QR Code Phishing Attacks: New Abnormal Capabilities Launched to Protect Customers From Quishing

Discover the risk of these image-based QR attacks and how Abnormal’s AI-native detection system protects you.
October 30, 2023

QR codes have become increasingly popular, especially in the post-COVID-19 era as they have been used to foster connections. These codes provide convenient, contactless, and efficient ways to stay in touch and share information—for everything from marketing campaigns to restaurant menus.

Unfortunately, bad actors have exploited this new familiarity to compromise users. According to Abnormal data, 17% of all attacks that bypass native spam/junk filters use QR codes. This is especially concerning because QR code attacks can be difficult to detect due to their limited text content and heavy reliance on image attachments. This significantly reduces the number of signals that email security solutions can detect and extract in order to catch an attack. To combat this threat, we are excited to announce the release of enhanced QR code detection capabilities.

How Bad Actors Exploit QR Codes to Execute Quishing Attacks

Attackers are increasingly crafting emails that contain an image attachment of a malicious QR code. These malicious QR codes often link to what appears to be a legitimate website, such as Google or Microsoft login pages, and prompt recipients to enter their login credentials. If entered, attackers can steal those credentials and use them to compromise additional services or launch additional attacks. According to internal data sources, credential phishing accounts for about 89% of all QR code-based attacks, with invoice fraud and extortion rounding out the top three attack types.

Real-World Quishing Attack Stopped by Abnormal

Let’s take a look at a real-world credential phishing attack that was stopped by Abnormal. In this attack, the threat actor crafted a phishing email prompting the recipient to scan a malicious QR code to reset the multi-factor authentication for their Microsoft account.

The QR code links to a malicious page posing as a legitimate Microsoft login page and encourages the recipient to log in to their account. If the recipient were to enter their login credentials, the attacker would be able to steal the credentials and compromise the account.

Abnormal detected this attack by analyzing behavioral signals and parsing the QR code. With its behavioral signals, Abnormal identified that this email was coming from an unusual sender and domain. With the QR code detector, Abnormal identified that the email contained a QR code with a suspicious link. The additional signals extracted from parsing the QR codes, combined with the behavioral analysis, put Abnormal Security in the best position to detect these attacks.

The Abnormal Approach to Stopping QR Code Phishing Attacks

QR codes can replace links previously used in many types of link-based phishing attacks. Any solution that relies purely on the reputation of the domains in the emails cannot effectively detect these attacks without processing every image in every email, which would very quickly result in scaling issues.

A key distinction of Abnormal’s AI-native detection engine is its ability to utilize behavioral signals to detect anomalies seen in sender-related attributes, receiver-based attributes, and attachment or link-based signals. With this approach, Abnormal is able to detect thousands of QR code attacks per week without specifically detecting and parsing QR codes, including this quishing campaign detected in late 2021. However, we understand the severity of QR code attacks and are committed to improving detection, which is why we are excited to announce that Abnormal has updated its defense strategies and added the capability to detect QR codes and parse links from them in attachments. This applies to images as well as PDF attachments. The signals extracted from QR codes will be ingested by the detection engine, which strengthens its ability to detect malicious activity.

The combination of behavioral AI detection, with the ability to further process images to detect QR codes and parse the corresponding information, provides a powerfully complete solution to combat the rise of QR code phishing attacks.

Why doesn’t Abnormal block all emails containing QR codes?

With QR code phishing attacks increasing in frequency, organizations may be tempted to seek solutions that block all emails containing QR codes. However, this isn’t an effective solution for a variety of reasons:

  • Legitimate Usage: QR codes are deployed legitimately for easy access to information sharing. Blocking them unilaterally could lead to critical false positives, causing a disruption in business for users. Our data indicates that >50% of images with QR codes can be safe or legitimate business emails.

  • Ineffective: Cyber threats are always evolving. Attackers can apply techniques like obfuscation and embedding QR codes within images to bypass a block filter.

  • It’s Not That Easy: Scanning every email to identify and block all QR codes would consume significant amounts of processing and could cause delays in remediation. The combination of behavioral AI with the ability to parse QR codes ensures high detection efficacy without sacrificing the time to remediate.
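The scaling argument above (cheap behavioral signals first, QR parsing only where warranted) can be sketched as a pre-filter that decides which messages reach an image decoder. This is an added example, not Abnormal's implementation: the function names, the 200-character threshold, the two signals chosen and the sample messages are all assumptions, and the QR decoding step itself is left to a downstream decoder.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SPARSE_TEXT_CHARS = 200                      # assumed threshold, not from the article
SCAN_TYPES = ("image/", "application/pdf")   # attachment types the article names

def qr_scan_decision(raw: bytes, known_domains: set) -> dict:
    """Use cheap message signals to decide whether attachments go to a QR decoder."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    text_len, candidates = 0, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith(SCAN_TYPES):
            candidates.append(part.get_filename() or ctype)
        elif ctype == "text/plain" and not part.is_attachment():
            text_len += len(part.get_content().strip())
    signals = {
        "unusual_sender": sender_domain not in known_domains,
        "sparse_text": text_len < SPARSE_TEXT_CHARS,
    }
    # Decode only when there is something to decode and a cheap signal is raised.
    scan = bool(candidates) and any(signals.values())
    return {"scan": scan, "candidates": candidates, **signals}

def build_sample(sender: str, body: str, attachment=None) -> bytes:
    """Constructed sample message; attachment is (maintype, subtype, filename)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", "Notice"
    m.set_content(body)
    if attachment:
        maintype, subtype, name = attachment
        m.add_attachment(b"\x00placeholder-bytes", maintype=maintype,
                         subtype=subtype, filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    known = {"partner.example"}              # constructed sender history
    report = "\n".join(["Quarterly figures are attached for review."] * 8)
    samples = {
        "mfa-reset lure": build_sample("IT <reset@mfa-reset.example>",
                                       "Scan to re-enable MFA.", ("image", "png", "qr.png")),
        "known sender": build_sample("ops@partner.example", report,
                                     ("application", "pdf", "q3.pdf")),
    }
    for name, raw in samples.items():
        print(name, qr_scan_decision(raw, known))
```

The gate only selects what to decode; a message that passes it still needs the decoded link evaluated before any verdict, since more than half of QR images are legitimate by the article's own figure.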

The Future of Quishing and How You’re Still Protected

As QR codes become increasingly commoditized, threat actors will continue to use them as a tool in their phishing campaigns. Today, attackers use malicious QR codes to impersonate legitimate QR codes that are often part of the process when adopting multi-factor authentication, as seen in the real-world attack above. Tomorrow, attackers might imitate legitimate QR codes used in file sharing, invoice payment, or marketing emails to gain further access to an organization’s sensitive data and finances. To prevent these advanced attacks, Abnormal will continue to invest resources to strengthen its detection engine, which now analyzes tens of thousands of signals provided by its behavioral AI and QR code parsing to identify quishing attacks.
