Creating a sense of urgency, often mixed with a little fear, is right at the top of the playbook for email threat actors. One of the countless social engineering tactics we have observed repeatedly over the years does just that, using threatening court orders as an attention grabber. Some of these attacks have been quite detailed, at times even including some personal information, while others have taken a sparser approach, indicative of a spray-and-pray attack. A recent example originated from a compromised email account, not a legitimate court of course. The payload of this attack was an attached PDF file which promised the details of the alleged court order.

If you open the PDF file, you will see a message urging you to scan the QR code with your phone. This technique effectively moves the attack away from most of the security defenses provided by your organization by switching you over to your mobile device.

Upon scanning the embedded QR code, you will be redirected to the fake Microsoft 365 OWA login page. If you are already logged in, the attacker will initially try to steal your active session cookies by proxying the connection. If you are not logged in with an active session, you will be prompted for your password. If you do not have a 365 account, it asks you to provide another address or create one. These fake 365 OWA sites are currently the most popular phishing portal used in email-borne phishing attacks today.
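For defenders triaging a reported QR code, the following added example (not part of the original post) checks a decoded URL against an exact-match allowlist of sign-in hosts and reports why it fails. The allowlist, the keyword list, the reason labels and the sample URLs are assumptions made for illustration; an organization would maintain its own list.

```python
from urllib.parse import urlsplit

# Assumed allowlist of genuine Microsoft 365 sign-in hosts (not exhaustive).
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "outlook.office.com",
    "outlook.office365.com",
}
# Assumed brand keywords that a lookalike portal tends to place in its URL.
BRAND_WORDS = ("microsoft", "office", "outlook")


def check_qr_url(url: str) -> list[str]:
    """Return the reasons a QR-decoded URL fails the check; [] means it passed."""
    try:
        parts = urlsplit(url.strip())
        # hostname drops any userinfo and port; normalise case and trailing dot.
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["unparseable"]

    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    # "https://trusted-name@other-host/" displays a trusted name before the '@'
    # while the browser actually connects to other-host.
    if parts.username is not None:
        reasons.append("userinfo-in-url")
    # Exact match only: a suffix or substring match would accept
    # "login.microsoftonline.com.<anything>".
    if host not in TRUSTED_LOGIN_HOSTS:
        reasons.append("host-not-allowlisted")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode-host")
        visible = (parts.netloc + parts.path).lower()
        if any(word in visible for word in BRAND_WORDS):
            reasons.append("brand-lookalike")
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs using the reserved .example TLD.
    for sample in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoftonline.com.signin.example/owa",
        "https://login.microsoftonline.com@portal.example/",
    ):
        print(sample, "->", check_qr_url(sample) or "ok")
```

An empty result only means the host is on the allowlist over HTTPS; it says nothing about redirects that happen after the page loads.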

You should always be extremely cautious when receiving QR codes, as they are often used by threat actors attempting to obfuscate their malicious intent. Additionally, it would be extremely rare for a court to send a court order via unsolicited email, so this should be a huge red flag.