Hunting and responding to QR code-based phishing attacks with Defender for Office 365

Phishing is one of the most common and effective cyberattack vectors that threat actors use to compromise email accounts, steal sensitive data, and deliver malware. Recently, we have observed a new trend in phishing campaigns that leverage QR codes embedded in emails to evade detection and trick users into visiting malicious links. QR codes are two-dimensional barcodes that can store various kinds of data, such as URLs, text, or contact information. They are widely used for convenience and ease of access, especially with mobile devices. However, they can also pose a security risk, as users may not be able to tell what the QR code contains or where it leads before scanning it with their devices.

To help our customers defend against this emerging threat, Microsoft Defender for Office 365 has introduced several enhancements to its prevention capabilities that can detect and block QR code-based attacks. Check out this blog to learn more about QR codes and how Defender for Office 365 is protecting end users against such attacks: Protect your organizations against QR code phishing with Defender for Office 365

Along with these prevention and detection capabilities, Microsoft Defender for Office 365 has also introduced several enhancements to its investigation, hunting and response capabilities to help security teams hunt for and respond to such threats. These enhancements also let security teams gauge the volume of QR code-based attacks in their organization, which in turn helps them define processes that keep their posture secure and educate their users about the risks of such attack patterns.

This blog will cover how security teams can identify the URLs embedded within QR codes in an email across their investigation and hunting workflows. This spans the Defender for Office 365 experiences (Email Entity and Threat Explorer) and the Microsoft Defender XDR experiences such as Advanced Hunting, where the same identifiers can be used to investigate, monitor alerts or trigger automated investigations, and to hunt for and remediate QR code-based attacks more effectively and efficiently.

How to hunt and respond to QR code-based attacks?

URLs extracted from a QR code carry the URL source/location identifier “QR code” (spelled “QRCode” in the Advanced Hunting schema). Below are examples of how customers can filter for URLs extracted from QR codes:

1) Email Entity: The URL tab in the Email Entity page displays the “Source” value as “QR code” for URLs extracted from a QR code within the email. During mail flow processing, Defender for Office 365 sandboxes URLs based on certain parameters to analyze their behavior. To see the sandboxing results, users can click on the URL to navigate to the deep analysis tab and view the detonation details, including a screenshot of the URL's landing page. If the URL's behavior is found to be malicious, users can submit the email to Microsoft and take remedial actions using the action wizard integrated in the Email Entity page. Alternatively, users can trigger an automated investigation of the email, sender or recipients.


Check out this blog to learn more about supported actions via Take Action wizard: Enhanced action experience (Action wizard V2) from Email entity / Summary panel

2) Threat Explorer: Security analysts can use the URL Source filter under the URL section of Explorer's filter dropdown, which now supports the “QR code” value. Applying this filter narrows the results to emails that have at least one URL extracted from a QR code. Combining it with the Threat Type and URL count filters helps identify malicious URLs. Users can narrow down the search and take the required remediation actions, or navigate to the Email Entity page to perform a deeper investigation and remediate from there.


3) Advanced Hunting: Because phishing attacks are not limited to email but extend to endpoint devices and identities, Microsoft Defender XDR provides Advanced Hunting for extended hunting across email, endpoint and identity data. The EmailUrlInfo table under the Email & collaboration schema of Advanced Hunting contains the URLs extracted and logged from each email. For URLs extracted from a QR code, the UrlLocation column in EmailUrlInfo has the value “QRCode” (no space, unlike the “QR code” label used by the portal filters). Analysts can join EmailUrlInfo with the EmailEvents table on NetworkMessageId to get the email metadata and take the appropriate remediation action.


In addition to the KQL-based experience, analysts can also use the query builder experience to filter and hunt for QR code-based attacks using the UrlLocation filter, as shown in the image below:

[Image: Advanced Hunting query builder with the UrlLocation filter set to QRCode]

Here are a few sample queries on how to hunt for QR code-based attacks:   

Volume of inbound emails with a QR code in the last 30 days:

// One row per message per day: dcount collapses the per-recipient rows of EmailEvents
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| summarize QrEmails = dcount(NetworkMessageId) by bin(Timestamp, 1d)
| render timechart

Delivered emails with URLs embedded in QR codes:

// kind=inner keeps every recipient row; the default (innerunique) would keep only
// one EmailEvents row per NetworkMessageId and silently drop the other recipients
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| join kind=inner EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain, UrlLocation

Delivered emails with QR codes and suspicious keywords in the subject:

// Subject keywords commonly seen in QR-code phishing lures; has_any is case-insensitive
let SubjectKeywords = dynamic(["authorize", "authenticate", "account", "confirmation", "QR", "login", "password", "payment", "urgent", "verify"]);
EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where Subject has_any (SubjectKeywords)
| join kind=inner EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, Url, UrlDomain

Note: Post-delivery events such as ZAP (zero-hour auto purge) can remove malicious emails containing QR codes after they have been delivered. Security teams can monitor the email ZAP alert (“Email messages containing malicious URL removed after delivery”), the Microsoft Defender XDR incidents related to ZAP alerts and the corresponding automated investigations. Alternatively, security teams can trigger investigations from the action workflow or write custom detection rules that raise custom alerts.
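As an added example (not part of the original post), the following Advanced Hunting query measures how the ZAP behaviour described in the note plays out for QR-code emails: it joins EmailPostDeliveryEvents with EmailUrlInfo to list messages that carried a QR-code URL, were delivered, and were later removed by ZAP, together with the outcome of the action and how long each recipient had the message before it was removed. It assumes the documented EmailPostDeliveryEvents schema (ActionType values “Phish ZAP” and “Malware ZAP”; the Action, ActionResult and DeliveryLocation columns); the 30-day lookback and the QrUrls and MinutesExposed column names are choices made here.

```kql
// Added example, not from the original post: QR-code emails that were delivered
// and later removed by ZAP, with the post-delivery outcome per recipient.
let lookback = 30d;
// Messages that carried at least one URL extracted from a QR code
let qr_messages = EmailUrlInfo
    | where Timestamp > ago(lookback)
    | where UrlLocation == "QRCode"
    | summarize QrUrls = make_set(Url, 10) by NetworkMessageId;
EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
// Assumption: documented ActionType values for zero-hour auto purge
| where ActionType in ("Phish ZAP", "Malware ZAP")
| join kind=inner qr_messages on NetworkMessageId
// Pull the original delivery record for the same message and recipient
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject,
              DeliveredTime = Timestamp
  ) on NetworkMessageId, RecipientEmailAddress
// Exposure window: minutes between delivery and the ZAP action
| extend MinutesExposed = datetime_diff("minute", Timestamp, DeliveredTime)
| project Timestamp, DeliveredTime, MinutesExposed, ActionType, Action, ActionResult,
          DeliveryLocation, RecipientEmailAddress, SenderFromAddress, Subject, QrUrls
| order by Timestamp desc
```

Appending `| summarize count() by ActionType, ActionResult` to the query gives the ZAP outcome ratio for QR-code mail; a run of failed removals or long MinutesExposed values is the signal to review pre-delivery policy and to consider the custom detection rule described later in this post.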

Hunting for adversary-in-the-middle (AiTM) phishing and user compromise: Users' inability to see what is hidden behind a QR code before scanning it has been a major factor behind attacks involving malicious QR codes. One such example is adversary-in-the-middle (AiTM) attacks. Adversaries can craft QR codes that reroute users to counterfeit versions of trusted websites, including banks, social media platforms or online services. Once the unsuspecting user scans the QR code, they are directed to a fraudulent phishing page that proxies the legitimate sign-in. When the user authenticates, the attacker captures the user's session token (even if MFA was satisfied during that sign-in), which lets them carry out further malicious activity such as Business Email Compromise and data exfiltration. Attackers may also engineer QR codes that prompt users to unknowingly download malware onto their devices. These attacks carry grave consequences, potentially leading to identity theft, financial loss, data breaches or compromise of the user's device.

Sample Advanced Hunting query for emails with QR codes from non-prevalent senders:

// Senders seen more than once in the 7 days before the last 24 hours
let senderprevalence = EmailEvents
    | where Timestamp between (ago(7d)..(now()-24h))
    | where isnotempty(SenderFromAddress)
    | summarize TotalEmailCount = dcount(NetworkMessageId) by SenderFromAddress
    | where TotalEmailCount > 1;
let prevalent_Sender = senderprevalence
    | where isnotempty(SenderFromAddress)
    | distinct SenderFromAddress;
// Inbound QR-code emails from the last 24 hours whose sender is not prevalent
let QR_from_non_prevalent = EmailEvents
    | where EmailDirection == "Inbound"
    | where Timestamp > ago(1d)
    | where SenderFromAddress !in (prevalent_Sender)
    | join EmailUrlInfo on NetworkMessageId
    | where UrlLocation == "QRCode"
    | distinct SenderFromAddress, Url, NetworkMessageId;
QR_from_non_prevalent

Check out this blog to learn more about the AiTM attack pattern and hunting for similar attacks- Hunting for QR Code AiTM Phishing and User Compromise
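A practical caveat for the AiTM scenario above: a QR code is scanned with a phone camera rather than clicked in the mail client, so the resulting visit does not pass through Safe Links and will not show up in UrlClickEvents. The user's identity is therefore the better pivot. The query below is an added example (not from the original post or the linked AiTM blog): it reuses the sender-prevalence idea from the query above, then correlates each recipient of a delivered QR-code email from a non-prevalent sender with successful, risky sign-ins for that account in the 24 hours after delivery. It assumes the AADSignInEventsBeta table is available in the tenant (it depends on Microsoft Entra ID P2 licensing) and that RiskLevelDuringSignIn uses the documented integer encoding (0 none, 1 low, 10 medium, 100 high); the window lengths and the EmailTime and SignInTime column names are choices made here.

```kql
// Added example, not from the original post: recipients of QR-code emails from
// non-prevalent senders who then had a risky successful sign-in within 24 hours.
let lookback = 7d;
// Senders seen more than once in the 30 days before the hunting window
let prevalent_senders = EmailEvents
    | where Timestamp between (ago(30d) .. ago(lookback))
    | where isnotempty(SenderFromAddress)
    | summarize Msgs = dcount(NetworkMessageId) by SenderFromAddress
    | where Msgs > 1
    | distinct SenderFromAddress;
// Delivered (or junked) inbound QR-code emails from senders not in that set,
// one row per recipient, keyed by the recipient's UPN for the identity join
let qr_recipients = EmailEvents
    | where Timestamp > ago(lookback)
    | where EmailDirection == "Inbound"
    | where DeliveryAction in ("Delivered", "Junked")
    | where SenderFromAddress !in (prevalent_senders)
    | join kind=inner (
        EmailUrlInfo
        | where Timestamp > ago(lookback)
        | where UrlLocation == "QRCode"
        | project NetworkMessageId, Url, UrlDomain
      ) on NetworkMessageId
    | project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress, Subject,
              Url, UrlDomain, AccountUpn = tolower(RecipientEmailAddress);
// Assumption: AADSignInEventsBeta present; ErrorCode 0 = success;
// RiskLevelDuringSignIn >= 10 = medium or high risk per the documented encoding
AADSignInEventsBeta
| where Timestamp > ago(lookback)
| where ErrorCode == 0
| where RiskLevelDuringSignIn >= 10
| project SignInTime = Timestamp, AccountUpn = tolower(AccountUpn), IPAddress, Country,
          Application, UserAgent, RiskLevelDuringSignIn
| join kind=inner qr_recipients on AccountUpn
// Only sign-ins that happened after the email arrived, within one day
| where SignInTime between (EmailTime .. (EmailTime + 24h))
| project SignInTime, EmailTime, AccountUpn, IPAddress, Country, Application, UserAgent,
          RiskLevelDuringSignIn, SenderFromAddress, Subject, Url, UrlDomain, NetworkMessageId
| order by SignInTime desc
```

The risk filter is deliberately strict; relaxing it to sign-ins from an IP address or country the account has not used before (computed from AADSignInEventsBeta over the preceding weeks) widens coverage for AiTM kits that do not trip sign-in risk, at the cost of more rows to triage.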

Next Steps: In addition to threat hunting and remediation, organizations can take several proactive steps to strengthen their protection against such attacks, from continuous monitoring to essential end-user training. Here are a few steps security teams can take to maintain a secure posture:

1) Write a custom detection rule: Custom detection rules are customizable rules defined using Advanced Hunting queries. They enable proactive surveillance of suspicious events and activities, giving security teams standing monitors over the threat landscape in their organization. Rules can be scheduled for periodic execution, generating incidents/alerts and triggering automatic email remediation actions according to the rule configuration. To learn more about how to create and manage custom detection rules, check out – Create and manage custom detection rules in Microsoft Defender XDR | Microsoft Learn

With the new QR code-based attack patterns, security teams can write a custom detection rule that checks sender prevalence over the last 14 days and uses it to detect malicious activity in emails containing QR codes. Here is a sample custom detection rule query using sender prevalence over emails containing QR codes (the final project returns Timestamp and ReportId, which every custom detection rule requires, plus NetworkMessageId and RecipientEmailAddress, which are needed for the rule to take email actions):

// Emails with URLs extracted from QR codes in the last 2 days
let QRCode_emails = EmailUrlInfo
    | where Timestamp > ago(2d)
    | where UrlLocation == "QRCode"
    | distinct Url, NetworkMessageId;
let nMIDs = QRCode_emails | distinct NetworkMessageId;
// Extracting sender and recipients of the emails with QR codes
let senders_NMIDs = EmailEvents
    | where Timestamp > ago(2d)
    | where DeliveryAction != "Blocked" // Only delivered or junked emails are interesting
    | where isnotempty(NetworkMessageId)
    | where NetworkMessageId in (nMIDs)
    | distinct Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress, InternetMessageId, RecipientObjectId, ReportId;
let senders = senders_NMIDs
    | distinct SenderFromAddress;
// Checking sender prevalence in the organization over the preceding 14 days
// (the most recent 24h are excluded so a sender's current burst of mail does not count towards its own prevalence)
let senderprevalence = EmailEvents
    | where Timestamp between (ago(14d)..(now()-24h))
    | where isnotempty(SenderFromAddress)
    | where SenderFromAddress in (senders)
    | summarize TotalEmailCount = count() by SenderFromAddress
    | where TotalEmailCount > 1;
let prevalent_Sender = senderprevalence
    | where isnotempty(SenderFromAddress)
    | distinct SenderFromAddress;
// Keeping only the QR-code emails whose sender was not prevalent
let nMIDs_from_non_prevalent_Senders = senders_NMIDs
    | where SenderFromAddress !in (prevalent_Sender)
    | distinct NetworkMessageId;
let QRCode_emails_from_non_prevalent_senders = QRCode_emails
    | where NetworkMessageId in (nMIDs_from_non_prevalent_Senders)
    | join kind=inner senders_NMIDs on NetworkMessageId
    // Timestamp and ReportId are required by custom detection rules;
    // NetworkMessageId and RecipientEmailAddress are required for email actions
    | project Timestamp, Url, NetworkMessageId, InternetMessageId, RecipientEmailAddress, RecipientObjectId, ReportId;
QRCode_emails_from_non_prevalent_senders

2) Train users in your organization against QR code-based attacks: Check out this blog – Train your users to be more resilient against QR code phishing – to learn more about the two recently launched QR code phishing training modules aimed at educating users against QR code-based phishing attacks.

https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730