Connect with us

Hi, what are you looking for?



Sophisticated Phishing Kit Used by Multiple Groups to Target Executives

A sophisticated phishing kit has been used by multiple cybercrime groups to target high-ranking employees in North America and other parts of the world, and researchers believe there are at least 150 victims.

A sophisticated phishing kit has been used by multiple cybercrime groups to target high-ranking employees in North America and other parts of the world, and researchers believe there are at least 150 victims.

The campaign has been analyzed by cybersecurity company Group-IB, which tracks the operation as PerSwaysion due to its abuse of the Microsoft Sway presentation application. Some of the PerSwaysion attacks were previously detailed by Avanan, a company that provides security solutions for email and collaboration tools.

According to Group-IB, the PerSwaysion campaign has been active since at least mid-2019, and the first peak was observed in September. Attacks ramped up again in late December 2019.

Data collected by Group-IB shows that the attackers compromised the accounts of at least 156 executives and other high-ranking employees, mainly in the United States, where 81 victims have been identified. Victims have been identified in countries around the world, including in the UK, Canada and the Netherlands.

PerSwaysion victims

The most targeted sector was financial services, with over half of the victims working in this industry. The cybercriminals also targeted individuals in the real estate, legal, consulting, manufacturing, energy, retail, IT and other sectors.

Attacks start with a phishing email being sent to the targeted user. The email contains a harmless PDF document informing victims that a file has been shared with them on a Microsoft Office 365 service such as Sway, SharePoint or OneNote. When users click on the “Read Now” link in the PDF document, they are taken to a page hosted on Sway, SharePoint or OneNote, where they are once again shown a “Read Now” link. This link points to a phishing website designed to harvest the victim’s Office 365 credentials.

The emails and PDF documents used in the PerSwaysion campaign have been created with a phishing kit and an associated PDF generator that Group-IB believes was developed by someone in Vietnam. The phishing kit is offered based on a malware-as-a-service model and its creators do not appear to be using it themselves. Instead, they have sold it to other cybercriminals, who have been using it to obtain credentials that they can sell to others or which they can use themselves to steal valuable information from the targeted organizations.

Advertisement. Scroll to continue reading.

“At the current stage, PerSwaysion scammers do not have clear preferences of financial profit generating models,” Group-IB said in a blog post. “The scammers hold covert access to many corporate email accounts and large piles of sensitive business email data. The situation opens up a wide range of possibilities. The account access could be sold in bulk to other financial scammers to conduct traditional monetary scams. Sensitive business data extracted from emails, such as non public financial records, secret trading strategies, and client lists, could be sold to the highest bidder in the underground markets.”

The phishing kit includes a feature that sends an email to the cybercriminals as soon as someone enters their credentials on a phishing site. This allows the hackers to quickly access compromised accounts and send out phishing emails to the victim’s contacts, mainly high-ranking people at other organizations. These activities are typically conducted within 24 hours.

One of the groups using the phishing kit has members in Nigeria and South Africa. This gang has been conducting phishing attacks since at least 2017.

Group-IB has set up a page where users can check if their email address is among the ones targeted in the PerSwaysion campaign.

Related: Phishing Attacks: Best Practices for Not Taking the Bait

Related: Russian Cyberspies Hacked High-Profile Email Accounts for Phishing

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...