Major Energy Company Targeted in Large QR Code Campaign

18 August 2023

Beginning in May 2023, Cofense has observed a large phishing campaign that uses QR codes to target the Microsoft credentials of users from a wide array of industries. The most notable target, a major Energy company based in the US, received about 29% of the more than 1,000 emails containing malicious QR codes. The other top four targeted industries are Manufacturing, Insurance, Technology, and Financial Services, which saw 15%, 9%, 7%, and 6% of the campaign traffic respectively. Most of the phishing links consisted of Bing redirect URLs, but other notable domains include krxd[.]com (associated with the Salesforce application) and cf-ipfs[.]com (Cloudflare’s Web3 services).

Historically, QR codes have not been a popular choice because of the limited ways in which a user can interact with them. However, they have several advantages over a phishing link embedded directly in an email. QR code delivery has a much better chance of reaching an inbox because the phishing link is hidden inside the QR image, and the QR image is in turn embedded inside a PNG image or PDF attachment.
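For mail triage, the services named above can be checked against URLs that a QR decoder has already pulled out of PNG or PDF attachments. The following is an added example, not Cofense's code; the sample URLs are constructed, and the Bing `/ck/a?...&u=a1<base64url>` click-tracking layout is an assumption that does not come from the article.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Services the article names as carrying the campaign's links.
NAMED_SERVICES = {
    "bing.com": "Bing redirect",
    "krxd.com": "krxd.com (Salesforce-associated)",
    "cf-ipfs.com": "cf-ipfs.com (Cloudflare Web3)",
}

def defang(url):
    """Make a URL non-clickable for tickets and reports."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def match_service(host):
    """Match on the exact domain or a subdomain, never on a bare suffix."""
    host = host.lower().rstrip(".")
    for domain, label in NAMED_SERVICES.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None

def bing_target(url):
    """Assumed layout (not from the article): /ck/a?...&u=a1<base64url of
    the destination>. Returns the destination, or None if it does not fit."""
    parts = urlsplit(url)
    u = parse_qs(parts.query).get("u", [""])[0]
    if not parts.path.startswith("/ck/a") or not u.startswith("a1"):
        return None
    b64 = u[2:] + "=" * (-len(u[2:]) % 4)  # restore stripped padding
    try:
        return base64.urlsafe_b64decode(b64).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(url):
    """Classify one URL extracted from a QR code in an attachment."""
    label = match_service(urlsplit(url).hostname or "")
    dest = bing_target(url) if label == "Bing redirect" else None
    return {"url": defang(url), "service": label,
            "destination": defang(dest) if dest else None,
            "review": label is not None}

# Constructed samples, not campaign data; .test is a reserved TLD.
DEST = "https://login.example.test/verify"
U = "a1" + base64.urlsafe_b64encode(DEST.encode()).decode().rstrip("=")
SAMPLES = ["https://www.bing.com/ck/a?p=constructed&u=" + U + "&ntb=1",
           "https://sub.cf-ipfs.com/ipfs/constructed",
           "https://intranet.example.test/benefits"]
```

A match only means the link uses one of the named services and deserves a closer look; all three also carry legitimate traffic.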

Key Points

  • A campaign has been observed delivering emails that spoof Microsoft security notifications and contain a PNG or PDF attachment asking the user to scan a QR code. The most notable target of the campaign is a major US Energy company.
  • The average month-to-month growth percentage of the campaign is more than 270%. The overall campaign has increased by more than 2,400% since May 2023.
  • QR codes are not historically popular, as they are limited in the way a user can interact with them. Scanning a QR code is limited to the mobile device used, which provides the user with a sneak peek of the link embedded in the QR code and verifies whether the user wishes to go to the link.