chat
expand_more

New Quishing Campaign Shows How Threat Actors Innovate to Bypass Security

What is unique to this campaign is that these messages contained QR codes offering access to a missed voicemail, handily avoiding the URL scan feature for email attachments present in secure email gateways and native security controls
October 26, 2021

Between September 15, 2021, and October 13, 2021, Abnormal identified and blocked almost 200 emails sent to our customers—all of which were part of a phishing campaign attempting to collect Microsoft credentials. That in itself was not necessarily unique, as Microsoft 365 login information is one of the most sought after sets of credentials.

What is unique is that these messages contained QR codes offering access to a missed voicemail, handily avoiding the URL scan feature for email attachments present in secure email gateways and native security controls. All the QR code images were created the same day they were sent, making it unlikely that they have been previously reported and would be recognized by a security blocklist. In total, six unique profiles were used to send messages for the campaign, with most designed to appear related to the same industry as the target.

To run their scheme, the attackers used compromised email accounts, exploiting the victim organization’s legitimate Outlook infrastructure to send the QR codes themselves. Phishing pages at the end of the QR code scans were hosted using an enterprise survey service and connected to Google or Amazon IP addresses.

Evading URL Detection with QR Imagery

An early version of this message was sent in September and used a URL link hidden behind an image of what appears to be an audio file. While this commonplace tactic was somewhat creatively used, unfortunately for the malicious actors, it was ultimately detected and identified as a threat by another security service.

Quishing email with image link disguised as .wav image

Initial test email using link behind “.wav” image.

Realizing that this tactic didn’t work, the actor decided to iterate on it until they found something that did. In the second round of attempts, they replaced the attachment with a QR, or “quick response” code appearing in line with the body of the email. This kind of QR code used in phishing emails is known by the unfortunate name “quishing,” which was in the news in July 2021, when the Better Business Bureau released a scam alert warning consumers about QR codes.

Quishing email with a QR code

Example of phishing email using a QR code.

While the attack itself may get through security measures due to its uniqueness, it remains somewhat unclear how the attacker expected the target to fall victim to the scheme, given that QR codes cannot be clicked like a link or opened like an attachment.

Our best guess on how this would play out is that the victim would:

  1. Open the email on their computer.

  2. Use their phone to scan the QR code with their phone camera, opening the phone’s internet browser and directing them to the phishing page.

  3. Enter their Microsoft credentials in the phishing page.

The problem here lies somewhat with the design. Were the actions on each device switched around, with the victim first opening the phishing email on their phone, how would they scan the QR code? Does this actor expect them to go back and open it on their computer? Or send the email to the printer? Use another phone? At what point does the victim begin to suspect a scam?

Sending Emails and Hosting Phishing Pages

This campaign stands out as it used compromised infrastructure to send phishing emails, and an enterprise survey service along with Amazon and Google services to host the phishing pages. From the start, this specific attacker has exploited a legitimate Outlook account to bypass email security controls, coming from a known approved sender IP address and often passing DMARC entirely.

Typically, the email header and sending infrastructure of a phishing email can provide useful information, indicating the specifics of the attacker’s device, details of how the email message was sent, or their IP address, which can be used to determine their geolocation. You may even get lucky enough to identify their real email address in domain registrant records, if they used poor operational security while registering the look-alike spoofed domain. In this case, security is left only with information pointing to the email intrusion victims themselves, and three major service providers to turn to for more information. Good luck with that.

Fake Microsoft credentials phishing page from a QR code

Example of the Microsoft credentials phishing page.

Additionally, although all the emails and phishing pages are in English, the actor uses a German language reCAPTCHA at the bottom of their phishing page, below the form. Each phishing page is connected to multiple IP addresses, all of which are located in the United States or Germany and registered to either Amazon or Google. Perhaps the survey service believes the actor to be located in Germany, and therefore provides the reCAPTCHA in the user’s primary language.

Login page with recaptcha from Quishing attack

Voicemail phishing page with German-language reCAPTCHA.

Either way, this could be a stumbling point for targets in the United States, particularly because the rest of the page is written in English.

Detecting the Quishing Attack

The use of the QR code presents a unique challenge to those security platforms that look for known bad, as these emails come from legitimate accounts and contain no links, only seemingly benign images appearing to contain no malicious URLs. It’s only by understanding that the account is compromised—combined with an understanding of the intent of the email—that this new (and fairly innovative) attack type can be detected.

In this case, Abnormal is able to detect the compromised account and thus understand that emails coming from the account might be malicious. When combined with other signs, like unique sender data and suspicious content, it becomes clear that these emails are malicious and must be stopped before they reach their targets.

New Quishing Campaign Shows How Threat Actors Innovate to Bypass Security

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B E Rate
Discover how AI-powered email protection ensures a secure digital learning environment.
Read More
B Healthcare Industry Attack Trends Blog
Targeted attacks on the healthcare industry are on the rise. Explore the latest threat trends and learn how to protect your organization.
Read More
B URL
Explore how attackers exploit rewritten URLs to gain unauthorized access, highlighting traditional security vulnerabilities and the need for modern tools.
Read More
B SOC Experts
Explore insights from SOC leaders on the evolving landscape of social engineering threats, highlighting human vulnerabilities and strategies to enhance cybersecurity.
Read More
B Cybersecurity Awareness Month Engage Educate Empower
Happy Cybersecurity Awareness Month! Make sure your workforce is prepared to combat emerging threats with these 5 tips.
Read More
B Top Mortgage Lender Replaces Proofpoint with Abnormal
Discover how a leading mortgage lender saved money and stopped more attacks by replacing its Proofpoint SEG with Abnormal’s API-based behavioral AI solution.
Read More