The Rise of QR Phishing
In 2023, a new phishing threat emerged that took the cybersecurity world by storm: the QR phishing email. This simple yet effective method bypasses common security controls, posing a significant risk to organizations and individuals. Here’s how it works and what can be done to protect against it.
How QR Phishing Emails Work
The typical QR phishing email is deceptively simple. Often, it contains nothing more than a single image designed to look like a legitimate Microsoft Multi-Factor Authentication (MFA) message. Given how accustomed many of us are to seeing these messages, it’s easy to see why victims would scan the QR codes with their mobile devices without a second thought.
However, once scanned, the QR code directs the user to a fake Microsoft login page. Here, the user is prompted to enter their credentials, unknowingly handing over their login information to cybercriminals. This method is particularly effective because mobile devices frequently operate outside the protective boundaries of an organization’s security controls.
Why This Method Bypasses Traditional Security
The key to the success of QR phishing emails lies in their ability to circumvent standard email security measures. Traditional security solutions, such as Microsoft Defender for Office 365, are designed to scan email attachments and URLs to detect phishing attempts or malicious files. By using QR codes, threat actors can embed links to malicious content directly in the email body, where the link evades detection because email filters see only a harmless-looking image. Furthermore, it is highly likely that a security team will lack telemetry over the mobile device used to scan the QR code, which means any connections to a malicious domain may go undetected.
Protecting Against QR Phishing Emails
User Education
The most effective defense against social engineering attacks, including QR phishing, is user education. It’s crucial for organizations to train their employees to recognize and respond appropriately to phishing attempts. This includes being wary of unsolicited QR codes and understanding the risks associated with scanning them.
Enhanced Detection and Prevention for Mobile Devices
Security teams should consider enrolling users’ mobile devices into their security solutions to ensure they have the necessary telemetry in place. This enrollment can help monitor and respond to potential threats, especially when users inadvertently connect to malicious domains through QR codes.
Proactive Monitoring
For Ontinue customers, proactive monitoring has become a critical part of their defense strategy. By closely monitoring user activity following the receipt of an email, scanning of a QR code, and use of credentials, suspicious behavior can be identified and mitigated more effectively.
Image Detection Mechanisms
Security vendors have enhanced products such as Microsoft Defender for Office 365 to detect and block emails containing QR codes during mail flow, in response to the emerging threat of QR code phishing. These improvements aim to prevent malicious emails from reaching users’ mailboxes by analyzing and recognizing QR codes embedded within email content. Organizations should therefore review their current tool set to ensure it can sufficiently detect QR codes embedded in emails.
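When reviewing a tool set for this gap, it helps to see which messages have the shape described above: an image, almost no body text, and no link a URL scanner could inspect. The Python below is an added example, not code from this report or from any vendor's product. The names triage and build_sample, the MAX_WORDS threshold and the keyword list are assumptions, and decoding the QR code itself is left to whatever decoder or sandbox the flagged message is handed to.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"\b(mfa|multi-factor|authenticat\w+|verif\w+)\b", re.I)
MAX_WORDS = 25  # assumed cut-off for "little or no body text"

def triage(raw: bytes) -> dict:
    """Flag image-bearing mail with sparse text and no scannable links."""
    msg = message_from_bytes(raw, policy=policy.default)
    images, words, urls = 0, [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "image":
            images += 1
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_content()
            urls += URL_RE.findall(body)  # links a URL scanner can already see
            words += re.sub(r"<[^>]+>", " ", body).split()  # drop HTML tags
    lure = bool(LURE_RE.search(f"{msg['subject'] or ''} {' '.join(words)}"))
    image_only = images > 0 and len(words) <= MAX_WORDS and not urls
    action = "normal_scan"
    if image_only:
        # Route to QR decoding; an MFA-themed lure raises the priority.
        action = "decode_qr_high" if lure else "decode_qr"
    return {"images": images, "words": len(words), "urls": len(urls),
            "mfa_lure": lure, "action": action}

def build_sample(subject: str, body: str, with_image: bool) -> bytes:
    """Constructed test message; the image bytes are a placeholder, not a QR code."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "it@example.test", "user@example.test", subject
    m.set_content(body)
    if with_image:
        m.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
                         maintype="image", subtype="png", filename="notice.png")
    return m.as_bytes()

if __name__ == "__main__":
    samples = {
        "lure": build_sample("Action required: MFA re-enrolment",
                             "Scan the code below with your phone to keep access.", True),
        "newsletter": build_sample("Monthly update",
                                   "Read more at https://example.test/news " + "word " * 40, True),
    }
    for name, raw in samples.items():
        print(name, triage(raw))
```

The heuristic only selects candidates for QR decoding; a message it flags is not necessarily malicious, and a lure padded with filler text would need a lower bar or a decoder run on every image.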
The rise of QR phishing emails in 2023 is a stark reminder that cyber threats are continually evolving. While traditional security measures are essential, they must be complemented by user education and advanced detection technologies to stay ahead of these ever-changing tactics. By staying informed and vigilant, we can better protect ourselves and our organizations from these sophisticated phishing attacks.
Read our full End of Year 2023 Threat Intelligence report from our Advanced Threat Operations team.