
QR Code Phishing Attacks: New Abnormal Capabilities Launched to Protect Customers From Quishing

Discover the risk of these image-based QR attacks and how Abnormal’s AI-native detection system protects you.
October 30, 2023

QR codes have become increasingly popular, especially in the post-COVID-19 era as they have been used to foster connections. These codes provide convenient, contactless, and efficient ways to stay in touch and share information—for everything from marketing campaigns to restaurant menus.

Unfortunately, bad actors have exploited this new familiarity to compromise users. According to Abnormal data, 17% of all attacks that bypass native spam/junk filters use QR codes. This is especially concerning because QR code attacks can be difficult to detect due to their limited text content and heavy reliance on image attachments. This significantly reduces the number of signals that email security solutions can extract and analyze to catch an attack. To combat this threat, we are excited to announce the release of enhanced QR code detection capabilities.

How Bad Actors Exploit QR Codes to Execute Quishing Attacks

Attackers are increasingly crafting emails that contain an image attachment of a malicious QR code. These malicious QR codes often link to what appears to be a legitimate website, such as Google or Microsoft login pages, and prompt recipients to enter their login credentials. If entered, attackers can steal those credentials and use them to compromise additional services or launch additional attacks. According to internal data sources, credential phishing accounts for about 89% of all QR code-based attacks, with invoice fraud and extortion rounding out the top three attack types.

Real-World Quishing Attack Stopped by Abnormal

Let’s take a look at a real-world credential phishing attack that was stopped by Abnormal. In this attack, the threat actor crafted a phishing email prompting the recipient to scan a malicious QR code to reset the multi-factor authentication for their Microsoft account.

The QR code links to a malicious page posing as a legitimate Microsoft login page and encourages the recipient to log in to their account. If the recipient were to enter their login credentials, the attacker would be able to steal the credentials and compromise the account.

Abnormal detected this attack by analyzing behavioral signals and parsing the QR code. With its behavioral signals, Abnormal identified that this email was coming from an unusual sender and domain. With the QR code detector, Abnormal identified that the email contained a QR code with a suspicious link. The additional signals extracted from parsing the QR codes, combined with the behavioral analysis, put Abnormal Security in the best position to detect these attacks.


The Abnormal Approach to Stopping QR Code Phishing Attacks

QR codes can replace links previously used in many types of link-based phishing attacks. Any solution that relies purely on the reputation of the domains in the emails cannot effectively detect these attacks without processing every image in every email, which would very quickly result in scaling issues.

A key distinction of Abnormal’s AI-native detection engine is its ability to utilize behavioral signals to detect anomalies seen in sender-related attributes, receiver-based attributes, and attachment or link-based signals. With this approach, Abnormal is able to detect thousands of QR code attacks per week without specifically detecting and parsing QR codes, including this quishing campaign detected in late 2021. However, we understand the severity of QR code attacks and are committed to improving detection, which is why we are excited to announce that Abnormal has updated its defense strategies and added the capability to detect QR codes and parse links from them in attachments. This applies to images as well as PDF attachments. The signals extracted from QR codes will be ingested by the detection engine, which strengthens its ability to detect malicious activity.

The combination of behavioral AI detection, with the ability to further process images to detect QR codes and parse the corresponding information, provides a powerfully complete solution to combat the rise of QR code phishing attacks.
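The sketch below is an added illustration of the idea described in this section, not Abnormal's implementation: behavioral signals (unusual sender domain, sparse text alongside an image or PDF) decide whether attachments are decoded at all, and the decoded QR link then contributes further signals. The domain lists, the 40-word threshold, and the caller-supplied `decode_qr` function (which must also handle PDF rendering) are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

KNOWN_SENDER_DOMAINS = {"corp.example"}   # assumption: the recipient's usual senders
BRANDS = {"microsoft": {"microsoft.com", "microsoftonline.com"},
          "google": {"google.com"}}       # brands the article names as impersonated

def base_domain(host):
    # Simplification: last two labels; production code would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw, decode_qr):
    """decode_qr(bytes) -> list[str] is a caller-supplied QR decoder (assumed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    body = msg.get_body(preferencelist=("plain",))
    words = len(body.get_content().split()) if body else 0
    carriers = [p for p in msg.walk() if p.get_content_maintype() == "image"
                or p.get_content_type() == "application/pdf"]
    signals = []
    if base_domain(sender_domain) not in KNOWN_SENDER_DOMAINS:
        signals.append("unusual_sender_domain")
    if carriers and words < 40:
        signals.append("sparse_text_with_attachment")
    urls = []
    if signals:  # pay the decoding cost only when a behavioral signal has fired
        for part in carriers:
            urls += [u for u in decode_qr(part.get_payload(decode=True))
                     if u.lower().startswith(("http://", "https://"))]
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        signals.append("qr_url_found")
        if any(b in host and base_domain(host) not in ok for b, ok in BRANDS.items()):
            signals.append("qr_brand_lookalike")
    return {"suspicious": "qr_brand_lookalike" in signals,
            "signals": signals, "qr_urls": urls}

def sample_message(sender, text):
    # Constructed sample; the attachment bytes stand in for a real QR image.
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", "MFA reset"
    m.set_content(text)
    m.add_attachment(b"constructed-qr-image", maintype="image",
                     subtype="png", filename="qr.png")
    return m.as_bytes()

if __name__ == "__main__":
    stub = lambda data: ["https://login.microsoft.mfa-reset.example/reset"]
    print(triage(sample_message("IT <it@mfa-reset.example>", "Scan to reset MFA."), stub))
```

A QR code from a known sender that points to an ordinary link is decoded but not flagged, which matches the article's point that many QR-bearing emails are legitimate.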

Why doesn’t Abnormal block all emails containing QR codes?

With QR code phishing attacks increasing in frequency, organizations may be tempted to seek solutions that block all emails containing QR codes. However, this isn’t an effective solution for a variety of reasons:

  • Legitimate Usage: QR codes are deployed legitimately for easy access to information sharing. Blocking them unilaterally could lead to critical false positives, causing a disruption in business for users. Our data indicates that >50% of images with QR codes can be safe or legitimate business emails.

  • Ineffective: Cyber threats are always evolving. Attackers can apply techniques like obfuscation and embedding QR codes within images to bypass a block filter.

  • It’s Not That Easy: Scanning every email to identify and block all QR codes would consume significant amounts of processing and could cause delays in remediation. The combination of behavioral AI with the ability to parse QR codes ensures high detection efficacy without sacrificing the time to remediate.

The Future of Quishing and How You’re Still Protected

As QR codes become increasingly commoditized, threat actors will continue to use them as a tool in their phishing campaigns. Today, attackers use malicious QR codes to impersonate legitimate QR codes that are often part of the process when adopting multi-factor authentication, as seen in the real-world attack above. Tomorrow, attackers might imitate legitimate QR codes used in file sharing, invoice payment, or marketing emails to gain further access to an organization’s sensitive data and finances. To prevent these advanced attacks, Abnormal will continue to invest resources to strengthen its detection engine, which now analyzes tens of thousands of signals provided by its behavioral AI and QR code parsing to identify quishing attacks.

Interested in seeing the Abnormal solution to the email security problem? Schedule a demo today.
