Important CyberSecurity Tip from UTS: Don’t get Sway-ed

Microsoft Sway is a powerful tool for creating presentations and interactive reports that are distributed via the web. One of Sway’s biggest advantages is its flexibility. One can make a Sway report look like anything. Since we’re a customer of Microsoft, and we use some of Microsoft’s online services, we tend to trust links to Microsoft products. Attackers are taking advantage of the trust and flexibility built into Sway to create some convincing tricks meant to steal your password.
Here’s an example of a report, created on Sway, to look like you’ve received a fax:
[Image: Sway Fax Received Sample]
Here’s one that looks like you’ve received a voicemail in Teams:
[Image: Fake Microsoft Teams Site in Sway]
Typically, you would receive an email with links to one of these pages, and upon clicking further you would be asked for your username and password.
Stay safe with these tips:
  • If you click a link in an email, and your address bar shows sway.microsoft.com, be on the alert.
  • Question everything. Is that message really from your coworker? Was I expecting a fax? Would HR send a survey link this way? Does that sound like the President?
  • Pay attention to detail, and pick up the phone (or use a separate messaging tool) to confirm with the sender before clicking on any links or files you did not ask for or weren’t expecting.
  • If you aren’t sure about an email you’ve received, contact UTS.

UTS does not want to discourage the use of Sway. It can be a powerful and useful tool. However, useful tools, like email itself, can often be misused in ways that were not anticipated. Please stay diligent, and understand the risks.
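
For mail administrators, a triage check for the pattern described above (an email whose link leads to a Sway page dressed up as a fax or voicemail notice). This is an added example, not part of the original UTS tip; the function name `sway_links`, the extra host `sway.office.com`, the keyword list and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host named on this page, plus sway.office.com (added assumption).
SWAY_HOSTS = {"sway.microsoft.com", "sway.office.com"}
LURE_WORDS = ("fax", "voicemail", "voice message")  # themes of the two samples

# Constructed sample message (not a real email).
SAMPLE = """\
From: "Fax Service" <noreply@example.org>
Subject: You have received a new fax
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://sway.microsoft.com/EXAMPLE-ID?ref=email">View</a>
<a href="https://www.example.edu/help">Help</a></body></html>
"""


class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def _host(url):
    """Exact parsed hostname, lower-cased; '' if the URL cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def sway_links(raw_email):
    """Return (sway_urls, lure_hit) for one message given as text."""
    msg = message_from_string(raw_email, policy=policy.default)
    parser, text = _Links(), str(msg["subject"] or "")
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            body = part.get_content()
            text += " " + body
            parser.feed(body)  # anchors in HTML bodies
            parser.hrefs += re.findall(r"https?://[^\s\"'<>]+", body)  # bare URLs
    urls = [u for u in dict.fromkeys(parser.hrefs) if _host(u) in SWAY_HOSTS]
    return urls, any(w in text.lower() for w in LURE_WORDS)
```

A message that returns both a Sway URL and a lure hit is a candidate for a warning banner or manual review rather than an automatic block, since Sway links also appear in legitimate mail.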