Targeted Phishing Attacks Successfully Hacked Top Executives At 150+ Companies

Nowadays, we are facing a new type of targeted phishing cyberattack called PerSwaysion. Like most of the regular phishing attacks, it aims to steal Microsoft Office 365 credentials. Fraudulent emails are sent to lure victims with a non-malicious PDF attachment containing ‘read now’ link  that leads to file hosted on Microsoft Sway, SharePoint or OneNote. Those legitimate cloud-based content sharing services are intentionally chosen to avoid traffic detection by the IDS and other security systems. The attack mainly targets top level management representatives and by now more than 150 companies’ executives were hacked.

On the next step a specially crafted landing page on Microsoft Sway/SharePoint service is introduced to the victim. It further contains another ‘read now’ link that redirects to the actual phishing site. It encourages the user to enter their email account credentials or other confidential information.

Once stolen, attackers immediately move on to the next stage and download victims’ email data from the server using IMAP APIs. Тhen, they impersonate the identities to further target people who have recent email communications with the current victim and hold important roles in the same or other companies.

Here is a graphical representation of the attack scenario.

The core of the approach is the users who are bypassing all the security controls, implemented in the business communication infrastructure and easily become victims. The biggest problem is not only the email data leakage, but the hijacked account, which later on can be used by the attacker to execute further attacks like Business Email compromise where this user may instruct other employees to conduct fraudulent activities unintentionally.

No matter how good logical controls and cyber security solutions you have implemented, none of them can detect and protect your organization from a “trusted” hijacked employee’s account… Unless, you fully monitor and inspect а user’s activity and compare it with already established behavior template of the particular user.

Educating employees to recognize the current cyber-attack vectors together with ensuring back up through their automated machine-learning behavior anomalies detection, forming a so-called “Human Layer Security” ( could be a solution and indeed is the key to put you on the edge of the cyber security resilience.

Should you wish to furthermore straighten the security of your SharePoint spaces by real-time malware inspection, the GBS – a BULPROS company, has recently launched its IQ.Suite360 – a multi-level malware protection solution for SharePoint (

About the author

Lyubomir Tulev

Senior Cyber Security Architect & Business Information Security Consultant

Lyubomir Tulev (CCISO, ECSA, CEH, CHFI, CEI) is Senior Cyber Security Architect & Business Information Security Consultant at BULPROS. He manages the cyber security operations and solutions, provided from the MSSP services portfolio of BULPROS to its clients; consults and implements cyber security controls by ensuring proper equipment and software deployment and calibration. He is highly qualified cyber security professional with over 10 years of experience in Bulgarian law enforcement and business.