I think all of us are aware of what phishing is. At its core it is a fraudulent message, most often an email, sent to a victim to get them to take an action. It is a form of social engineering: the attacker wants something from the target, typically credentials, money, or a foothold on a device. The two most common payloads are:
– Download or open a malicious attachment.
– Click a link that sends the user to a malicious site, usually one that imitates a login page so the user enters their credentials.
A fairly new tactic that is becoming more popular is to embed the URL in a QR code instead of placing a typical link in the message body.
You have most likely seen QR codes before. Here is a simple example:
[QR code image encoding https://www.developsec.com]
If you scan the QR code above with your phone's camera, it should highlight the code and show the decoded link (https://www.developsec.com). Once it identifies the link, you get the option to open the site.
This technique adds a twist to the typical phishing attack. Because the URL is embedded in an image rather than the message text, mail filters that extract and inspect links (domain reputation, link rewriting, detonating the destination in a sandbox) never see it; there is no URL in the body to match against a blocklist. With a plain link it is comparatively easy to block known malicious domains. It will be interesting to see whether vendors start decoding the codes and following the embedded links to judge whether they are safe.
Another aspect is that it typically moves the user from the work device to a mobile device to scan the code. A phone, especially a personal one, often sits outside the controls applied to a managed laptop (web proxy, URL filtering, endpoint detection), and many people have work email and apps on personal phones. Because the click happens off the corporate device and network, investigating whether anyone actually visited the site, and from where, is harder.
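To make the detection gap concrete, here is an added example (not code from the original post) of the two steps a mail gateway needs around QR decoding: pulling the image parts out of a message, which is where a text-only link scanner never looks, and triaging the string a decoder returns. Turning the image into text is assumed to be done by a library such as zbar/pyzbar and is not shown. The shortener list, brand list, the organisation domain developsec.com, the sample message and the decoded payloads are all constructed for the example.

```python
"""Triage of QR-code payloads found in e-mail images (added example).

Decoding a QR image into text is assumed to be done by a library such
as zbar/pyzbar and is not shown. This block covers the steps around it:
find the image parts of a message and judge the decoded string.
"""
import ipaddress
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed lists for this example; production would use real feeds.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
IMPERSONATED_BRANDS = {"microsoft", "office365", "okta", "paypal"}
OWN_DOMAINS = {"developsec.com"}  # assumed to be the organisation's domain


def extract_image_parts(raw_eml: bytes):
    """Return (filename, content_type, bytes) for every image/* MIME part."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            found.append((part.get_filename() or "", part.get_content_type(),
                          part.get_payload(decode=True)))
    return found


def triage_qr_payload(payload: str):
    """Classify a decoded QR string; returns (verdict, reasons).

    'block' = a strong indicator hit, 'review' = weak hits only,
    'allow' = own domain or nothing flagged by these heuristics.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # WIFI:, mailto:, tel: or plain text: not a web link, a human decides.
        return "review", [f"non-web payload scheme {scheme or 'none'!r}"]
    host = (parts.hostname or "").lower()
    if not host:
        return "block", ["web URL without a host"]
    if host in OWN_DOMAINS or any(host.endswith("." + d) for d in OWN_DOMAINS):
        return "allow", ["host is an organisation domain"]

    strong, weak = [], []
    if parts.username is not None:
        # https://microsoft.com@evil.example/ shows a brand before the '@';
        # the real host is what follows it.
        strong.append("userinfo in URL (brand-before-@ trick)")
    try:
        ipaddress.ip_address(host)
        strong.append("IP-literal host")
    except ValueError:
        pass
    labels = host.split(".")
    # Simplification: the last two labels are taken as the registrable
    # domain. Wrong for suffixes such as co.uk; use a public-suffix list
    # in production.
    for label in labels[:-2]:
        if any(brand in label for brand in IMPERSONATED_BRANDS):
            strong.append(f"brand name {label!r} in subdomain of "
                          f"{'.'.join(labels[-2:])!r}")
            break
    if scheme == "http":
        weak.append("plain http")
    if any(label.startswith("xn--") for label in labels):
        weak.append("punycode (IDN) label in host")
    if host in KNOWN_SHORTENERS:
        weak.append("URL shortener hides the final destination")

    if strong:
        return "block", strong + weak
    if weak:
        return "review", weak
    return "allow", ["no heuristic hit"]


def build_sample_message() -> bytes:
    """Constructed sample: a text body plus one PNG 'QR code' attachment.

    The image bytes are a PNG signature plus padding, not a real QR
    image, so the example runs offline without a decoder.
    """
    msg = EmailMessage()
    msg["From"] = "it-support@example.net"
    msg["To"] = "user@developsec.com"
    msg["Subject"] = "Action required: re-enroll your MFA device"
    msg.set_content("Scan the code below to keep access to your account.")
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    msg.add_attachment(fake_png, maintype="image", subtype="png",
                       filename="qr.png")
    return bytes(msg)


if __name__ == "__main__":
    for name, ctype, data in extract_image_parts(build_sample_message()):
        print(f"image part {name!r} ({ctype}, {len(data)} bytes): hand to QR decoder")
    # Decoded payloads as a decoder would return them (constructed):
    for payload in ("https://www.developsec.com",
                    "https://microsoft.com@evil.example/login",
                    "https://microsoft.com.login-verify.example/",
                    "http://bit.ly/3xAmPl3",
                    "WIFI:T:WPA;S:corp;P:secret;;"):
        verdict, reasons = triage_qr_payload(payload)
        print(f"{verdict:6} {payload}  {'; '.join(reasons)}")
```

The heuristics are deliberately conservative: anything that is not http(s) goes to a human, because QR payloads such as WIFI: or mailto: are not web links but can still be abused. The registrable-domain split is the weakest part and is marked as such in the code; a real gateway should use a public-suffix list before judging which labels are "subdomain".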
What can you do?
Just like all other phishing emails, the biggest key is to stop and think before acting. Were you expecting an email with a QR code to scan? Does the email seem legitimate, and is there any reason a legitimate sender would need you to scan a code rather than click a link? If you do scan one, most phone cameras preview the decoded URL before opening it; read the domain before you tap. Never enter work credentials on a page you reached from a QR code in an email. When in doubt, don't scan the code, and report the message to your security team.
Update 12/13/23
Microsoft announced that they have added protections against QR code phishing to Defender for Office 365: https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/protect-your-organizations-against-qr-code-phishing-with/ba-p/4007041.