have compromised an executive’s account, they quickly identify the victim’s business contacts and stealthily send them phishing emails from the victim’s account. The researchers emphasize the sophistication of this operation and highlight the measures the attackers took to fool their victims.
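A defender-side illustration of the pattern described above, added here as an example (not Group-IB’s or KnowBe4’s code): a heuristic run over constructed outbound-mail gateway records that flags an internal sender who fans out PDF attachments linking to sway.office.com to several external contacts inside a 24-hour window. The record layout, the internal domain, and the recipient threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample records (not real log data): one tuple per outbound message,
# with URLs already extracted from the PDF attachment, if any.
SAMPLE_RECORDS = [
    ("2020-04-01T09:00:00", "cfo@corp.example", "a@p1.example", "Invoice.pdf", ["https://sway.office.com/AbC"]),
    ("2020-04-01T09:01:00", "cfo@corp.example", "b@p2.example", "Invoice.pdf", ["https://sway.office.com/AbC"]),
    ("2020-04-01T09:02:00", "cfo@corp.example", "c@p3.example", "Invoice.pdf", ["https://sway.office.com/AbC"]),
    ("2020-04-01T10:30:00", "cfo@corp.example", "d@p4.example", "Invoice.pdf", ["https://sway.office.com/AbC"]),
    ("2020-04-01T11:00:00", "cfo@corp.example", "e@corp.example", None, []),
    ("2020-04-01T12:00:00", "pm@corp.example", "f@p5.example", "Plan.pdf", ["https://corp.example/plan"]),
]

INTERNAL_DOMAIN = "corp.example"            # assumed internal mail domain
WINDOW = timedelta(hours=24)                # article: the next round usually takes < 24 hours
MIN_EXTERNAL_RECIPIENTS = 3                 # assumed fan-out threshold; tune per environment

def pdf_links_to_sway(attachment, urls):
    """True if a PDF attachment carries a link to Microsoft Sway (the lure step)."""
    if not attachment or not attachment.lower().endswith(".pdf"):
        return False
    # Compare the parsed hostname, so a Sway-looking path on another host does not match.
    return any(urlparse(u).hostname == "sway.office.com" for u in urls)

def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)

def detect(records, window=WINDOW, min_recipients=MIN_EXTERNAL_RECIPIENTS):
    """Return {sender: (sway_pdf_count, max_external_fanout)} for senders whose
    Sway-link PDFs reached at least min_recipients external contacts within window.
    A single Sway link is benign on its own; only the fan-out pattern alerts."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt, att, urls in sorted(records, key=lambda r: r[0]):
        by_sender[sender].append((datetime.fromisoformat(ts), rcpt, att, urls))
    alerts = {}
    for sender, msgs in by_sender.items():
        hits = [m for m in msgs if pdf_links_to_sway(m[2], m[3])]
        fanout = 0
        for i, (t0, _, _, _) in enumerate(hits):      # sliding window over Sway-link messages
            rcpts = {m[1] for m in hits[i:] if m[0] - t0 <= window and is_external(m[1])}
            fanout = max(fanout, len(rcpts))
        if fanout >= min_recipients:
            alerts[sender] = (len(hits), fanout)
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_RECORDS))
```

Flagged senders are candidates for review and credential reset, not proof of compromise; legitimate Sway use inside a single organisation will also produce Sway links, which is why the heuristic keys on external fan-out.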

“The PerSwaysion campaign is a living example of highly specialized phishing threat actors working together to conduct effective attacks on high-ranking officers at large scale,” said Feixiang He, a Senior Threat Intelligence analyst at Group-IB. “They adopt multiple tactics and techniques to avoid traffic detection and automated threat intelligence gathering, such as the use of file-sharing services and web application hosting from reputable vendors. The campaign pursues non-trivial counterintelligence methods, for example, randomizing malicious JS file names and fingerprinting victim browsers and rejecting repeated visits. Such measures taken by cybercriminals seeking to garner sensitive corporate information require a non-standard approach to their detection and response.”

Executives at any organization are more likely to be targeted by sophisticated social engineering attacks. New-school security awareness training can provide all of your employees with an appropriate level of training for the threats they’re likely to face.

Group-IB has the story:
