
From QR to compromise: The growing quishing threat – Source: news.sophos.com


Security experts are constantly monitoring the evolving tactics used by cybercriminals to target individuals and organizations. Recently, the Sophos X-Ops team investigated phishing attacks aimed at several employees within the company, one of whom had sensitive information compromised as a result.

The attackers employed a technique known as quishing, a portmanteau of "QR code" and "phishing". QR codes are commonly used as a quick way to share URLs, but threat actors can also use them to lure individuals to malicious websites without being easily detected.

Unlike traditional phishing emails, where recipients can inspect the URL before clicking, QR codes are usually scanned with a mobile phone, which makes it difficult to scrutinize the URL that briefly appears in the phone’s camera app. Moreover, threat actors may employ various URL redirection techniques to further obfuscate the final destination of the link.
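For triage, the redirection layers described above can often be peeled back without visiting the link. The following is an added example, not code from Sophos: it assumes the URL has already been decoded from the QR code and that each redirect target is carried in a query parameter (plain, percent-encoded or base64); redirects issued by the server can only be seen by fetching the URL in a sandbox. All hostnames are constructed.

```python
import base64
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def _host(url):
    """Hostname of an http(s) URL, or None if url is not one."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None

def _nested_url(value):
    """Return the URL carried in a parameter value (plain, percent- or base64-encoded)."""
    candidates = [value, unquote(value)]
    try:
        padded = value + "=" * (-len(value) % 4)
        candidates.append(base64.urlsafe_b64decode(padded).decode("utf-8"))
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass
    return next((c for c in candidates if _host(c)), None)

def unwrap_chain(url, max_depth=5):
    """Statically peel redirect targets out of query parameters, outermost first."""
    chain = [url]
    while len(chain) <= max_depth:
        try:
            query = urlsplit(chain[-1]).query
        except ValueError:
            break
        found = next((u for _, v in parse_qsl(query) if (u := _nested_url(v))), None)
        if found is None or found in chain:
            break
        chain.append(found)
    return chain

def triage(url, expected_domains):
    """Summarise where a QR-decoded URL really leads, for an analyst or mail filter."""
    chain = unwrap_chain(url)
    final = _host(chain[-1]) or ""
    ok = any(final == d or final.endswith("." + d) for d in expected_domains)
    return {"hops": [_host(u) for u in chain], "redirect_layers": len(chain) - 1,
            "final_host": final, "final_host_expected": ok}

# Constructed sample: two tracking/redirect layers in front of a look-alike login page.
_inner = "https://login.example.test/signin"
_b64 = base64.urlsafe_b64encode(_inner.encode()).decode().rstrip("=")
SAMPLE = ("https://links.example.com/track?id=42&url="
          + quote("https://redirect.example.net/go?to=" + _b64, safe=""))

if __name__ == "__main__":
    print(triage(SAMPLE, expected_domains=("example.com",)))
```

A link whose outermost host looks familiar but whose final host falls outside the expected domains, especially behind several redirect layers, is worth escalating before anyone signs in.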

The quishing attack involved sending employees a PDF document containing a QR code via email. The emails were carefully crafted to appear legitimate, with subject lines suggesting they originated from within the company. However, several inconsistencies and errors in the email messages raised suspicion, such as mismatched attachment filenames and unusual subject lines.

When the recipients scanned the QR code with their phones, they were directed to a phishing page designed to mimic a Microsoft 365 login dialog. The page was controlled by the attacker and aimed to steal login credentials and multi-factor authentication (MFA) responses using an adversary-in-the-middle (AiTM) technique.

Although the attack successfully compromised an employee’s credentials and MFA token, internal controls prevented the attacker from accessing any sensitive information. This new method of bypassing MFA requirements highlights the need for enhanced security measures to combat evolving cyber threats.

The use of QR codes in phishing attacks is a growing concern, with attackers leveraging advanced techniques to make their campaigns more sophisticated. As seen in recent samples, quishing documents have become more refined, featuring personalized content and utilizing trusted brands like Docusign to deceive users.

To address these threats, IT administrators are advised to implement robust security measures, educate employees on identifying phishing attempts, and utilize tools like Intercept X for Mobile to protect against QR code-based attacks. Additionally, monitoring user activities, implementing conditional access policies, and enabling advanced email filtering can help mitigate the risks associated with such attacks.

Ultimately, fostering a culture of cybersecurity awareness and empowering employees to report suspicious activities are crucial in combating phishing incidents. By combining technical safeguards with human vigilance, organizations can better defend against evolving cyber threats and safeguard their sensitive information.
