QR Code Phishing Campaign Targets Top US Energy Company

Attackers sent more than 1,000 emails with 2FA, MFA, and other security-related lures aimed at stealing Microsoft credentials.

Attackers targeted a major US energy company with a phishing campaign that overall sent more than 1,000 emails armed with malicious QR codes aimed at stealing Microsoft credentials.

The campaign, discovered by Cofense in May, used both PNG image attachments and redirect links associated with Microsoft Bing and well-known business applications — including Salesforce and Cloudflare's Web3 services — with embedded QR codes, the researchers revealed in a post published today.

The messages used lures aimed at fostering a sense of urgency, spoofing Microsoft security alerts and claiming that recipients were required to update their account's security settings associated with two-factor authentication (2FA) and multi-factor authentication (MFA), among others. The images and links included within the messages ultimately sent victims to a Microsoft credential phishing page.

While the campaign affected multiple industries, a top US energy company received the lion's share of the phishing emails, with employees there on the receiving end of more than 29% of the 1,000-plus emails containing malicious QR codes. The other top four targeted industries included manufacturing, receiving 15% of the phishing messages; insurance (9%), technology (7%), and financial services (6%). Cofense did not reveal the name of the energy firm.

Moreover, the campaign, which is ongoing, is spreading quickly. Its volume has increased by more than 2,400% since May, with average month-to-month growth of more than 270%, according to Cofense.

"The campaign represents what might have been a testing for efficacy phase in mid/late-June," explains Nathaniel Raymond, cyber threat intelligence analyst at Cofense and the report writer. "Then, Cofense observed a considerable increase in QR codes being used for credential phishing for a brief time."

By mid-July, however, the researchers observed a steady upward trend in QR code usage that extended into August, he adds.

Rare but Successful

Attackers rarely use QR codes in phishing emails, mainly because they require the victim to take an extra step (scanning the code) before the lure can pay off, which lowers the chance of success.

"QR codes are uncommon to see, especially in larger phishing campaigns, as they are limited to delivering credential phishing via a device with scanning capabilities such as a mobile device," Raymond says.

Still, they have several advantages over merely sending a phishing link or malicious file embedded directly in an email, he says. That's because QR code delivery methods have a much better chance of reaching an inbox.

"This campaign makes use of a PDF or image file attachment with the QR code embedded into it," Raymond says. "This makes it easier for the emails to bypass Secure Email Gateways (SEGs). Because SEGs are typically not able to scan QR codes but they are capable of scanning links, QR codes have an immediate advantage over normal credential phishing campaigns."

The bulk of the campaign's phishing emails contain PNG image attachments delivering Microsoft credential phishing links or phishing redirects via an embedded QR code with the majority of them being Bing redirect URLs, the researchers found. While Bing is a legitimate domain owned by Microsoft — and these URLs were originally meant for marketing purposes — they can also be used for malicious purposes.
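The two points above, that gateways scan links but not QR codes, and that a legitimate Bing redirect can carry an attacker-controlled destination, suggest one defensive check: once an attachment's QR code has been decoded (by a separate decoder such as pyzbar, not shown here), treat the decoded string exactly like any other link in the message, statically unwrap known redirectors without touching the network, and flag the final host. The code below is an added example written for this article, not Cofense's tooling. It assumes that Bing click-tracking links carry the destination in a `u` query parameter, either as a plain URL or as base64url text prefixed with `a1`; that format, the expected Microsoft login hosts, and the sample payloads are assumptions or constructed inputs, not details taken from the report.

```python
import base64
import binascii
from urllib.parse import urlparse, parse_qs

# Hosts where a genuine Microsoft sign-in prompt is expected to land (assumed list).
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

# Redirector hosts and the query parameters that carry their target.
# Assumption: Bing click-tracking uses a 'u' parameter, plain or base64url with an "a1" tag.
REDIRECTORS = {"www.bing.com": ("u",), "bing.com": ("u",)}


def _decode_candidate(value):
    """Turn a redirector parameter value into a URL, or return None.

    parse_qs has already percent-decoded the value. Plain URLs pass through;
    otherwise try base64url, dropping the assumed "a1" prefix and re-padding.
    """
    if value.startswith(("http://", "https://")):
        return value
    if value.startswith("a1"):
        value = value[2:]
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.startswith(("http://", "https://")) else None


def unwrap_redirect(url, max_hops=5):
    """Statically follow redirector parameters (no HTTP requests) until a non-redirector host is reached.

    Returns (final_url, chain) where chain lists every URL seen, starting with the input.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urlparse(url)
        param_names = REDIRECTORS.get(parts.netloc.lower())
        if not param_names:
            break
        query = parse_qs(parts.query)
        nxt = None
        for name in param_names:
            for val in query.get(name, []):
                nxt = _decode_candidate(val)
                if nxt:
                    break
            if nxt:
                break
        if not nxt:
            break
        url = nxt
        chain.append(url)
    return url, chain


def assess_qr_payload(payload):
    """Classify a string decoded from a QR code in an email attachment.

    Returns a dict with verdict ('clean', 'suspicious' or 'not-a-url'), the
    final destination after unwrapping, and the reasons for the verdict.
    """
    payload = payload.strip()
    if not payload.lower().startswith(("http://", "https://")):
        return {"verdict": "not-a-url", "final": None, "reasons": []}
    final, chain = unwrap_redirect(payload)
    host = urlparse(final).netloc.lower()
    reasons = []
    if len(chain) > 1:
        reasons.append("routed via redirector %s" % urlparse(chain[0]).netloc.lower())
    # A Microsoft-themed hostname that is not a real Microsoft login host is a classic lookalike.
    if host not in EXPECTED_LOGIN_HOSTS and any(k in host for k in ("microsoft", "office", "365", "outlook")):
        reasons.append("Microsoft-themed host %s is not a Microsoft login host" % host)
    return {"verdict": "suspicious" if reasons else "clean", "final": final, "reasons": reasons}


# Constructed sample payloads, standing in for what a QR decoder would return from attachments.
_TARGET = "https://mfa-update.example/verify"
SAMPLE_BING_WRAPPED = "https://www.bing.com/ck/a?!&&p=constructed&u=a1" + \
    base64.urlsafe_b64encode(_TARGET.encode()).decode().rstrip("=")
SAMPLE_PAYLOADS = [
    "https://login.microsoftonline.com/",            # direct, genuine login host
    SAMPLE_BING_WRAPPED,                               # legitimate redirector, attacker destination
    "https://microsoft-365-security.example/login",   # direct lookalike host
    "WIFI:S:guest;;",                                  # QR content that is not a URL at all
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        r = assess_qr_payload(p)
        print(r["verdict"].upper(), "->", r["final"], "|", "; ".join(r["reasons"]))
```

In a gateway pipeline this function would run on every decoded QR payload alongside the existing URL scanner; the redirector unwrapping is what keeps a Bing wrapper from laundering the real destination past an allow-list of trusted domains.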

Don't Scan That QR Code

Training employees to spot advanced phishing techniques as they evolve can help in preventing those targeted from getting scammed.

"When it comes to QR codes and how uncommon they are in day-to-day email operations, a trained employee would be immediately suspicious," Raymond says. "As such, it is imperative to have regular employee training implemented."

Indeed, the easiest way to avoid being compromised by a phishing campaign that uses QR codes is not to scan unknown codes from unfamiliar senders in emails that arrive in a corporate account.

"In terms of overall advice, this is simply an extension of 'don't click links you don't trust,'" Raymond says. "Don't follow links, especially from scanned QR codes, unless you trust them."