Group-IB uncovers sophisticated phishing campaign that targets executives worldwide | The Business Standard

Tech

TBS Report
01 May, 2020, 09:20 pm
Last modified: 01 May, 2020, 09:23 pm


Cybercriminals behind the PerSwaysion campaign gained access to many confidential corporate MS Office365 emails of mainly financial service companies, law firms, and real estate groups

Representational image. Photo: Kacper Pempel via Reuters

Singapore-based cybersecurity company Group-IB has identified a series of sophisticated successful phishing attacks against the management and executives of more than 150 companies around the world. 

The campaign, dubbed PerSwaysion due to the extensive abuse of Microsoft Sway, has been active since at least mid-2019 and was attributed to Vietnamese-speaking developers and Nigerian operators. 

Microsoft Sway is a presentation program and is part of the Microsoft Office family of products.

The PerSwaysion campaign proliferates at an alarming rate by leveraging compromised accounts' email data to select further targets who hold important roles in their companies and have business relations with the victims. 

Group-IB is continuing to work with the relevant parties in the affected countries to inform the compromised companies of the breach. 

Not brute force but only PerSwaysion

PerSwaysion is a highly targeted phishing campaign. One of its defining signatures is that it spreads like wildfire, jumping from one victim to another, while no malware is present on the user's device at any point during the attack. A new round of phishing attempts leveraging the current victim's account usually follows in less than 24 hours. 

The campaign resulted in a compromise of 156 high-ranking officers in global and regional financial hubs such as the US, Canada, Germany, the UK, Netherlands, Hong Kong, Singapore, and other locations. 

The PerSwaysion campaign primarily focuses on financial services companies (more than 50%), law firms, and real estate companies to conduct a further supply-chain attack against their clients and business contacts. 

Group-IB has already set up a website where everyone can check if their email was compromised by PerSwaysion.

Group-IB's Digital Forensics and Incident Response (DFIR) team was brought in to examine an incident at an Asia-based company, which allowed it to establish that PerSwaysion is a sophisticated three-phase phishing operation that uses special tactics and techniques to avoid detection. 

The threat actors leverage a carefully orchestrated social engineering technique, "persuading" people holding significant corporate positions to open a non-malicious PDF email attachment that arrives from an authentic address already in their contacts.  

The PDF attachment is a well-crafted Office 365 file-sharing notification addressed to the victim that mimics the legitimate format. Upon clicking "Read Now", the victim, who in most cases is a high-ranking officer, is taken to a file hosted on MS Sway. 

The attackers pick legitimate cloud-based content sharing services, such as Microsoft Sway, Microsoft SharePoint, and OneNote to avoid traffic detection. 

The page resembles an authentic Microsoft Office 365 file-sharing page. However, it is a specially crafted presentation page that abuses Sway's default borderless view. 

From this page, the targeted individual is redirected to the final destination: the actual phishing site, disguised as a 2017 version of the Microsoft Single Sign-On page. 

Here, the victim is assigned a unique serial number by the phishing kit, which serves as a rudimentary fingerprinting technique. Any repeated request to the exact same URL is rejected. This blocks automated threat-detection tools from re-fetching the URLs the targets visited. 

When the high-level employee submits corporate Office 365 credentials, the information is sent to a separate data server, together with an extra email address that is hidden on the page. This extra email address is used as a real-time notification channel, so that the attackers can act on freshly harvested credentials immediately. 

Gone in 24 Hours

PerSwaysion threat actors conduct follow-up operations with newly collected account credentials of high-ranking officers very quickly. 

Group-IB researchers revealed that the attackers take 3 main steps to push a new round of phishing against users whom the victims had recent correspondence with, which on average takes less than 24 hours. 

After the credentials are sent to their C&C (command-and-control) servers, the PerSwaysion operators log into the compromised email accounts. They dump the email data via API and map out the owner's high-level business connections. 

Finally, they generate new phishing PDF files carrying the current victim's full name, email address and company legal name. These PDF files are sent to a selection of new people who tend to be outside of the victim's organization and hold significant positions. 

The PerSwaysion operators typically delete impersonating emails from the outbox to avoid suspicion. The detailed technical analysis of PerSwaysion operations and attack scheme is available in Group-IB's blog post.

"PerSwaysion threat actors have not demonstrated clear preferences of financial profit-generating models yet," Feixiang He, senior Threat Intelligence analyst at Group-IB said. 

"The attackers hold covert access to many corporate email accounts and large piles of sensitive business email data of high-level management. Hence, it opens up a wide range of possibilities," he added. 

Feixiang further said that the account access could be sold in bulk to other cybercriminals to conduct traditional monetary scams. Sensitive business data extracted from emails, such as non-public financial records, secret trading strategies, and client lists, could be sold to the highest bidder in the underground markets.

Who are "The PerSwayders"? 

The PerSwaysion campaign is a series of Malware-as-a-Service-based operations. Analysis of the campaign's phishing kit revealed that it was primarily developed by highly specialized Vietnamese-speaking threat actors. 

The user-input validation module (VeeValidate) used in the kit's code includes only the Vietnamese locale, although the library supports 48 languages. 

Further research determined that the developer groups do not run phishing campaigns themselves. Instead, the developers likely sold their phishing kit and PDF generator to various cybercriminals for direct profit. 

Group-IB Threat Intelligence has tracked down several loosely connected sub-groups of threat actors carrying out phishing attacks independently. Between them they control a total of 27 email addresses used to collect stolen email account credentials and receive notifications. 

The emails were embedded in variants of PerSwaysion phishing kits. Some of these emails were used to register LinkedIn accounts for gathering potential victim profiles. Such data helps PerSwaysion attackers to pick people holding significant corporate positions.

Further investigation shows that one of PerSwaysion's earliest operation teams is a group of threat actors who operate in Nigeria and South Africa. 

The group is allegedly led by a Nigerian who goes by the nickname Sam. This group has been conducting various activities ranging from online shopping scams to phishing attacks since 2017. 

The vast differences in geo-locations and cultures between phishing kit developers and campaign operators indicate great specialization among cybercriminals.

"PerSwaysion campaign is a living example of highly specialized phishing threat actors working together to conduct effective attacks on high ranking officers at large scale," according to Feixiang He. 

"They adopt multiple tactics and techniques to avoid traffic detection and automated threat intelligence gatherings, such as the use of file-sharing services and web application hosting from reputable vendors," he added. 

"The campaign pursues non-trivial counterintelligence methods, for example, randomizing malicious JS file names and fingerprinting victim browsers and rejecting repeated visits," he further said. 

Feixiang He thinks that such measures taken by cybercriminals seeking to garner sensitive corporate information require a non-standard approach to their detection and response.

Cloud-based corporate services, such as MS Sway, introduce new challenges to traditional cyber risk management frameworks. A proper cloud migration plan should account for the resulting changes in early prevention, anomaly detection, and incident response. 

When adopting cloud-based corporate services, it is crucial to enforce two-factor authentication (2FA) to mitigate the risk of login credential theft. 

Furthermore, when planning cloud-based service architectures, corporate system administrators need to evaluate the various logging options offered by cloud service providers and integrate activity log data into existing risk detection flows.
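The follow-up pattern described above (sign-in with stolen credentials, bulk mailbox dump, outbound PDF lures, deletion from the outbox, all inside 24 hours) is exactly the kind of chain that integrated activity logs let a defender detect. The following is an added example, not Group-IB's code or tooling: it runs a simple chain detector over a constructed, simplified event sample. The field names (`ts`, `user`, `op`, `ip`, `count`, `external`, `attachment`, `folder`) and the known-IP list are assumptions; real Office 365 audit records are richer and would need to be mapped onto this shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of simplified mailbox activity events. Field layout is an
# assumption for this example, not the real Office 365 audit-log schema.
EVENTS = [
    {"ts": "2020-04-10T08:02:00", "user": "cfo@example.com", "op": "UserLoggedIn", "ip": "203.0.113.7"},
    {"ts": "2020-04-10T08:05:00", "user": "cfo@example.com", "op": "MailItemsAccessed", "ip": "203.0.113.7", "count": 900},
    {"ts": "2020-04-10T09:40:00", "user": "cfo@example.com", "op": "Send", "ip": "203.0.113.7",
     "external": True, "attachment": "Shared_Document.pdf"},
    {"ts": "2020-04-10T09:41:00", "user": "cfo@example.com", "op": "SoftDelete", "ip": "203.0.113.7", "folder": "SentItems"},
    # Benign user: known IP, small read volume, no deletion from Sent Items.
    {"ts": "2020-04-10T08:00:00", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "198.51.100.2"},
    {"ts": "2020-04-10T08:10:00", "user": "alice@example.com", "op": "MailItemsAccessed", "ip": "198.51.100.2", "count": 12},
    {"ts": "2020-04-10T10:00:00", "user": "alice@example.com", "op": "Send", "ip": "198.51.100.2",
     "external": True, "attachment": "invoice.pdf"},
]

# Assumed baseline of IPs previously seen per user (constructed).
KNOWN_IPS = {"cfo@example.com": {"198.51.100.10"}, "alice@example.com": {"198.51.100.2"}}
WINDOW = timedelta(hours=24)   # the "gone in 24 hours" follow-up window
BULK_READ = 200                # mailbox reads above this count as an API-style dump

def parse(ev):
    out = dict(ev)
    out["ts"] = datetime.fromisoformat(ev["ts"])
    return out

def flag_takeover_chains(events, known_ips, window=WINDOW, bulk=BULK_READ):
    """Return users whose activity matches the PerSwaysion follow-up chain:
    sign-in from an IP never seen for that user, then a bulk mailbox read,
    then an outbound PDF to an external recipient, then deletion from Sent
    Items, in that order and all within `window` of the sign-in."""
    by_user = defaultdict(list)
    for ev in sorted(map(parse, events), key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        for login in (e for e in evs if e["op"] == "UserLoggedIn" and e["ip"] not in known_ips.get(user, set())):
            later = [e for e in evs if login["ts"] <= e["ts"] <= login["ts"] + window and e["ip"] == login["ip"]]
            stages = [
                next((e for e in later if e["op"] == "MailItemsAccessed" and e.get("count", 0) >= bulk), None),
                next((e for e in later if e["op"] == "Send" and e.get("external")
                      and e.get("attachment", "").lower().endswith(".pdf")), None),
                next((e for e in later if e["op"] == "SoftDelete" and e.get("folder") == "SentItems"), None),
            ]
            if all(stages) and stages[0]["ts"] <= stages[1]["ts"] <= stages[2]["ts"]:
                flagged[user] = {"ip": login["ip"], "stages": [s["op"] for s in stages]}
                break
    return flagged

if __name__ == "__main__":
    print(flag_takeover_chains(EVENTS, KNOWN_IPS))
```

Only the account that completes the whole chain from a previously unseen IP is flagged; a user who merely emails an external PDF from a known IP is not, which keeps the rule usable alongside the 2FA and logging controls recommended above.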

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations.
