Attacks against high-ranking employees of organizations, also known as whaling phishing, remain a persistent threat in 2020. Typically, senior-level employees have greater decision-making privileges and can take action without seeking permission. This makes higher-ups a potentially lucrative target for cybercriminals who can successfully execute a spear-phishing attack. Cybersecurity firm Group-IB has identified at least 156 high-ranking employees at organizations around the world who have been compromised in the last year.
These phishing attacks abuse Microsoft file-sharing services such as SharePoint, Sway, and OneNote. The technique has been dubbed the PerSwaysion campaign by Group-IB’s threat intelligence team. To help combat this wave of attacks, Group-IB has set up a website where concerned parties can check whether their email has been compromised in a PerSwaysion attack.
A PerSwaysion attack has three phases:
- The high-ranking victim receives an email with a malicious PDF.
- The victim moves through to Microsoft file-sharing services.
- The victim eventually lands on the final phishing site.
It appears that scammers have largely moved on from using SharePoint and OneNote, with Sway being more common today. However, scammers may utilize different Microsoft file-sharing services for different reasons, so you shouldn’t assume you are safe from this scam if it involves OneNote or SharePoint.
The malware kit is thought to have been developed by Vietnamese developers, but the kit can be used by independent scammers.
Stay vigilant out there! Remember, cybersecurity training is for everyone, no matter their position in the company.