A phishing kit that has been used in thousands of attacks worldwide has been active for significantly longer than previously thought — and it continues to pose a potent threat to organizations across multiple sectors, new analysis shows.

The kit, named PerSwaysion, is designed to give cybercriminals a way to launch a phishing campaign relatively easily and with little up-front effort. The most notable aspect about the threat is its use of Microsoft file-sharing services, such as Sway, SharePoint, and OneNote, to lure users to credential-stealing sites. 

David Pearson, co-founder and CEO of newly launched SeclarityIO, says his company's analysis of data on PerSwaysion shows the campaign, in fact, launched as far back as at least October 2017 and is currently active despite public disclosure of the group's phishing kit and TTPs. 

An analysis of data from URLscan showed that over the last 18 months alone, some 7,403 people from across 14 industry sectors landed on 444 unique PerSwaysion phishing portals at some point. Victims came from organizations within the US government, financial services, pharmaceutical, healthcare, aerospace, engineering, technology, and other sectors. Pearson estimates the number of organizations impacted by the campaign since May 2020 to be, at least, in the high hundreds.

"Realistically, this has gone on for so long it is likely that just about [every sector] is impacted," Pearson says. "This is a phishing kit that has customers all over the world, and [attackers] are targeting whoever they want."

Security vendor Group-IB gave the campaign its name last year after observing how extensively it abused the Sway service as part of the attack chain. In an April 2020 report, Group-IB described PerSwaysion as a collection of small but targeted phishing attacks executed by multiple criminal groups mainly against small and midsize financial services companies, real estate groups and law firms. 

The security vendor had assessed the PerSwaysion campaign had been ongoing since 2019 and had successfully compromised email accounts belonging to at least 156 high-ranking officials at multiple organizations located mainly in the US and Canada, and to a lesser number in global financial hubs in Germany, the UK, the Netherlands, and Hong Kong.

Previous reporting on PerSwaysion by Group-IB and others had described attackers as deploying a three-phase operation to lure users to credential-grabbing phishing sites. According to Group-IB, the first phase involves potential victims receiving a well-crafted spear-phishing email with a non-malicious PDF attachment purporting to be a Microsoft file-sharing notification. 

Users who click on the "Read Now" hyperlink in the notification are directed to a file hosted on Microsoft Sway or — less often — another Microsoft file-sharing service. The page is designed to look exactly like an authentic Microsoft file-sharing site except when users click on the Read Now link, they are directed to a credential-harvesting site designed to look like an account sign-on page.

Drag-and-Drop Op

Pearson says his analysis of PerSwaysion shows the kit essentially makes deploying a phishing portal a drag-and-drop operation for attackers. The kit contains templates for spoofing account login pages belonging to eight trusted brands, including Microsoft, Google, Facebook, Twitter, and — as an indication of just how long the kit has been around — some older brands like Hotmail and AOL.

The kit's attack infrastructure itself consists of a front-end phishing portal that victims land on when they click through the URL links, a template hosting site, a redirector site that ensures the appropriate template is served up to the victim, and the credential collection site itself.

Fresh Insight
Pearson says SeclarityIO was also able to uncover fresh insight into the attack vectors that different threat actors used to initially deliver the PerSwaysion kit to potential victims thanks to its network interpreter technology.

The platform allows organizations to upload any kind of traffic flow format to understand, for example, who might have communicated with whom on the network, how many packets were sent and received, and other metrics.

"We don't look at any payload information," Pearson says. "We just look at the flow of information, and we have 30 or so categories that we group traffic into."

SeclarityIO categorizes communication to any port on any site, he adds, to help organizations identify malicious activity, like command-and-control (C2) traffic. The technology works with an organization's network flows and helps security analysts visualize what vectors an attacker might have used to evade defenses, how a user might have interacted with the site, and whether that interaction requires remediation, Pearson notes.

SeclarityIO's platform helped show that in some PerSwaysion attacks, threat actors used URL shorteners, such as bit.ly and tiny.cc, to try and bypass email filters and to make malicious URLs appear more legitimate. In other instances, attackers used email platforms such as sendgrid.net to deliver their phishing lures straight to user email inboxes. Other tactics included luring users to legitimate but compromised websites, redirects through online ads, and open redirects to reroute users to a different site from which they intended to go.

Pearson says SeclarityIO has been unable to determine how the PerSwaysion kit is marketed. They have also been unable to dig up any more information on who might have developed the kit beyond what Group-IB already revealed last year: that the operators likely are Vietnamese-speaking.