In January 2020, Group-IB researchers had come across an interesting phishing campaign that was successfully used to compromise the email accounts of at least 156 high-ranking officials.  Described as PerSwaysion, the campaign had been ongoing since 2019, only to be discovered by researchers in 2020. 

At the time of its discovery, the campaign had spread across financial hubs in Germany, the U.K, the Netherlands, and Hong Kong. However, a new report furnished by SeclarityIO, revealed that the PerSwaysion campaign was launched as far back as at least October 2017 and is currently active worldwide.

Uncovering PerSwaysion’s latest activity

An analysis of data from URLscan unfolded multiple new findings associated with the campaign.
  • Researchers found that over the past 18 months, some 444 unique phishing portals were used to target 7,403 people from across 14 industry sectors as part of the campaign.
  • There were victims from organizations working in the U.S. government, financial services, pharmaceutical, healthcare, aerospace, and engineering technology sectors.

Worth noting

  • The crucial aspect of the campaign is the use of a kit named PerSwaysion that helps cybercriminals launch attacks relatively easily.
  • It abuses Microsoft’s file-sharing services such as Sway, SharePoint, and OneNote to lure users to credential-stealing sites.

Other fresh insights

  • While Group-IB researchers highlighted that the kit contains spoofing templates for eight known brands to trick users, SeclarityIO researchers made two additional notes that were recently employed by the phishing kit.
  • These are related to the anti-analysis techniques. The first technique involves using JavaScript to pack the malicious code and the second uses a setup to block analysis by Chrome’s Developer Tools.
  • In some PerSwaysion attacks, threat actors also used URL shorteners such as and to bypass email filters.
  • Other tactics included redirecting users to legitimate but compromised websites through online ads and other fake websites.


Researchers at SeclarityIO are still trying to find out specific indicators that determine how the PerSwaysion kit is marketed. Meanwhile, the massive number of newly found phishing sites is something to be worried about as the campaign continues to spread its tentacles to ensnare more organizations.

Cyware Publisher