A large phishing campaign using QR codes has been detected targeting various industries, with the aim of acquiring Microsoft credentials. Researchers from the security firm Cofense observed the attacks against “a major Energy company based in the US.” The reported phishing campaign also targeted organizations in other industries, including finance, insurance, manufacturing, and tech. One technique observed during the campaign was sending emails containing a malicious QR code, combined with obfuscation tactics: the URLs were hidden inside QR codes embedded in a PNG or PDF attachment, and trusted domains were abused. Most of the phishing emails observed during the campaign contained PNG image attachments delivering Microsoft credential phishing links, or redirects to them, via an embedded QR code, using the lure of an account security update, including 2FA and MFA changes.
Embedding the QR code also helps the malicious emails bypass email security protections and make it into potential victims’ inboxes, because spam filters find it more difficult to assess QR images included in an attachment. Because threat actors can hide malicious links inside QR codes, or hide the codes within images, the malicious document can bypass email scanning solutions, which makes the QR code tactic practical in phishing campaigns. However, victims still need to scan the malicious QR code with a QR code scanner on their mobile device, which gives them an opportunity to observe and validate the URL before opening it. Most modern QR code scanners show the URL encoded in the QR code within the application prior to opening the page.
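To compensate for the filter blind spot described above, a mail gateway or SOC pipeline can at least flag the shape of these messages (an MFA-style lure in the text, an image or PDF attachment, and no inspectable link in the body) and check the URL a scanner reveals for a redirect smuggled through a trusted domain. The following is an added example written for this page, not code from Cofense or the original article; the lure keywords, the sample message and the domains in it are constructed assumptions.

```python
# Added example, not from the article or Cofense: triage rule for QR-code phishing
# mail plus a redirect-abuse check. Keywords, sample mail, domains are constructed.
import email
import re
from email import policy
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Lure wording typical of account-security / 2FA / MFA themed phishing.
LURE = re.compile(r"\b(2FA|MFA|multi-?factor|two-?factor|account security)\b", re.I)
ATTACHMENT_TYPES = {"image/png", "image/jpeg", "application/pdf"}
URL_RE = re.compile(r"https?://\S+", re.I)

def triage_message(raw: bytes) -> dict:
    """Flag mail that carries an MFA-style lure in the text but moves the call
    to action into an image/PDF attachment, leaving no link for the URL filter
    to inspect. Returns the evidence so an analyst can review it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body, attachments = "", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body += part.get_content()
        elif ctype in ATTACHMENT_TYPES:
            attachments.append(part.get_filename() or ctype)
    has_lure = LURE.search(body) is not None
    has_link = URL_RE.search(body) is not None
    return {"lure": has_lure, "body_links": has_link, "attachments": attachments,
            "suspicious": has_lure and bool(attachments) and not has_link}

def redirect_target(decoded_url: str) -> Optional[str]:
    """Given the URL a QR scanner displays, return a second URL smuggled in the
    query string (redirect abuse of a trusted domain), or None if there is none."""
    for values in parse_qs(urlparse(decoded_url).query).values():
        for value in values:
            if unquote(value).lower().startswith(("http://", "https://")):
                return unquote(value)
    return None

# Constructed sample: MFA lure in the body; the only "link" is a PNG attachment.
SAMPLE_EMAIL = (
    b"From: it-helpdesk@example.com\r\nTo: user@example.com\r\n"
    b"Subject: Action required: update your MFA\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Your 2FA settings expire today. Scan the attached code to continue.\r\n"
    b'--b1\r\nContent-Type: image/png; name="mfa_update.png"\r\n'
    b'Content-Disposition: attachment; filename="mfa_update.png"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\niVBORw0KGgo=\r\n--b1--\r\n"
)
```

Decoding the QR image itself needs an image-decoding library and is left to the pipeline; `redirect_target` runs on whatever URL that decoder (or the user's scanner app) reports.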
While QR codes have legitimate uses and gained popularity during the 2020 pandemic, malicious actors have reasons to use them as well. Although automation such as QR scanners and image recognition can be the first line of defense, it is not guaranteed that QR code phishing activity will be picked up by technical solutions. Therefore, it is recommended that employees are instructed and trained not to scan QR codes in emails they receive, nor QR codes in public whose origin is unknown. Having employees, and other individuals with access to business networks, remain vigilant and informed about this tactic will help mitigate the risk of exploitation targeting accounts, networks, and business security architecture.