QR Code Phishing

[Update 12/12/2023 - Microsoft may be the first email security vendor to extract malicious hyperlinks from QR codes. This is a remarkable engineering feat, something I did not think they would accomplish until Q1 of next year.
Here is the Microsoft article: https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/protect-your-organizations-against-qr-code-phishing-with/ba-p/4007041]

We are seeing an increased number of QR Codes used in phishing.

TL;DR: there are no technology solutions available on the market today to detect or block QR code phishing, aka “quishing.” We recommend informing users not to use their cameras to scan QR codes unless they have verbally authenticated the sender (they know and expect the QR code for a valid business purpose).

Stu Sjouwerman, CEO of KnowBe4, wrote, “I’m not aware of any security solution that can follow a QR code-based URL to determine if the resulting URL is malicious or not” (KnowBe4 email newsletter).

The way to limit your risk if users scan a QR code anyway is to set up a conditional access policy that blocks authentication from personally owned mobile devices. Clearly, that would be a big policy shift that would require planning and communication for most organizations.
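One way to express that conditional access policy with the Microsoft Graph PowerShell SDK, as an added example that is not from the original post. The policy name, the pilot group, the emergency-access exclusion, the report-only state and the two object-ID placeholders are assumptions to replace with your own values.

```powershell
# Added example, not the author's policy: block sign-in from iOS/Android devices
# that are not registered in Entra ID as company-owned. Created in report-only
# mode so the impact can be reviewed before anything is enforced.
# Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','Application.Read.All'

# Placeholders (assumptions): object IDs from your own tenant.
$pilotGroupId     = '<pilot-group-object-id>'
$breakGlassUserId = '<emergency-access-account-object-id>'

$policy = @{
    displayName = 'Pilot - Block personally owned mobile devices'   # hypothetical name
    state       = 'enabledForReportingButNotEnforced'               # report-only
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)    # avoid locking out emergency access
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        platforms      = @{ includePlatforms = @('android', 'iOS') }
        devices = @{
            deviceFilter = @{
                # Exclude company-owned devices instead of including personal ones:
                # an unregistered phone has no ownership attribute, so an include
                # filter on "Personal" would never match it, while this exclude
                # filter leaves it inside the block policy.
                mode = 'exclude'
                rule = 'device.deviceOwnership -eq "Company"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the sign-in logs for the pilot group before changing `state` to `enabled`.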

Here is an example QR code phishing email from November 15th:

[Image: example QR code phishing email]

My colleague Chris Lehr created a transport rule to try to detect QR codes.
https://twitter.com/chrislehratx/status/1709288477526028346

(Disclaimer: Due to false positives, test this out on a small pilot group, and set the ETR action to prepend the phrase “Possible QR Code Phishing:” to the message subject to get the end user’s attention.)

Chris was also successful in having Microsoft update their documentation to reflect that they are not yet able to block malicious QR codes. An earlier version of their documentation stated that MDO blocked malicious QR codes, but in our testing we confirmed it did not. https://twitter.com/chrislehratx/status/1707137624694313375

Microsoft is actively working on a fix, but we do not yet have an ETA.

