In the first quarter of 2020, the Group-IB Threat Intelligence team received a lead concerning the compromise of a corporate email account at an Asia-based company. A joint investigation by the Group-IB DFIR and Threat Intelligence teams revealed a phishing technique on the rise, which essentially works by abusing Microsoft file sharing services, including Sway, SharePoint, and OneNote. The Group-IB Threat Intelligence team named this series of phishing attacks the PerSwaysion campaign for its extensive abuse of the Sway service. The PerSwaysion campaign is a collection of small yet targeted phishing attacks run by multiple cyber-criminal groups, attacking small and medium financial services companies, law firms, and real estate groups.
Evidence suggests that, since mid-2019, at least 156 high-ranking officers of these organizations have been compromised. These high-profile victims tend to be located in the US and Canada, while the rest are in global and regional financial hubs such as Germany, the UK, the Netherlands, Hong Kong and Singapore, and in other countries.
Group-IB has set up a website where anyone can check whether their email address was compromised by PerSwaysion. Group-IB continues to work with the relevant parties in local countries to inform the affected companies of the breach.