QR Code Phishing Campaign Targets Top US Energy Company

Attackers sent more than 1,000 emails with 2FA, MFA, and other security-related lures aimed at stealing Microsoft credentials.

Image shows a dark skinned woman at a computer clicking on a  computer keyboard with a mail icon and a warning on the screen
Source: Rawpixel.com at Shutterstock

Attackers targeted a major US energy company with a phishing campaign that overall sent more than 1,000 emails armed with malicious QR codes aimed at stealing Microsoft credentials.

The campaign, discovered by Cofense in May, used both PNG image attachments and redirect links associated with Microsoft Bing and well-known business applications — including Salesforce and CloudFlare's Web3 services — with embedded QR codes, the researchers revealed in a post published today.

The messages used lures aimed at fostering a sense of urgency, spoofing Microsoft security alerts and claiming that recipients were required to update their account's security settings associated with two-factor authentication (2FA) and multi-factor authentication (MFA), among others. The images and links included within the messages ultimately sent victims to a Microsoft credential phishing page.

While the campaign affected multiple industries, a top US energy company received the lion's share of the phishing emails, with employees there on the receiving end of more than 29% of the 1,000-plus emails containing malicious QR codes. The other top four targeted industries included manufacturing, receiving 15% of the phishing messages; insurance (9%), technology (7%), and financial services (6%). Cofense did not reveal the name of the energy firm.

Moreover, the campaign, which is ongoing, is spreading quickly. The volume of the campaign has increased by more than 2,400% since May, with average month-to-month growth percentage at more than 270%, according to Cofense.

"The campaign represents what might have been a testing for efficacy phase in mid/late-June," explains Nathaniel Raymond, cyber threat intelligence analyst at Cofense and the report writer. "Then, Cofense observed a considerable increase in QR codes being used for credential phishing for a brief time."

By mid-July, however, the researchers observed a steady upward trend in QR code usage that extended into August, he adds.

Rare but Successful

Attackers often don't use QR codes in phishing emails, mainly because they require an extra step in terms of engaging with a victim to fall for a lure, and thus could hinder the chance of success.

"QR codes are uncommon to see, especially in larger phishing campaigns, as they are limited to delivering credential phishing via a device with scanning capabilities such as a mobile device," Raymond says.

Still, they have several advantages over merely sending a phishing link or malicious file embedded directly in an email, he says. That's because QR code delivery methods have a much better chance of reaching an inbox.

"This campaign makes use of a PDF or image file attachment with the QR code embedded into it," Raymond says. "This makes it easier for the emails to bypass Secure Email Gateways (SEGs). Because SEGs are typically not able to scan QR codes but they are capable of scanning links, QR codes have an immediate advantage over normal credential phishing campaigns."

The bulk of the campaign's phishing emails contain PNG image attachments delivering Microsoft credential phishing links or phishing redirects via an embedded QR code with the majority of them being Bing redirect URLs, the researchers found. While Bing is a legitimate domain owned by Microsoft — and these URLs were originally meant for marketing purposes — they can also be used for malicious purposes.

Don't Scan That QR Code

Training employees to spot advanced phishing techniques as they evolve can help in preventing those targeted from getting scammed.

"When it comes to QR codes and how uncommon they are in day-to-day email operations, a trained employee would be immediately suspicious," Raymond says. "As such, it is imperative to have regular employee training implemented."

Indeed, the easiest way to avoid being compromised by a phishing campaign that uses QR codes is not to scan any unknown codes from unfamiliar users found in emails that appear in a person's corporate account.

"In terms of overall advice, this is simply an extension of 'don't click links you don't trust,'" Raymond says. "Don't follow links, especially from scanned QR codes, unless you trust them."

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights