
The growing quishing threat – Sophos News


In the ongoing battle against evolving threat techniques, security professionals continue to face challenges in detecting and preventing phishing attacks. Recently, the Sophos X-Ops team conducted an investigation into phishing attacks targeting their employees, uncovering a sophisticated method known as quishing.

The attackers used QR codes, a machine-readable encoding mechanism often used to share URLs quickly. Unlike a link in a traditional phishing email, the URL in a QR code is difficult to scrutinize on a mobile device, which is where most people scan them. Threat actors can also use URL redirection techniques to conceal the final destination of the link.
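As an added illustration (not code from Sophos or the original article), the following sketch shows one static check a mail or mobile gateway could run on a URL once it has been decoded from a QR code: it unwraps destinations embedded in query parameters, including percent-encoding applied more than once, and reports whether the visible host differs from the final one. The trusted-host list and the sample URL are assumptions constructed for this example; server-side HTTP redirects are not visible to a static check like this.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption for this example: hosts where a sign-in link is expected to end.
TRUSTED_HOSTS = {"login.microsoftonline.com"}

# Constructed sample: a redirector URL carrying a doubly percent-encoded target.
SAMPLE = ("https://redirect.example.com/r?u="
          "https%253A%252F%252Flogin.example.net%252Fsignin%253Fid%253D1")

def embedded_urls(url):
    """Return URLs carried inside the query string or fragment of `url`."""
    parts = urlsplit(url)
    found = []
    for blob in (parts.query, parts.fragment):
        for _, value in parse_qsl(blob, keep_blank_values=True):
            candidate = value
            for _ in range(3):  # tolerate repeated percent-encoding
                if candidate.lower().startswith(("http://", "https://")):
                    found.append(candidate)
                    break
                decoded = unquote(candidate)
                if decoded == candidate:
                    break
                candidate = decoded
    return found

def redirect_chain(url, max_depth=5):
    """Follow embedded URLs without any network access; return hosts in order."""
    chain, current = [], url
    for _ in range(max_depth):  # bounded, so a self-referencing URL cannot loop
        chain.append((urlsplit(current).hostname or "").lower())
        nested = embedded_urls(current)
        if not nested:
            break
        current = nested[0]
    return chain

def triage(url):
    """Summarise where a QR-decoded URL appears to lead."""
    chain = redirect_chain(url)
    final = chain[-1]
    return {
        "chain": chain,
        "final_host": final,
        "hidden_destination": len(chain) > 1 and chain[0] != final,
        "final_trusted": final in TRUSTED_HOSTS,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```
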

The quishing attack involved sending spearphishing emails to Sophos employees, disguised as legitimate messages originating from a networked office scanner. The PDF attachments contained QR codes that, when scanned, directed the targets to a phishing page designed to mimic a Microsoft 365 login dialogue. The page was set up to capture login credentials and multi-factor authentication (MFA) responses using a technique known as adversary-in-the-middle (AiTM).

Despite internal controls preventing access to sensitive information, one employee fell victim to the attack, compromising their credentials and MFA token. The attacker attempted to use this information to gain access to an internal application but was ultimately thwarted.

The use of QR codes in phishing attacks poses a growing threat to organizations, with attackers constantly evolving their tactics to evade detection. As demonstrated by samples of quishing PDFs targeting specific employees, the volume and sophistication of attacks using this method are increasing.

To combat these threats, IT administrators are advised to implement various security measures. Suggestions include monitoring emails focused on HR or benefits, utilizing mobile security solutions like Intercept X for Mobile, implementing advanced email filtering, and enhancing employee awareness and reporting.

As phishing attacks become more sophisticated, a multi-layered approach combining technical solutions with employee vigilance is essential in mitigating the risks. By staying proactive and investing in robust security measures, organizations can better protect themselves against emerging threats like quishing. Sophos X-Ops continues to share indicators of compromise and research findings to aid in the fight against cyber threats.
