New Quishing Campaign Shows How Threat Actors Innovate to Bypass Security

What is unique to this campaign is that these messages contained QR codes offering access to a missed voicemail, handily avoiding the URL scan feature for email attachments present in secure email gateways and native security controls
October 26, 2021

Between September 15, 2021, and October 13, 2021, Abnormal identified and blocked almost 200 emails sent to our customers—all of which were part of a phishing campaign attempting to collect Microsoft credentials. That in itself was not necessarily unique, as Microsoft 365 login information is one of the most sought after sets of credentials.

What is unique is that these messages contained QR codes offering access to a missed voicemail, handily avoiding the URL scan feature for email attachments present in secure email gateways and native security controls. All the QR code images were created the same day they were sent, making it unlikely that they have been previously reported and would be recognized by a security blocklist. In total, six unique profiles were used to send messages for the campaign, with most designed to appear related to the same industry as the target.

To run their scheme, the attackers used compromised email accounts, exploiting the victim organization’s legitimate Outlook infrastructure to send the QR codes themselves. Phishing pages at the end of the QR code scans were hosted using an enterprise survey service and connected to Google or Amazon IP addresses.

Evading URL Detection with QR Imagery

An early version of this message was sent in September and used a URL link hidden behind an image of what appears to be an audio file. While this commonplace tactic was somewhat creatively used, unfortunately for the malicious actors, it was ultimately detected and identified as a threat by another security service.

Quishing email with image link disguised as .wav image

Initial test email using link behind “.wav” image.

Realizing that this tactic didn’t work, the actor decided to iterate on it until they found something that did. In the second round of attempts, they replaced the attachment with a QR, or “quick response” code appearing in line with the body of the email. This kind of QR code used in phishing emails is known by the unfortunate name “quishing,” which was in the news in July 2021, when the Better Business Bureau released a scam alert warning consumers about QR codes.

Quishing email with a QR code

Example of phishing email using a QR code.

While the attack itself may get through security measures due to its uniqueness, it remains somewhat unclear how the attacker expected the target to fall victim to the scheme, given that QR codes cannot be clicked like a link or opened like an attachment.

Our best guess on how this would play out is that the victim would:

  1. Open the email on their computer.

  2. Use their phone to scan the QR code with their phone camera, opening the phone’s internet browser and directing them to the phishing page.

  3. Enter their Microsoft credentials in the phishing page.

The problem here lies somewhat with the design. Were the actions on each device switched around, with the victim first opening the phishing email on their phone, how would they scan the QR code? Does this actor expect them to go back and open it on their computer? Or send the email to the printer? Use another phone? At what point does the victim begin to suspect a scam?

Sending Emails and Hosting Phishing Pages

This campaign stands out as it used compromised infrastructure to send phishing emails, and an enterprise survey service along with Amazon and Google services to host the phishing pages. From the start, this specific attacker has exploited a legitimate Outlook account to bypass email security controls, coming from a known approved sender IP address and often passing DMARC entirely.

Typically, the email header and sending infrastructure of a phishing email can provide useful information, indicating the specifics of the attacker’s device, details of how the email message was sent, or their IP address, which can be used to determine their geolocation. You may even get lucky enough to identify their real email address in domain registrant records, if they used poor operational security while registering the look-alike spoofed domain. In this case, security is left only with information pointing to the email intrusion victims themselves, and three major service providers to turn to for more information. Good luck with that.

Fake Microsoft credentials phishing page from a QR code

Example of the Microsoft credentials phishing page.

Additionally, although all the emails and phishing pages are in English, the actor uses a German language reCAPTCHA at the bottom of their phishing page, below the form. Each phishing page is connected to multiple IP addresses, all of which are located in the United States or Germany and registered to either Amazon or Google. Perhaps the survey service believes the actor to be located in Germany, and therefore provides the reCAPTCHA in the user’s primary language.

Login page with recaptcha from Quishing attack

Voicemail phishing page with German-language reCAPTCHA.

Either way, this could be a stumbling point for targets in the United States, particularly because the rest of the page is written in English.

Detecting the Quishing Attack

The use of the QR code presents a unique challenge to those security platforms that look for known bad, as these emails come from legitimate accounts and contain no links, only seemingly benign images appearing to contain no malicious URLs. It’s only by understanding that the account is compromised—combined with an understanding of the intent of the email—that this new (and fairly innovative) attack type can be detected.

In this case, Abnormal is able to detect the compromised account and thus understand that emails coming from the account might be malicious. When combined with other signs, like unique sender data and suspicious content, it becomes clear that these emails are malicious and must be stopped before they reach their targets.

New Quishing Campaign Shows How Threat Actors Innovate to Bypass Security

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B Earn Your CPE Credits with Abnormal
Earn your continuing education credits with ISC2 by viewing cybersecurity content from Abnormal Security.
Read More
B Seg Lessons
Discover key insights gleaned from replacing 100+ SEGs for Abnormal customers.
Read More
B Europe Attack Data Blog
Discover what our research uncovered about the European threat landscape and attack trends for organizations in the region.
Read More
Abnormal aims to provide superior detection of email attacks while also directly and indirectly influencing the security awareness of your employees.
Read More
B 6 3 24 BEC Attacks
Discover how cybercriminals obtain corporate data from brokers like ZoomInfo and Apollo to enable targeted business email compromise (BEC) attacks.
Read More
B Addressing Account Takeovers Blog
Discover how security leaders are protecting their organizations against account takeover with insights from our survey of 300 cybersecurity stakeholders.
Read More