Fortra Discovers Sophisticated QR Code Phishing Campaign That Targets Office 365 Users

Global cybersecurity software and solutions provider Fortra has discovered a sophisticated QR code phishing campaign specifically targeting Microsoft Office 365 users across various industries, including finance and healthcare. In this campaign, employees are tricked into scanning a QR code sent through a blank email. That code redirects them to a highly personalized phishing page tailored to look like their company’s Office 365 login portal.

Now at this time, I don’t have a link to send you to so that you can read this document for yourself. But here’s how the campaign works:

  • The target, because this is a targeted attack, gets an email that contains a PDF. The PDF claims it is an “Enhanced Bonus Distribution Strategy” from HR and requests that the user scan a QR code to access the document.
  • Embedded in the QR code was a phishing redirect link that takes the user to a fake Microsoft Identity Verification Check. Analysis of this page’s source code revealed two base64-encoded strings. One decodes to a URL for a site hosting an email list with 290,000 emails in it, and the other goes to the Office 365 phishing attack. The same code also showed that if the user’s email address is in the email list, they are permitted to continue to the next part of the phish.
  • The background of the Office 365 phishing site changes to reflect the company name based on the user’s email domain. If the user’s email address is not found in the list, they are given four chances to input their email and are then redirected to a random Wikipedia article. The user is given four chances so the attacker can harvest extra email addresses.
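For defenders triaging a saved copy of a landing page like this one, the base64-encoded URLs described above can be recovered offline without visiting anything. This is an added example, not Fortra’s code or tooling; the sample page, the example.test URLs and the function names are constructed for illustration.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to hold a URL, with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_urls(page_source: str) -> list[str]:
    """Return URLs hidden as base64 string literals in saved page source."""
    found = []
    for match in B64_RUN.finditer(page_source):
        token = match.group(0)
        if len(token) % 4:  # not a whole number of base64 quanta
            continue
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary identifier or binary data, not hidden text
        if text.startswith(("http://", "https://")) and text not in found:
            found.append(text)
    return found


def defang(url: str) -> str:
    """Make a URL non-clickable before pasting it into a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


# Constructed sample: placeholder URLs on the reserved .test TLD, encoded the
# way the write-up describes (two base64 strings in the page's script).
LIST_URL = "https://list.example.test/emails.txt"
PHISH_URL = "https://login.example.test/o365/"
SAMPLE_PAGE = f"""<html><body><h1>Identity Verification Check</h1>
<script>
var a = atob("{base64.b64encode(LIST_URL.encode()).decode()}");
var b = atob("{base64.b64encode(PHISH_URL.encode()).decode()}");
var el = document.getElementById("emailAddressInputField");
</script></body></html>"""

if __name__ == "__main__":
    for url in decoded_urls(SAMPLE_PAGE):
        print(defang(url))
```

The defanged output can go straight into a block list request or an incident ticket without risk of someone clicking it.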

Why this matters:

  • QR code phishing attacks are becoming more prevalent due to the reliance on remote and hybrid work environments, which often use QR codes for authentication, document sharing, and security. While often perceived as convenient or harmless, they are now being weaponized to bypass traditional email security measures.
  • The phishing campaign was designed specifically to exploit Office 365, a platform used by over a million companies globally. With over 290,000 email addresses targeted in this attack, this finding represents a major security risk for companies relying on Office 365.
  • The high level of personalization in the phishing attacks can easily trick even trained employees, increasing the risk of credential theft and data breaches.
  • QR codes are under the radar for many cybersecurity protocols, as most rely on anti-phishing tools that scan links in emails, creating blind spots for security teams.

Thus the take-home message is that scanning QR codes is becoming a risky endeavour. If you get one via email from someone that you don’t know, or that you don’t expect, your best course of action is perhaps to delete it and report it to your IT department, as it might be dangerous.
