New Quishing Campaign Shows How Threat Actors Innovate to Bypass Security

October 26, 2021

Between September 15, 2021, and October 13, 2021, Abnormal identified and blocked almost 200 emails sent to our customers—all of which were part of a phishing campaign attempting to collect Microsoft credentials. That in itself was not necessarily unique, as Microsoft 365 login information is one of the most sought after sets of credentials.

What is unique is that these messages contained QR codes offering access to a missed voicemail, handily avoiding the URL scan feature for email attachments present in secure email gateways and native security controls. All the QR code images were created the same day they were sent, making it unlikely that they have been previously reported and would be recognized by a security blocklist. In total, six unique profiles were used to send messages for the campaign, with most designed to appear related to the same industry as the target.

To run their scheme, the attackers used compromised email accounts, exploiting the victim organization’s legitimate Outlook infrastructure to send the QR codes themselves. Phishing pages at the end of the QR code scans were hosted using an enterprise survey service and connected to Google or Amazon IP addresses.

Evading URL Detection with QR Imagery

An early version of this message was sent in September and used a URL link hidden behind an image of what appears to be an audio file. While this commonplace tactic was somewhat creatively used, unfortunately for the malicious actors, it was ultimately detected and identified as a threat by another security service.

Quishing email with image link disguised as .wav image

Initial test email using link behind “.wav” image.

Realizing that this tactic didn’t work, the actor decided to iterate on it until they found something that did. In the second round of attempts, they replaced the attachment with a QR, or “quick response” code appearing in line with the body of the email. This kind of QR code used in phishing emails is known by the unfortunate name “quishing,” which was in the news in July 2021, when the Better Business Bureau released a scam alert warning consumers about QR codes.

Quishing email with a QR code

Example of phishing email using a QR code.

While the attack itself may get through security measures due to its uniqueness, it remains somewhat unclear how the attacker expected the target to fall victim to the scheme, given that QR codes cannot be clicked like a link or opened like an attachment.

Our best guess on how this would play out is that the victim would:

  1. Open the email on their computer.

  2. Use their phone to scan the QR code with their phone camera, opening the phone’s internet browser and directing them to the phishing page.

  3. Enter their Microsoft credentials in the phishing page.

The problem here lies somewhat with the design. Were the actions on each device switched around, with the victim first opening the phishing email on their phone, how would they scan the QR code? Does this actor expect them to go back and open it on their computer? Or send the email to the printer? Use another phone? At what point does the victim begin to suspect a scam?

Sending Emails and Hosting Phishing Pages

This campaign stands out as it used compromised infrastructure to send phishing emails, and an enterprise survey service along with Amazon and Google services to host the phishing pages. From the start, this specific attacker has exploited a legitimate Outlook account to bypass email security controls, coming from a known approved sender IP address and often passing DMARC entirely.

Typically, the email header and sending infrastructure of a phishing email can provide useful information, indicating the specifics of the attacker’s device, details of how the email message was sent, or their IP address, which can be used to determine their geolocation. You may even get lucky enough to identify their real email address in domain registrant records, if they used poor operational security while registering the look-alike spoofed domain. In this case, security is left only with information pointing to the email intrusion victims themselves, and three major service providers to turn to for more information. Good luck with that.

Fake Microsoft credentials phishing page from a QR code

Example of the Microsoft credentials phishing page.

Additionally, although all the emails and phishing pages are in English, the actor uses a German language reCAPTCHA at the bottom of their phishing page, below the form. Each phishing page is connected to multiple IP addresses, all of which are located in the United States or Germany and registered to either Amazon or Google. Perhaps the survey service believes the actor to be located in Germany, and therefore provides the reCAPTCHA in the user’s primary language.

Login page with recaptcha from Quishing attack

Voicemail phishing page with German-language reCAPTCHA.

Either way, this could be a stumbling point for targets in the United States, particularly because the rest of the page is written in English.

Detecting the Quishing Attack

The use of the QR code presents a unique challenge to those security platforms that look for known bad, as these emails come from legitimate accounts and contain no links, only seemingly benign images appearing to contain no malicious URLs. It’s only by understanding that the account is compromised—combined with an understanding of the intent of the email—that this new (and fairly innovative) attack type can be detected.

In this case, Abnormal is able to detect the compromised account and thus understand that emails coming from the account might be malicious. When combined with other signs, like unique sender data and suspicious content, it becomes clear that these emails are malicious and must be stopped before they reach their targets.

Image

Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

0
Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 10 3 22 Cobalt Terrapin Blog
Threat group Cobalt Terrapin uses sophisticated impersonation techniques with multiple steps to commit invoice fraud.
Read More
B 09 29 22 CISO Cybersecurity Awareness Month
October is here, which means Cybersecurity Awareness Month is officially in full swing! These five tips can help security leaders take full advantage of the month.
Read More
B Email Security Challenges Blog 09 26 22
Understanding common email security challenges caused by your legacy technology will help you determine the best solution to improve your security posture.
Read More
B 5 Crucial Tips
Retailers are a popular target for threat actors due to their wealth of customer data and availability of funds. Here are 5 cybersecurity tips to help retailers reduce their risk of attack.
Read More
B 3 Essential Elements
Legacy approaches to managing unwanted mail are neither practical nor scalable. Learn the 3 essential elements of modern, effective graymail management.
Read More
B Back to School
Discover how threat group Chiffon Herring leverages impersonation and spoofed email addresses to divert paychecks to mule accounts.
Read More
B 09 06 22 Rearchitecting a System Blog
We recently shared a look at how the Abnormal engineering team overhauled our Unwanted Mail service architecture to accommodate our rapid growth. Today, we’re diving into how the team migrated traffic to the new architecture—with zero downtime.
Read More
B Industry Leading CIS Os
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 12 innovative and influential thought leaders on social media.
Read More
B Podcast Engineering 11 08 24 22
In episode 11 of Abnormal Engineering Stories, David Hagar, Director of Engineering and Abnormal Head of UK Engineering, continues his conversation with Zehan Wang, co-founder of Magic Pony.
Read More