Threat Detection
October 4, 2023
Learn how the Sublime Platform addresses the nuance behind QR code phishing attacks and what we’ve learned in defending against this emerging email threat.
From advanced malware attacks to sophisticated social engineering campaigns, threats are becoming more diverse, payloads are more dynamic, and multistage attacks are becoming more frequent. Among these, phishing remains a persistent challenge.
Traditionally, credential phishing payloads have been link-oriented, delivered in the familiar, clickable hyperlink format. But as technology and user behavior change, attackers adapt, finding innovative methods to deceive and exploit.
Once predominantly limited to suspicious email attachments and links, threats have now found a new camouflage: Quick Response (QR) codes.
A QR code is a two-dimensional barcode that can be read using smartphones or dedicated QR reading devices, quickly taking users to a website, payment portal, or other digital destinations.
As businesses incorporated QR codes into their operations to streamline processes, they became ubiquitous in daily transactions and information sharing, and that ubiquity makes them an appealing vehicle for cybercriminals to introduce malicious content, capitalizing on users' trust and familiarity. They're now commonly found in business emails for tasks like mobile identity verification, especially in multifactor authentication (MFA) requests.
As these threats evolve, so must our detection and defensive strategies. Let’s delve into these emerging challenges and their countermeasures.
QR codes that simplify tasks like cashless payments, logging into a service, or adding an MFA token have been rapidly integrated into our everyday lives. Their convenience, however, has not gone unnoticed by cyber criminals.
As their usage grows, so does their misuse. Malicious actors, exploiting the trust that many place in QR codes, are increasingly embedding them with malicious URLs. These deceptive links lead users to phishing sites, malware downloads, and other digital hazards.
The true peril lies in the obfuscation inherent in a QR code. Whereas a discerning individual might identify a suspicious domain within a traditional URL by hovering over it in their email client, a QR code masks this detail entirely. As a result, the visual cue that phishing awareness training has ingrained in users is lost.
The Sublime Platform goes beyond the initial detection of a QR code and reading the encoded data. It decodes and investigates the intent behind every QR code to analyze whether it leads to a phishing site or a malware delivery attempt.
There are two primary ways QR codes are delivered:
MQL, or Message Query Language, is Sublime's specialized query language designed for deep inspection and analysis of email message-related data. Given the increasing prevalence of QR codes in various communication mediums, MQL has been invaluable in identifying and inspecting these attacks.
To begin, let's understand how to identify QR codes within image attachments using MQL:
type.inbound
: Targets only inbound messages. Optionally, we could analyze internal or outbound traffic as well.
any(attachments, .file_type in $file_types_images)
: Iterates through each attachment and compares its file_type against a list of predefined image types ($file_types_images).
any(file.explode(.), .scan.qr.type == "url")
: If an image file is found, checks whether the QR code scanner determined the content type of the embedded QR code to be "URL".
We've crafted a concise mechanism to inspect inbound messages with image attachments and identify any QR codes that may contain URLs. Now what?
After the initial identification, the real power of MQL is decoding the content of these QR codes and performing deeper inspection on what's behind the URL. Without this or other additional signals, we're likely to miss certain attacks. So let’s add some additional logic:
Let’s take a closer look at each new component added.
any([beta.linkanalysis(.scan.qr.url)], .credphish.disposition == "phishing")
: Our first move post-identification is a deeper dive into the decoded URL of the QR code using Link Analysis, which leverages computer vision and other machine learning techniques to make a determination of "phishing".
any(.redirect_history, .domain.tld in $suspicious_tlds)
: URLs often redirect multiple times before landing on the final page. By tracking this redirect history and cross-referencing it with a list of suspicious top-level domains ($suspicious_tlds), we can identify routes that traverse dubious online territories.
.effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
: It's not just about where the URL takes you, but also where it finally rests. By checking the effective destination against domains reported by trusted reporters in the URLhaus database, we ensure we're not being led to a known malicious domain.
any(.files_downloaded, .file_extension in $file_extensions_common_archives or .file_extension in $file_extensions_executables)
: We're also alert to what the QR code-triggered URL might attempt to download. A focus on commonly abused archive types and executable files gives us a safety net against potential malware downloads.
Building upon our initial exploration, let's delve into a full-fledged Sublime Detection Rule that encapsulates the techniques we've discussed:
As you can see, we've added several layers of criteria to ensure that we're not just looking at QR codes, but also understanding the environment and context in which they operate. Some of the additional features include:
In the above rule, we inspected image attachments for QR codes. But what if the QR code is embedded in the body of a message? Let's take a look at another Sublime Feed Rule, specifically:
In this MQL block, we first check that the message has no attachments, then invoke our file.explode functionality against our message_screenshot enrichment. This lets us run the same scanners, including the QR code scanner, over a screenshot of the message rendered within our platform.
MQL is really powerful. It's not just about identifying threats, but understanding them in their entirety, preparing for their nuances, and staying a step ahead.
We recently observed an uptick in Microsoft-branded attacks where impersonation is the primary driver of the social engineering tactic. These have succeeded because the real Microsoft Teams emails look remarkably similar.
In this real-world scenario, let’s review how this Sublime Detection Rule would detect the attack.
Similar to the previous example, we first check for the presence of a QR code, but then leverage Computer Vision (Logo Detection) to identify the Microsoft logo in the body of the message or attachment. You can see how our Deep learning / object detection model works in our previous post, Deep Learning to Detect Credential Phishing.
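An added example, not a rule from the original post, covering both the body-embedded QR case described earlier (no attachments, QR scanner run over the message screenshot) and the Microsoft impersonation case described here. The function names beta.message_screenshot() and ml.logo_detect() are assumed from MQL's function library; the post refers to these capabilities only as the message_screenshot enrichment and Logo Detection.

```mql
// Added example: body-embedded QR code plus Microsoft logo detection.
// beta.message_screenshot() and ml.logo_detect() are assumed function
// names; the post describes the capabilities without naming them.
type.inbound
// no attachments, so the QR code must be rendered in the message body
and length(attachments) == 0
and any(file.explode(beta.message_screenshot()),
        // the QR scanner decoded a URL from the rendered message
        .scan.qr.type == "url"
        // and the decoded destination is judged a credential phishing page
        and any([beta.linkanalysis(.scan.qr.url)],
                .credphish.disposition == "phishing")
)
// computer vision finds a Microsoft logo in the rendered message
and any(ml.logo_detect(beta.message_screenshot()).brands,
        .name == "Microsoft")
```

Logo detection alone is a weak signal, since legitimate Microsoft Teams mail also carries the logo; it is the combination with a QR-decoded phishing URL that makes the rule precise.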
We've open-sourced several rules to detect and prevent QR code attacks behaviorally. Here are a few you can try with a free Sublime instance:
Beyond attack prevention, the best defense against QR code attacks is defense in depth. Since most of the attacks we've observed aim to steal user credentials, hardware MFA (like a YubiKey) would be an effective countermeasure.
QR codes are not the first nor last attack medium, so detection strategies must continuously evolve. By leveraging the best of machine learning techniques with adaptable detection-as-code, we're able to quickly and effectively prevent these elusive attacks and what may come next.
Deploy a free Managed or Self-Managed instance of Sublime today to prevent these attacks. No MX changes required.