A novel phishing ploy — combining QR codes, expired Bing URL redirect links and spoofed Microsoft security emails — has researchers warning a massive campaign is likely in the works. Researchers say a large U.S. energy company has already been targeted in a test run for a wider upcoming Microsoft credential-stealing campaign.
The use of QR (quick response) codes by scammers is not new. They can be an effective way to trick mobile phone users into visiting malicious websites where they may unwittingly pass on credentials and personal information, or have funds stolen. The FBI even issued a warning about malicious QR codes last year.
In a blog post on Wednesday, Nathaniel Raymond, a cyber threat intelligence researcher with Cofense said his team is tracking an escalation of new QR code-based phishing campaigns over the past months as threat actors behind the attack hone their techniques.
Researchers had observed more than 1,000 emails containing malicious QR codes sent since the campaign began in May. The threat actors’ aim was to steal the Microsoft credentials of users from a wide range of industries, although a large, unnamed U.S.-based energy company had been the most prominent target, accounting for about 29% of the attacks.
“Most of the phishing emails contain PNG image attachments delivering Microsoft credential phishing links or phishing redirects via an embedded QR code, with the majority of them being Bing redirect URLs,” Raymond said in the post.
“Email lures came in the form of updating account security surrounding 2FA, MFA, and general account security,” he said.
Redirect URLs are generally used for marketing purposes and contain a “marketing string” used to track users’ search engine activity. In the case of this campaign, the URLs also contained a Base64 encoded phishing link plus the victim’s email address.
“This tactic of encoding phishing links in redirects and sending the victim’s email with it is not new,” Raymond wrote.
“What is important to note is that aside from hiding in QR codes, threat [actors] are abusing a trusted domain (bing.com) to carry [out] attacks. Abusing trusted domains, using obfuscation tactics, coupled with hiding the URLs inside QR codes embedded into a PNG or PDF attachment, helps ensure that emails bypass security and make it into inboxes.”
Other “trusted domains” Cofense observed the attackers using included krxd[.]com, which is associated with Salesforce’s SaaS solution, and cf-ipfs[.]com, used for Cloudflare’s Web3 services.
“Cofense has not historically seen large malicious campaign(s) utilizing QR codes. This may indicate that malicious actors are testing the efficacy of QR codes as a viable attack vector,” Raymond said.
The exponential month-on-month growth in the number of phishing emails sent by the threat actors since the campaign began in May appeared to support the researchers’ thesis.
While the major focus of the campaign had been the energy sector, and one large energy company in particular, the threat actors had also targeted other industries, most notably manufacturing, insurance, technology, and financial services.
There had been a large spike in emails sent in the second half of June, mainly targeting the large energy company, with activity ramping up again a month later, this time targeting the energy sector more broadly, plus other industries.
It remained to be seen, however, if the threat actor was seeing sufficient results to continue their campaign.
“Although QR codes are advantageous for getting malicious emails into user’s inbox, they may fall short of being efficient in getting the user to the phish,” Raymond said.
Mobile phones generally displayed a QR code’s target URL and asked the user to verify it before opening the page in a browser. While this offered a layer of protection, threat actors’ use of trusted URL redirects was an attempt to circumvent that protection.
