In June, a new wave of Microsoft-themed email messages began to land in user inboxes. The messages looked authentic, prominently exhibiting the Microsoft logo and a familiar email template that required the user to update their 2FA code. There were no links or attachments — only a QR code.
Upon scanning the QR code from the user’s mobile device, the user gets taken to a Microsoft-themed web portal where they’re asked to enter their login credentials and subsequent MFA code. If the user enters their credentials, the information is sent to an attacker and their account becomes compromised. What follows are potentially any number of insidious outcomes, from pivoting internally to compromise other accounts to accessing other sensitive systems.
Why QR codes are an attractive phishing lure
QR codes have become prolific in phishing attacks and continue to fly under the radar of traditional email security solutions. And it’s for a simple reason: QR codes offer camouflage for malicious links and require a decoder to recognize and extract the destination. QR codes are appealing to attackers because we’ve become so accustomed to scanning QR codes in our daily lives. For years, we’ve trained users to hover over links in emails before clicking, but QR codes make it impossible to know the destination prior to scanning.
We’ve observed a ton of attack variants leveraging QR codes, from malware delivery to brand impersonation of Microsoft, SharePoint, and DocuSign, and even HTML-smuggled QR codes for credentials. Since most QR code scanning happens on mobile devices, this often takes the end-user off the corporate network, making it harder to detect account compromise or payload downloads and execution.
Detection and mitigation strategies
Organizations should take a defense-in-depth approach to prevent and mitigate the impact of a QR-code attack. Here are three strategies, but these are by no means all-inclusive.
- Train users: It’s become critical to educate users on the danger of QR-code attacks. While QR-code attacks have been observed in the past, they’ve only recently become so prolific, and users may not think about how QR codes are abused. User education makes the user community an added layer of defense.
- Employ hardware-based multifactor authentication (MFA): Hardware tokens such as YubiKeys are resilient to phishing frameworks like evilginx2 that can relay credentials and time-based one-time password MFA tokens. If hardware-based MFA techniques aren’t feasible, employ the strongest available.
- Focus on the perimeter: Organizations can detect and prevent QR-code attacks at the email perimeter, before users interact with them, using open-source detection rules.
How to identify email attack patterns
Message Query Language (MQL) has been developed as a domain-specific language (DSL) for describing email attack patterns. When a message matches one of those patterns, teams can enforce automated actions, such as quarantine, to neuter campaigns. MQL rules detect attacks behaviorally using a myriad of signals, making them more resilient to attacker adaptation. For example, these rules:
- Detect the presence of a QR code embedded in the body of the message or in an attachment.
- Identify a Microsoft, DocuSign, or Adobe logo using Computer Vision.
- Analyze the language used in the message using Natural Language Understanding.
- Decode the QR code and analyze the destination URL and its contents.
- Determine the sender’s risk to the organization based on prior historical communications, domain reputation, domain age, and other data.
- Flag impersonation of “Microsoft” or other brands in the sender’s display name.
Here’s a sample rule snippet for detecting and preventing a variant of Microsoft-themed QR code attacks:
type.inbound
// identify a QR code and decode it
and any(file.explode(beta.message_screenshot()),
    .scan.qr.type == "url"
    // analyze the URL for credential phishing using Computer Vision and NLU
    and beta.linkanalysis(.scan.qr.url).credphish.disposition == "phishing"
)
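The same detection logic expressed outside MQL, as an added example that is not Sublime's code: it applies two of the signals listed above (display-name impersonation and a decoded QR destination that borrows Microsoft branding off Microsoft infrastructure) to a constructed sample message. QR decoding itself is assumed to be done by a separate decoder; the allowlist, brand terms and sample data are assumptions for the illustration.

```python
"""Added example (not Sublime's code or MQL): triage an inbound message for the
Microsoft-themed QR-code lure above. QR decoding is left to a decoder such as zbar;
the decoded destination URLs are passed in, here as constructed sample data."""
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist of domains that legitimately host Microsoft sign-in flows.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com", "office.com"}
BRAND_TERMS = ("microsoft", "office365", "o365", "sharepoint")  # impersonation hints

def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the allowlist check here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def display_name_impersonation(from_header):
    """Display name claims Microsoft while the sending domain is not Microsoft's."""
    name, addr = parseaddr(from_header)
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    return "microsoft" in name.lower() and sender_domain not in MICROSOFT_DOMAINS

def suspicious_qr_url(url):
    """Decoded QR destination borrows Microsoft branding off Microsoft infrastructure."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if registered_domain(host) in MICROSOFT_DOMAINS:
        return False  # genuine Microsoft destination
    haystack = (host + parsed.path + parsed.query).lower()
    return any(term in haystack for term in BRAND_TERMS)

def triage(raw_message, decoded_qr_urls):
    """Return the reasons to hold the message; an empty list means no hit."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    if display_name_impersonation(str(msg["From"])):
        reasons.append("display name impersonates Microsoft")
    for url in decoded_qr_urls:
        if suspicious_qr_url(url):
            reasons.append("QR destination impersonates Microsoft: " + url)
    return reasons

# Constructed sample matching the lure described above: no links, just a QR image.
SAMPLE_MESSAGE = ('From: "Microsoft Account Team" <security@mail-updates.example>\n'
                  'Subject: Action required: update your 2FA code\n\n'
                  'Scan the QR code below to keep your account secure.\n')
SAMPLE_QR_URLS = ["https://login-microsoft.example/verify?u=alice%40corp.example"]
```

Running `triage(SAMPLE_MESSAGE, SAMPLE_QR_URLS)` returns both reasons for the sample, while a genuine `login.microsoftonline.com` destination or a genuine Microsoft sender produces no hit.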
Any organization can deploy MQL rules for free. Teams can deploy rules written by their peers in the security community or even write their own. QR code rules, including for Microsoft-themed attacks, can be found on this GitHub repository. We also published a deep dive into QR code phishing detection that covers the tactics, techniques, and procedures (TTPs) in more detail, with additional rule strategies.
Cybercrime has become big business. Cybercriminals will continue to evolve their email attacks so long as they can maintain a relatively high return on investment. Nation-states will continue to use email as an initial access vector so long as it’s effective.
An effective security strategy employs a multitude of tools and governance policies to mitigate risk at multiple levels. From detection-as-code tooling that lets organizations control their own destiny and collaborate with their peers, to MFA and user education, we can start to make email a less profitable attack vector while keeping our organizations safe.
Joshua Kamdjou, founder and CEO, Sublime Security