Some QR Code Attacks Rise by 270% Each Month
Over the past year, QR (Quick Response) code phishing campaigns have surged within the cybersecurity industry. According to Microsoft, some attacks have been growing at a rate of 270% per month.
Be Cautious of QR Codes in PDF Attachments
One reason for the growth is that attackers leverage QR codes in PDF email attachments to spear-phish corporate credentials from mobile devices. This technique is being dubbed quishing (a combination of “QR code” and “phishing”).
A recent example involves a fake email about benefits and retirement plans sent in June 2024 to employees of Sophos, a cybersecurity company. The emails contained PDF attachments which, when opened, displayed a QR code and a message saying the document would expire in 24 hours.
One Sophos employee scanned the code with their phone, allowing the attacker to gather the employee’s credentials and MFA token. The attacker then attempted to use this information to access an internal application by successfully relaying the stolen MFA token in near real-time.
Sophos reports that internal controls over other aspects of the network login process prevented the attacker from gaining access to internal information or assets.
Why QR Code Phishing Is Hard to Spot
Phishing links embedded in QR codes are more likely to evade detection by security filters, and humans are less likely to notice that the URLs are suspicious.
“Also, most people use their phone’s camera to interpret the QR code, rather than a computer,” Sophos explained, “and it can be challenging to carefully scrutinize the URL that momentarily gets shown in the phone’s camera app.”
Since QR codes are typically scanned using a mobile device, the embedded URLs can often bypass traditional security defenses, such as URL blocking on desktop or laptop computers equipped with endpoint protection software. They may also evade firewalls designed to block known malicious web addresses.
How to Identify QR Code Phishing Campaigns
While the tactics, techniques, and procedures (TTPs) vary depending on which bad actor is at work, Microsoft Defender for Office 365 has detected an essential set of patterns in QR code phishing attacks, including but not limited to:
- URL redirection, where a click or tap takes you not to the place you intended to visit but to a forwarded URL
- Minimal to no text, which reduces the signals available for analysis and machine learning detection
- Exploiting a known or trusted brand, using their familiarity and reputation to increase the likelihood of interaction
- Exploiting known email channels that trusted, legitimate senders use
- Various social lures that include multifactor authentication, document signing, and more
- Embedding QR codes in attachments
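As an added illustration (not Microsoft Defender's detection logic and not code from the original article), the Python sketch below checks one message for several of the patterns above: minimal text, a social lure, a QR code in an attachment, and URL redirection. The keyword list, word threshold, function names and sample message are assumptions, and decoding the QR image is assumed to be done by a separate tool.

```python
# Added illustration: heuristic triage for the quishing patterns listed above.
# Keywords, threshold, names and the sample message are assumptions.
from email import message_from_string
from urllib.parse import parse_qsl, urlparse

LURE_TERMS = ("multifactor", "mfa", "document signing", "expire")  # assumed
MIN_BODY_WORDS = 25  # assumed cutoff for "minimal to no text"
ATTACH_TYPES = ("application/pdf", "image/png", "image/jpeg")

# Constructed sample message (not a real email, attachment body is a stub).
SAMPLE = """\
Subject: Benefits plan update, document expires in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached document.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="benefits.pdf"

(constructed placeholder, not a real PDF)
--b1--
"""

def has_nested_url(url):
    """True if a query parameter itself carries a URL (redirect pattern)."""
    return any(value.lower().startswith(("http://", "https://"))
               for _, value in parse_qsl(urlparse(url).query))

def quishing_signals(raw_message, decoded_qr_urls=()):
    """Return the signal names seen; decoded_qr_urls come from a QR decoder."""
    msg = message_from_string(raw_message)
    body, signals, attached = "", set(), False
    for part in msg.walk():
        if part.get_filename() and part.get_content_type() in ATTACH_TYPES:
            attached = True
        elif part.get_content_type() == "text/plain":
            body += part.get_payload()
    if len(body.split()) < MIN_BODY_WORDS:
        signals.add("minimal_text")
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in LURE_TERMS):
        signals.add("social_lure")
    if attached and decoded_qr_urls:
        signals.add("qr_in_attachment")
    if any(has_nested_url(u) for u in decoded_qr_urls):
        signals.add("url_redirection")
    return signals
```

No single signal is conclusive on its own; a mail pipeline would typically quarantine or flag for review only when several appear together.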
QR Codes: A Cybersecurity Risk You Can’t Ignore
QR codes present security challenges and have become a popular target for malicious actors looking to steal information.