Cyber Security Threat Summary:
A phishing campaign was observed predominantly targeting a notable energy company in the US, employing QR codes to slip malicious emails into inboxes and bypass security. Roughly one-third (29%) of the 1,000 emails attributed to this campaign targeted a large US energy company, while the remaining attempts were made against firms in manufacturing (15%), insurance (9%), technology (7%), and financial services (6%). According to Cofense, who spotted this campaign, this is the first time that QR codes have been used at this scale, indicating that more phishing actors may be testing their effectiveness as an attack vector. Cofense did not name the energy company targeted in this campaign but categorized them as a "major" US-based company.

In the attacks observed by Cofense, the injection chain started off with a phishing email requesting recipients to update and enable 2FA authentication on their Microsoft 365 accounts. Attached to the emails are either a PNG or PDF file featuring a QR code which the recipient is prompted to scan to verify their account. To create a sense of urgency, the emails also state that this step should be completed within 2-3 days. Once the recipient scans the QR codes will redirect the victim to a Microsoft 365 phishing page, which can be further used to gather credentials.

Security Officer Comments:
With email security defenses improving over the years, the FBI warned in 2022 that cybercriminals are increasingly using QR codes to steal credentials and financial information. The use of QR codes is a tactic employed by actors to bypass email security filters which typically scan messages for malicious links.

“To evade security, the QR codes in this campaign also use redirects in Bing, Salesforce, and Cloudflare’s Web3 services to redirect the targets to a Microsoft 365 phishing page. Hiding the redirection URL in the QR code, abusing legitimate services, and using base64 encoding for the phishing link all help evade detection and get through email protection filters” (Bleeping Computer, 2023).

Although QR codes haven’t been observed in mass phishing campaigns till now, threat actors have relied on them in the past to launch attacks, on a smaller scale, which targeted French Cofense customers as well as German e-banking users.

Suggested Correction(s):
Upon scanning a URL, it’s important to check the URL to ensure that it is authentic and the intended site. Most QR code scanners will ask users to verify the destination URL before launching it on the browser. Generally, a misplaced letter or typos in the domain can be an indicator that the URL is malicious.

Link(s):
https://www.bleepingcomputer.com/