New Quishing Campaign Shows How Threat Actors Innovate to Bypass Security

Between September 15, 2021, and October 13, 2021, Abnormal identified and blocked almost 200 emails sent to our customers—all of which were part of a phishing campaign attempting to collect Microsoft credentials. That in itself was not necessarily unique, as Microsoft 365 login information is one of the most sought after sets of credentials.

What is unique is that these messages contained QR codes offering access to a missed voicemail, handily avoiding the URL scan feature for email attachments present in secure email gateways and native security controls. All the QR code images were created the same day they were sent, making it unlikely that they have been previously reported and would be recognized by a security blocklist. In total, six unique profiles were used to send messages for the campaign, with most designed to appear related to the same industry as the target.

To run their scheme, the attackers used compromised email accounts, exploiting the victim organization’s legitimate Outlook infrastructure to send the QR codes themselves. Phishing pages at the end of the QR code scans were hosted using an enterprise survey service and connected to Google or Amazon IP addresses.

An early version of this message was sent in September and used a URL link hidden behind an image of what appears to be an audio file. While this commonplace tactic was somewhat creatively used, unfortunately for the malicious actors, it was ultimately detected and identified as a threat by another security service.

Realizing that this tactic didn’t work, the actor decided to iterate on it until they found something that did. In the second round of attempts, they replaced the attachment with a QR, or “quick response” code appearing in line with the body of the email. This kind of QR code used in phishing emails is known by the unfortunate name “quishing,” which was in the news in July 2021, when the Better Business Bureau released a scam alert warning consumers about QR codes.

While the attack itself may get through security measures due to its uniqueness, it remains somewhat unclear how the attacker expected the target to fall victim to the scheme, given that QR codes cannot be clicked like a link or opened like an attachment.

Our best guess on how this would play out is that the victim would:

1. Open the email on their computer.

2. Use their phone to scan the QR code with their phone camera, opening the phone’s internet browser and directing them to the phishing page.

3. Enter their Microsoft credentials in the phishing page.

The problem here lies somewhat with the design. Were the actions on each device switched around, with the victim first opening the phishing email on their phone, how would they scan the QR code? Does this actor expect them to go back and open it on their computer? Or send the email to the printer? Use another phone? At what point does the victim begin to suspect a scam?

This campaign stands out as it used compromised infrastructure to send phishing emails, and an enterprise survey service along with Amazon and Google services to host the phishing pages. From the start, this specific attacker has exploited a legitimate Outlook account to bypass email security controls, coming from a known approved sender IP address and often passing DMARC entirely.

Typically, the email header and sending infrastructure of a phishing email can provide useful information, indicating the specifics of the attacker’s device, details of how the email message was sent, or their IP address, which can be used to determine their geolocation. You may even get lucky enough to identify their real email address in domain registrant records, if they used poor operational security while registering the look-alike spoofed domain. In this case, security is left only with information pointing to the email intrusion victims themselves, and three major service providers to turn to for more information. Good luck with that.

Additionally, although all the emails and phishing pages are in English, the actor uses a German language reCAPTCHA at the bottom of their phishing page, below the form. Each phishing page is connected to multiple IP addresses, all of which are located in the United States or Germany and registered to either Amazon or Google. Perhaps the survey service believes the actor to be located in Germany, and therefore provides the reCAPTCHA in the user’s primary language.

Either way, this could be a stumbling point for targets in the United States, particularly because the rest of the page is written in English.

The use of the QR code presents a unique challenge to those security platforms that look for known bad, as these emails come from legitimate accounts and contain no links, only seemingly benign images appearing to contain no malicious URLs. It’s only by understanding that the account is compromised—combined with an understanding of the intent of the email—that this new (and fairly innovative) attack type can be detected.

In this case, Abnormal is able to detect the compromised account and thus understand that emails coming from the account might be malicious. When combined with other signs, like unique sender data and suspicious content, it becomes clear that these emails are malicious and must be stopped before they reach their targets.