The use of QR codes is one of several methods threat actors have recently deployed to circumvent security controls. QR codes have become so commonplace, for example as paperless menus at restaurants, that everyone has grown accustomed to reaching for their mobile device at the first sight of one. Attackers are aware of this. By placing QR codes in email, they hope to slip past business security solutions and move the victim from a protected corporate environment onto a personal device, where security controls may be lacking.
This example posed as a Microsoft MFA one-time passcode authentication/expiration message that the recipient would need to scan in order to keep their current password. Most legitimate services would never offer a user the option to keep a password that was genuinely expiring. Upon decoding the QR code, we see that it points to a customized subdomain on web.]corec.]windowsd.]net, Microsoft Azure's blob storage site.
If a user proceeds, they are redirected through a Cloudflare check and a live-user (captcha style) verification. The portal also tries to use OAuth to proxy a connection between the victim and Microsoft so that, if the victim has an active session, the session token can be stolen. If no session is active, it prompts the user to sign in with their credentials, and those credentials are collected instead. Using Azure to bind session tokens to a user's own specific device(s), or implementing hardware-based authentication, are best practices that help prevent these session attacks, which can bypass MFA.
Later, the attackers upgraded their campaign by incorporating the target's user name and company logo into the body of the message, and by leveraging a bingg.]com redirect in the URL instead of linking to the landing page directly. We continue to monitor these closely as the attackers further customize their attacks.
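The two indicators described above, a decoded QR payload that lands on a tenant-named Azure Storage site and, later, a bing.com redirect wrapping that destination, can be triaged automatically once the QR image has been decoded. The following is an added example, not code from the original post or from any vendor. It assumes the mail pipeline has already decoded the QR image to its payload string (for instance with the zbar tools), that the defanged hostname in the post denotes Azure's real `web.core.windows.net` / `blob.core.windows.net` endpoints, and that the bing.com click-tracking link carries its target in a `u` parameter as `a1` followed by unpadded base64url text (that last point is an assumption, not something the post states). All sample payloads and message text are constructed.

```python
"""
Triage of URLs decoded from QR codes found in inbound e-mail.

Added example, not code from the original post. Only the already-decoded QR
payload string is handled here; image decoding is left to the mail pipeline.
All sample payloads and message text below are constructed for illustration.
"""
import base64
import binascii
from urllib.parse import urlparse, parse_qs

# Hostname suffixes of Azure Storage static-website and blob endpoints, the kind
# of attacker-controlled subdomain the decoded QR code in the post pointed to.
AZURE_STORAGE_SUFFIXES = (".web.core.windows.net", ".blob.core.windows.net")

# Lure wording the post calls out: a real service does not let you "keep" an
# expiring password. These phrases are constructed heuristics, not a vendor list.
LURE_PHRASES = ("keep your current password", "keep current password")
CONTEXT_PHRASES = ("mfa", "one time passcode", "one-time passcode", "expir")


def unwrap_bing_redirect(url):
    """Return the target embedded in a bing.com click-tracking link, else None.

    Assumption (not from the post): the target sits in the 'u' query parameter
    as 'a1' followed by base64url text with the '=' padding stripped.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host != "bing.com" and not host.endswith(".bing.com"):
        return None
    encoded = parse_qs(parts.query).get("u", [""])[0]
    if not encoded:
        return None
    if encoded.startswith("a1"):
        encoded = encoded[2:]
    encoded += "=" * (-len(encoded) % 4)  # restore the stripped padding
    try:
        return base64.urlsafe_b64decode(encoded).decode("utf-8", "replace")
    except binascii.Error:
        return None


def triage_qr_payload(payload, message_text=""):
    """Classify a decoded QR payload (plus optional message text) for review.

    Returns a dict with the unwrapped destination, its host, the list of
    findings, and a verdict of 'allow', 'review' or 'block'.
    """
    findings = []
    final_url = payload
    inner = unwrap_bing_redirect(payload)
    if inner:
        findings.append("bing.com redirect wrapping the real destination")
        final_url = inner
    parts = urlparse(final_url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        findings.append("payload is not an http(s) URL")
    if host.endswith(AZURE_STORAGE_SUFFIXES):
        findings.append("destination is a tenant-named Azure Storage site")
    text = message_text.lower()
    if any(p in text for p in LURE_PHRASES) and any(c in text for c in CONTEXT_PHRASES):
        findings.append("lure offers to keep an expiring password")
    if len(findings) >= 2:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"final_url": final_url, "host": host, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples modelled on the lures described in the post.
    samples = [
        ("https://acct-verify.z13.web.core.windows.net/auth.html",
         "Your Microsoft MFA one time passcode expires today. Scan to keep your current password."),
        ("https://www.bing.com/ck/a?p=CONSTRUCTED&u=a1aHR0cHM6Ly94LndlYi5jb3JlLndpbmRvd3MubmV0Lw", ""),
        ("https://example.com/menu", "Scan for today's menu"),
    ]
    for qr_payload, body in samples:
        print(triage_qr_payload(qr_payload, body))
```

The redirect is unwrapped before the host check so that the Azure suffix match fires on the real destination rather than on bing.com, which is exactly the evasion the later variant of this campaign relied on. The verdict thresholds are deliberately simple; in practice the `findings` list is what you would feed into a SOAR rule or an analyst queue.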