New Quishing Campaign Shows How Threat Actors Innovate to Bypass Security

October 26, 2021

Between September 15, 2021, and October 13, 2021, Abnormal identified and blocked almost 200 emails sent to our customers, all of which were part of a phishing campaign attempting to collect Microsoft credentials. That in itself was not necessarily unique, as Microsoft 365 login information is one of the most sought-after sets of credentials.

What is unique is that these messages contained QR codes offering access to a missed voicemail, handily avoiding the URL scan feature for email attachments present in secure email gateways and native security controls. All the QR code images were created the same day they were sent, making it unlikely that they had been previously reported or would be recognized by a security blocklist. In total, six unique profiles were used to send messages for the campaign, with most designed to appear related to the same industry as the target.

To run their scheme, the attackers used compromised email accounts, exploiting the victim organization’s legitimate Outlook infrastructure to send the QR codes themselves. Phishing pages at the end of the QR code scans were hosted using an enterprise survey service and connected to Google or Amazon IP addresses.

Evading URL Detection with QR Imagery

An early version of this message was sent in September and used a URL link hidden behind an image of what appears to be an audio file. While this commonplace tactic was somewhat creatively used, unfortunately for the malicious actors, it was ultimately detected and identified as a threat by another security service.

Initial test email using link behind “.wav” image.

Realizing that this tactic didn’t work, the actor decided to iterate on it until they found something that did. In the second round of attempts, they replaced the attachment with a QR, or “quick response,” code appearing inline in the body of the email. This kind of QR code phishing is known by the unfortunate name “quishing,” which was in the news in July 2021, when the Better Business Bureau released a scam alert warning consumers about QR codes.

Example of phishing email using a QR code.

While the attack itself may get through security measures due to its uniqueness, it remains somewhat unclear how the attacker expected the target to fall victim to the scheme, given that QR codes cannot be clicked like a link or opened like an attachment.

Our best guess on how this would play out is that the victim would:

  1. Open the email on their computer.

  2. Scan the QR code with their phone camera, opening the phone’s internet browser and directing them to the phishing page.

  3. Enter their Microsoft credentials in the phishing page.

The problem here lies somewhat with the design. Were the actions on each device switched around, with the victim first opening the phishing email on their phone, how would they scan the QR code? Does this actor expect them to go back and open it on their computer? Or send the email to the printer? Use another phone? At what point does the victim begin to suspect a scam?

Sending Emails and Hosting Phishing Pages

This campaign stands out because it used compromised infrastructure to send phishing emails, and an enterprise survey service along with Amazon and Google services to host the phishing pages. From the start, this specific attacker has exploited a legitimate Outlook account to bypass email security controls, so the messages come from a known, approved sender IP address and often pass DMARC entirely.

Typically, the email header and sending infrastructure of a phishing email can provide useful information, indicating the specifics of the attacker’s device, details of how the email message was sent, or their IP address, which can be used to determine their geolocation. You may even get lucky enough to identify their real email address in domain registrant records, if they used poor operational security while registering the look-alike spoofed domain. In this case, security is left only with information pointing to the email intrusion victims themselves, and three major service providers to turn to for more information. Good luck with that.

Example of the Microsoft credentials phishing page.

Additionally, although all the emails and phishing pages are in English, the actor uses a German language reCAPTCHA at the bottom of their phishing page, below the form. Each phishing page is connected to multiple IP addresses, all of which are located in the United States or Germany and registered to either Amazon or Google. Perhaps the survey service believes the actor to be located in Germany, and therefore provides the reCAPTCHA in the user’s primary language.

Voicemail phishing page with German-language reCAPTCHA.

Either way, this could be a stumbling point for targets in the United States, particularly because the rest of the page is written in English.

Detecting the Quishing Attack

The use of the QR code presents a unique challenge to those security platforms that look for known bad, as these emails come from legitimate accounts and contain no links, only seemingly benign images appearing to contain no malicious URLs. It’s only by understanding that the account is compromised—combined with an understanding of the intent of the email—that this new (and fairly innovative) attack type can be detected.

In this case, Abnormal is able to detect the compromised account and thus understand that emails coming from the account might be malicious. When combined with other signs, like unique sender data and suspicious content, it becomes clear that these emails are malicious and must be stopped before they reach their targets.
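The signals described in this section can be combined in a simple triage pass. The sketch below is an added example, not Abnormal's detection logic; the sample message, addresses, regexes and the `sender_flagged_compromised` input are constructed assumptions.

```python
import re
from email import message_from_string, policy

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"\b(voice\s?mail|voice message|missed call)\b", re.I)

# Constructed sample: an HTML body with no links and one inline image.
SAMPLE = """\
From: colleague@example.com
To: user@example.org
Subject: You have a missed voicemail
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Scan the code below to listen to your voice message.</p><img src="cid:qr1">
--b1
Content-Type: image/png
Content-ID: <qr1>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

def triage(raw_eml, sender_flagged_compromised=False):
    """Return (score, reasons); one point per independent signal."""
    msg = message_from_string(raw_eml, policy=policy.default)
    text, images = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1          # candidates to hand to a QR decoder
        elif ctype in ("text/plain", "text/html"):
            text.append(part.get_content())
    body = (msg["Subject"] or "") + "\n" + "\n".join(text)
    reasons = []
    if images and not URL_RE.search(body):
        reasons.append("image-only: nothing for a URL scanner to check")
    if LURE_RE.search(body):
        reasons.append("voicemail lure wording")
    if sender_flagged_compromised:   # assumed to come from account monitoring
        reasons.append("sender account flagged as compromised")
    return len(reasons), reasons

if __name__ == "__main__":
    print(triage(SAMPLE, sender_flagged_compromised=True))
```

No single signal is conclusive here; the score only rises when the image-only structure, the lure wording and the account state agree.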
