PerSwaysion: Phishing Attacks against Top Executives

More than 150 companies have been hacked

Don’t read “Read now”!

Nowadays, we are facing a new type of targeted phishing cyberattack called PerSwaysion. Like most of the regular phishing attacks, it aims to steal Microsoft Office 365 credentials. Fraudulent emails are sent to lure victims with a non-malicious PDF attachment containing ‘read now’ link that leads to file hosted on Microsoft Sway, SharePoint or OneNote. Those legitimate cloud-based content sharing services are intentionally chosen to avoid traffic detection by the IDS and other security systems. The attack mainly targets top level management representatives and by now more than 150 companies’ executives were hacked.

On the next step a specially crafted landing page on Microsoft Sway/SharePoint service is introduced to the victim. It further contains another “read now” link that redirects to the actual phishing site. It encourages the user to enter their email account credentials or other confidential information.

Once stolen, attackers immediately move on to the next stage and download victims’ email data from the server using IMAP APIs. Тhen, they impersonate the identities to further target people who have recent email communications with the current victim and hold important roles in the same or other companies.

Easy Victims

The core of the approach is the users who are bypassing all the security controls, implemented in the business communication infrastructure and easily become victims. The biggest problem of PerSwaysion is not only the email data leakage, but the hijacked account, which later on can be used by the attacker to execute further attacks like Business Email compromise where this user may instruct other employees to conduct fraudulent activities unintentionally.

No matter how good logical controls and cyber security solutions you have implemented, none of them can detect and protect your organization from a “trusted” hijacked employee’s account. Unless, you fully monitor and inspect а user’s activity and compare it with already established behavior template of the particular user.

Educating employees to recognize the current cyber-attack vectors together with ensuring back up through their automated machine-learning behavior anomalies detection, forming a so-called “Human Layer Security” could be a solution and indeed is the key to put you on the edge of the cyber security resilience.

iQ.Suite 360 – multilayer protection for SharePoint

With the help of iQ.Suite 360 you can secure your SharePoint environment with multi-level protection against malware using multiple scanners from well-known premium manufacturers. It guarantees the protection of the collaboration environment not only for internal users, but also for the access by external communication partners. Another highlight of the solution is the scheduled scanning of the entire SharePoint environment with the latest malware patterns outside working hours. iQ.Suite 360 by GBS (a BULPROS Company) is a compliant, multi-level malware protection solution for SharePoint.