These phishing emails use QR codes to bypass defences and steal Microsoft 365 usernames and passwords

QR codes have less chance of being picked up by cybersecurity defences than links or attachments -- and cyber criminals are trying to exploit them.
Written by Danny Palmer, Senior Writer

Cyber criminals are sending out phishing emails containing QR codes in a campaign designed to harvest login credentials for Microsoft 365 cloud applications.

Usernames and passwords for enterprise cloud services like Microsoft 365 are a prime target for cyber criminals, who can exploit them to launch malware or ransomware attacks, or sell the stolen login credentials on to other hackers to use in their own campaigns.

Cyber criminals are looking for sneaky new ways to dupe victims into clicking links to phishing websites designed to look like authentic Microsoft login pages, so that the victims accidentally hand over their credentials.

One recent campaign detailed by cybersecurity researchers at Abnormal Security sent hundreds of phishing emails that attempted to use QR codes designed to bypass email protections and steal login information. This is known as a "quishing" attack.

QR codes can be useful in attempts at malicious activity because standard email security protections like URL scanners won't pick up any indication of a suspicious link or attachment in the message. 

The campaign is run from previously compromised email accounts, allowing the attackers to send emails from accounts used by real people at real companies to add an aura of legitimacy to the emails, which could encourage victims to trust them. It's not certain how the attackers initially gain control of the accounts they're using to distribute the phishing emails.

The phishing emails claim to contain a voicemail message from the owner of the email account they're being sent from and the potential victim is asked to scan a QR code in order to listen to the recording. All of the QR codes analysed were created the same day that they were sent.  

A previous version of the campaign attempted to trick users into clicking on a malicious URL by hiding it behind an audio file. However, this was detected and identified as malicious by antivirus software, leading the attackers to switch to using QR codes. 

While using the QR codes method can more easily bypass email protections, the victim needs to follow many more steps before they reach the point where they could mistakenly give their login credentials to cyber criminals. For a start, the user needs to scan the QR code in the first place -- and if they're opening the email on a mobile, they'll struggle to do this without a second phone.

However, if the victim doesn't suspect anything is wrong and follows the instructions, they could mistakenly give their username and password to cyber criminals.

"The use of the QR code presents a unique challenge to those security platforms that look for known bad, as these emails come from legitimate accounts and contain no links, only seemingly benign images appearing to contain no malicious URLs," said Rachelle Chouinard, threat intelligence analyst at Abnormal Security.

"It's only by understanding that the account is compromised -- combined with an understanding of the intent of the email -- that this new (and fairly innovative) attack type can be detected," she added. 

In order to stay safe from quishing emails, users should be extremely wary of scanning QR codes presented in unexpected messages, even if they look like they come from known contacts. Applying multi-factor authentication to Microsoft 365 accounts can also help protect login details from being stolen. 
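For mail administrators, the traits described above (an image, no link for a URL scanner to inspect, a voicemail lure and a request to scan) can be combined into a triage rule. The sketch below is an added example, not code from Abnormal Security or ZDNet; the keyword lists and both sample messages are constructed assumptions, and it does not decode the image itself.

```python
import re
from email import message_from_string, policy

URL_RE = re.compile(r"https?://|www\.", re.I)
LURE_RE = re.compile(r"\b(voice ?mail|voice message|recording)\b", re.I)  # assumed wording
SCAN_RE = re.compile(r"\b(qr code|scan)\b", re.I)                         # assumed wording

def quishing_signals(raw):
    # Parse the raw message, then collect text parts and count image parts.
    msg = message_from_string(raw, policy=policy.default)
    text, images = [], 0
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            images += 1  # inline or attached picture that may carry a QR code
        elif part.get_content_type() in ("text/plain", "text/html"):
            text.append(part.get_content())
    body = (msg["Subject"] or "") + "\n" + "\n".join(text)
    return {
        "has_image": images > 0,
        "no_links": not URL_RE.search(body),  # nothing for a URL scanner to see
        "voicemail_lure": bool(LURE_RE.search(body)),
        "asks_to_scan": bool(SCAN_RE.search(body)),
    }

def is_suspect(raw):
    # Flag for human review only when every signal is present.
    return all(quishing_signals(raw).values())

# Constructed sample message (not taken from the campaign).
QUISH = """\
Subject: New voicemail
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You have a new voicemail. Scan the QR code below to listen.
--b1
Content-Type: image/png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
# Same message with a visible link instead of a scan request: left to URL scanning.
LINKED = QUISH.replace("Scan the QR code below", "Visit https://intranet.example/vm")

print(is_suspect(QUISH), is_suspect(LINKED))
```

A rule like this only queues messages for review; sender context, such as whether the sending account is known to be compromised, still has to come from elsewhere.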
