Protecting against QR Code Phishing (Quishing)

QR Code Phishing

Introduction

As part of our SOC team, we’ve witnessed a significant surge in QR Code Phishing incidents over the past year. In this article, we’ll delve into the fundamentals of QR code phishing and provide actionable steps to safeguard against this growing threat. Notably, both offensive and defensive capabilities have evolved, including powerful tools like Evilginx (read my blogpost here) and Microsoft’s defensive solutions.

So back to the basics…

How does QR Code Phishing work?

QR Codes present a unique challenge for security providers: during mail flow they are just an image, unreadable until rendered. Once the QR code is rendered (what the human eye sees), it can be scanned and processed for further analysis.

QR codes are used in phishing attacks for mainly two reasons:

  1. They move the attack away from well-protected corporate environments and onto the victim’s personally owned mobile device, which may be less secure;
  2. They leverage the most common credential theft vector which is the uniform resource locator (URL). A QR code can be easily manipulated to redirect unsuspecting victims to malicious websites or to download malware in exactly the same way as URLs, only by putting the URL in a more difficult-to-detect location.

Steps in the process:

  • Delivery: Attackers distribute QR codes via emails, social media, or physical means.
  • Scanning: Unsuspecting users scan the QR codes, assuming they are legitimate.
  • Redirection: The QR codes redirect users to malicious sites or prompt them to download malware.
  • Data Theft: The goal is to steal sensitive information.

A few examples below (source: Microsoft)

QR Codes embedded as inline images within the email body
In the example below, the QR code is embedded inline within the body of the email; when scanned it redirects the user to a phishing website that attempts to gather their credentials.

Figure 1: QR code as an image within the email body redirecting to a malicious website.

QR Code within an image in the email body
In the example below, the QR code is placed inside a larger image that is embedded inline within the body of the email.

Figure 2: QR code inside of an image within the email body attempting to redirect to a malicious website.

QR Code as an image in an attachment
In the example below, the QR code is embedded inside a PDF attachment; when scanned it redirects the user to a phishing website that attempts to gather their credentials.

Figure 3: QR code as an image within an attachment sent via email attempting to redirect to a phishing website.

Various patterns of QR Code Phishing messages

Within QR Code Phishing, multiple layers of tactics, techniques and procedures (TTPs) reveal various patterns seen by Microsoft. This includes but is not limited to:

  1. URL redirection
  2. Minimal to no text (reducing signals for ML detection)
  3. Abuse of known brands
  4. Abuse of sending infrastructure known for sending legitimate emails
  5. A variety of social lures including 2 factor auth, document signing, and more
  6. Embedding QR codes in attachments

How can Microsoft protect me from QR Code Phishing?

Microsoft offers a wide array of options to (technically) protect yourself against QR Code Phishing. Ensure that you have at least Defender for Office 365 P1/P2 licenses and Defender for Endpoint to make the most of the available features:

  1. Microsoft Defender for Office 365 uses advanced technologies to detect and block QR code phishing attacks.
  2. Microsoft Defender for Endpoint on Android and iOS includes anti-phishing capabilities that apply to QR code phishing attacks, blocking phishing sites from being accessed.
  3. Microsoft Defender for Endpoint also provides protection against malware that may be downloaded or installed through the URL link.

Microsoft Defender for Office 365 has recently also introduced several (new) capabilities to protect organizations against QR code phishing:

  1. Advanced Image Extraction Technologies: Defender for Office 365 uses advanced image extraction technologies to detect QR codes in emails. These technologies allow the system to extract URL metadata from a QR code and feed it into the existing threat protection and filtering capabilities.
  2. Machine Learning Models: URLs extracted from QR codes are analyzed using machine learning models. These models check the reputation of the URLs and assess their potential threat level.
  3. Heuristics-Based Rules: Microsoft has developed heuristics-based rules that can quickly identify and block QR code phishing attempts. These rules were released within minutes, leading to approximately 1.5 million QR code phishing attempts blocked in email bodies per day.
  4. Combining Signals: Defender for Office 365 combines various signals, including QR code data, sender intelligence, message headers, content filtering, and recipient details, to identify malicious messages.

https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/protect-your-organizations-against-qr-code-phishing-with/ba-p/4007041
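To make the extraction-and-filtering pipeline above concrete, here is an added example (not code from this post or from Microsoft): it walks a constructed MIME message, picks out the inline image parts the HTML body references, takes the decoded QR text from an assumed decoder (a constructed stand-in for a library such as pyzbar), feeds any URL into the same check a plain URL would get (here: unwrapping a redirect parameter, the "URL redirection" pattern), and records the "minimal text" signal from the pattern list. All function names, hosts and the message itself are constructed for this example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse, parse_qs

# Constructed sample (not a real phish): a short lure plus an inline QR image, the "minimal text" pattern.
RAW_MAIL = """\
From: noreply@mail.example-shipping.test
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Scan to continue</p><img src="cid:qr1@example"></body></html>
--b1
Content-Type: image/png
Content-ID: <qr1@example>

iVBORw0KGgo=
--b1--
"""
# Assumption: a QR decoder such as pyzbar turns the image into text; this dict is a constructed
# stand-in for that decoder's output, keyed by the image part's Content-ID.
DECODED_QR = {"qr1@example": "https://login.example-cdn.test/go?url=https://evil.test/mfa"}

def inline_image_cids(msg):
    # Only image parts the HTML body actually references are rendered QR candidates.
    html = msg.get_body(preferencelist=("html",))
    body = html.get_content() if html else ""
    cids = [p.get("Content-ID", "").strip("<>") for p in msg.walk()
            if p.get_content_maintype() == "image"]
    return [c for c in cids if c and f"cid:{c}" in body]

def visible_text_len(msg):
    # Length of the text a reader sees; QR phish often carries almost none.
    html = msg.get_body(preferencelist=("html", "plain"))
    return len(re.sub(r"<[^>]+>", "", html.get_content()).strip()) if html else 0

def triage(raw, decoded):
    """Extract URL metadata from decoded QR images and flag redirection wrappers."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for cid in inline_image_cids(msg):
        url = urlparse(decoded.get(cid, ""))
        if url.scheme not in ("http", "https"):
            continue  # plain-text, vCard or Wi-Fi payloads are not URL threats
        nested = [v for vs in parse_qs(url.query).values() for v in vs  # redirection wrapper
                  if v.startswith(("http://", "https://"))]
        findings.append({"cid": cid, "host": url.hostname,
                         "redirect_to": urlparse(nested[0]).hostname if nested else None})
    return {"qr_urls": findings, "low_text": visible_text_len(msg) < 40}
```

The returned hosts are what you would hand to your existing URL reputation and blocklist checks, exactly as a URL found in plain text would be.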

But wait, is this all I can do?

When it comes to QR Code Phishing, there is more to consider, and arguably it matters even more than the technical controls above. Let's break this down into two parts:

User Awareness:

  • All forms of phishing start with awareness.
  • Train your users to recognize QR Code Phishing attempts (also see Microsoft Attack Simulation).
  • Help them understand when they encounter QR Code Phishing.

XDR:

  • QR Code Phishing aims to gain unauthorized access to an environment.
  • Often, this involves account takeover through adversary-in-the-middle (AiTM) phishing.[1][2]
  • Leveraging an Extended Detection and Response (XDR) solution allows you to detect, respond and disrupt effectively.
  • Microsoft’s offerings, such as Identity Protection, Conditional Access, and Phishing Resistant MFA, play a crucial role in defending against these threats.

    1. For active hunting into QR Code Phishing, Microsoft did a pretty good job on all the queries and indicators you can use to get a better understanding of what is going on in your own environment here: Hunting for QR Code AiTM
    2. Also see this new message from the 1st of April, which enriched the possibilities to use identifiers to investigate, monitor, alert or trigger automated investigations, and to hunt and remediate QR code based attacks more effectively and efficiently.