Chris Swagler | September 14th, 2023

In a concerning development, a significant energy company based in the United States has fallen victim to a sophisticated phishing attack that exploits QR codes to infiltrate corporate email systems. This recent attack, revealed by a cybersecurity company, highlights a worrying trend in cybercriminals’ strategies to bypass security measures.

The campaign, discovered in May, involves using QR codes embedded within PNG image attachments. These QR codes act as a vehicle for delivering malicious links that target recipients’ Microsoft credentials. The threat operators employ convincing lures, often impersonating Microsoft security alerts, and manipulate a sense of urgency to prompt recipients to update their security settings. This, in turn, leads victims to a fraudulent Microsoft credential phishing page.

What sets this campaign apart is the innovative use of QR codes to deliver malicious content. The cybersecurity company noted that approximately 29% of the targeted emails were directed at a major U.S. energy company. However, the campaign’s reach extended beyond the energy sector, with manufacturing, insurance, technology, and financial services companies also being affected, receiving 15%, 9%, 7%, and 6% of phishing attempts, respectively.

While QR codes have been utilized in phishing attacks, this campaign marks the first time they have been employed on such a large scale. This suggests that cybercriminals are exploring new avenues to exploit this attack vector. QR codes possess several advantages over conventional phishing methods. They can evade Secure Email Gateways (SEGs), as these gateways are typically unable to scan QR codes, providing the threat operators with a considerable edge in penetrating email inboxes.

To enhance the effectiveness of their strategy, the perpetrators strategically employ QR codes with redirects through legitimate services such as Bing, Salesforce, and Cloudflare’s Web3. This redirection technique camouflages the destination of the malicious link, thus evading detection and increasing the chances of victim engagement. The threat operators also utilize base64 encoding to obfuscate the phishing link, further enhancing their success rate.
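The redirect-plus-base64 obfuscation described above can be checked on the defender's side once a QR code has been decoded from the attached image. The following is an added example, not code from the article or from SpearTip: it takes the decoded QR payload, unwraps a base64-encoded destination from the query string, and flags the case where a legitimate redirector host points at a different domain. The redirector list, the redirect path and parameter name, and the `phish.example` / `intranet.example` hostnames are assumptions.

```python
import base64
from urllib.parse import parse_qsl, urlparse

# Assumption: the legitimate services the article names, keyed by registered
# domain, are treated as possible redirect hops rather than as threats.
LEGIT_REDIRECTORS = {"bing.com", "salesforce.com", "cloudflare.com"}

def registered_domain(host):
    """Crude eTLD+1; assumes no two-label public suffix such as co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def decode_url_param(value):
    """Return the http(s) URL hidden in a base64 query value, else None."""
    padded = value + "=" * (-len(value) % 4)  # repair stripped padding
    try:
        # urlsafe decoding also accepts the standard '+' '/' alphabet
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.startswith(("http://", "https://")) else None

def analyze_qr_payload(payload):
    """Classify the URL a QR decoder extracted from an email image."""
    outer = urlparse(payload)
    host = outer.hostname or ""
    result = {"outer_host": host, "hidden_url": None, "verdict": "no_url"}
    if outer.scheme not in ("http", "https") or not host:
        return result
    for _, value in parse_qsl(outer.query):
        result["hidden_url"] = decode_url_param(value)
        if result["hidden_url"]:
            break
    if not result["hidden_url"]:
        result["verdict"] = "direct_url"
        return result
    outer_dom = registered_domain(host)
    hidden_dom = registered_domain(urlparse(result["hidden_url"]).hostname or "")
    if outer_dom in LEGIT_REDIRECTORS and hidden_dom != outer_dom:
        result["verdict"] = "redirector_with_encoded_destination"
    else:
        result["verdict"] = "encoded_destination"
    return result

# Constructed QR-decoder output; the redirect path, parameter and hostnames are placeholders.
SAMPLES = [
    "https://www.bing.com/redirect?u="
    + base64.urlsafe_b64encode(b"https://phish.example/ms-login").decode(),
    "https://intranet.example/security-settings",
]
```

Run `analyze_qr_payload` over every URL a QR decoder returns for image attachments; only the `redirector_with_encoded_destination` verdict needs the decoded `hidden_url` fed to URL reputation or detonation rather than the benign-looking outer host.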

However, while QR codes offer a novel approach to phishing attacks, they still require user interaction to be effective. This mitigating factor underscores the importance of employee training in recognizing and thwarting such sophisticated threats. Employees aware of the uncommon nature of QR codes in email communication are more likely to be suspicious and refrain from scanning unknown codes.

Organizations should consider investing in ongoing training for their personnel to remain vigilant against evolving phishing techniques. Emphasizing a “trust but verify” approach and regular updates on emerging threats can empower employees to make informed decisions when encountering unfamiliar QR codes or links. While QR codes might serve as a new weapon in cybercriminals’ arsenals, a well-trained workforce remains the most robust line of defense against such attacks. Phishing is the most common method threat actors use to harvest legitimate credentials.

SpearTip’s team offers phishing training as a mitigation to strengthen the skills needed to defend against these threats. The exercise tests the discernment of a company’s teams, educates employees about common phishing tactics and indicators, and identifies related security gaps in the environment. Our team creates phishing email simulations like those threat actors use and sends them throughout the organization. We then provide insight and feedback to improve the team’s cyber defenses, leading to a marked decrease in the likelihood of being victimized by phishing scams. After the training, our team provides precise and thorough strategies to harden the environment and implement ongoing awareness training.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
