From advanced malware attacks to sophisticated social engineering campaigns, threats are becoming more diverse, payloads are more dynamic, and multistage attacks are becoming more frequent. Among these, phishing remains a persistent challenge.
Traditionally, credential phishing payloads have been link-oriented, delivered in the familiar, clickable hyperlink format. But as technology and user behavior change, attackers adapt, finding innovative methods to deceive and exploit.
Once predominantly limited to suspicious email attachments and links, threats have now found a new camouflage: Quick Response (QR) codes.
A QR code is a two-dimensional barcode that can be read using smartphones or dedicated QR reading devices, quickly taking users to a website, payment portal, or other digital destinations.
With their increasing ubiquity in daily transactions and information sharing, QR codes are an appealing vehicle for cybercriminals to introduce malicious content, capitalizing on users' trust and familiarity. In turn, businesses began incorporating them into their operations to streamline processes. They're now commonly found in business emails for tasks like mobile identity verification, especially in multifactor (MFA) authentication requests.
As these threats evolve, so must our detection and defensive strategies. Let’s delve into these emerging challenges and their countermeasures.
Converging Threats: QR Codes and Credential Phishing
QR codes that simplify tasks like cashless payments, logging into a service, or adding a MFA token have been rapidly integrated into our everyday lives. Their convenience, however, has not gone unnoticed by cyber criminals.
As their usage grows, so does their misuse. Malicious actors, exploiting the trust that many place in QR codes, are increasingly embedding them with harmful/malicious URLs. These deceptive links lead users to phishing sites, malware downloads and other digital hazards.
The true peril lies in the obfuscation achieved by the inherent nature of a QR code. Whereas a discerning individual might identify a suspicious domain within a traditional URL by hovering over it in their email client, QR codes mask this detail. As a result, the visual distinction typically engrained in users via phishing awareness training is lost.
QR Code Analysis and Phishing Detection: How It Works
The Sublime Platform goes beyond the initial detection of a QR code and reading the encoded data. It decodes and investigates the intent behind every QR code to analyze whether it leads to a phishing site or a malware delivery attempt.
There are two primary ways QR codes are delivered:
1. Embedded in attachments: Whenever an attachment is received, our QR code scanner decodes and interprets the data embedded within the QR code, and then further analyzes the URL for malicious content.
2. Embedded in message bodies: For QR codes present within the body of the message, we first capture a screenshot of the message, then run the image through the same detection pipeline above.
Using MQL to Leverage QR Code Functionality
MQL, or Message Query Language, is Sublime's specialized query language designed for deep inspection and analysis of email message-related data. Given the increasing prevalence of QR codes in various communication mediums, MQL has been invaluable in identifying and inspecting these attacks.
Identify QR Codes in Image Attachments
To begin, let's understand how to identify QR codes within image attachments using MQL:
- type.inbound: Targets only inbound messages. Optionally, we could analyze internal, or outbound traffic as well
- any(attachments,.file_type in $file_types_images): Iterates through each attachment file_type against a list of predefined image types ($file_types_images)
- any(file.explode(.), .scan.qr.type == "url"): If an image file is found, check if the QR code scanner determined its content type as “URL”
We've crafted a concise mechanism to inspect inbound messages with image attachments to identify any QR codes that may contain URLs. Now what?
Digging Deeper with MQL
After the initial identification, the real power of MQL is decoding the content of these QR codes and performing deeper inspection on what's behind the URL. Without this or other additional signals, we're likely to miss certain attacks. So let’s add some additional logic:
Let’s take a closer look at each new component added.
- any([beta.linkanalysis(.scan.qr.url)], .credphish.disposition == "phishing"): Our first move post-identification is a deeper dive into the decoded URL of the QR code using Link Analysis, which leverages computer vision and other Machine Learning techniques to make a determination of “phishing”.
- any(.redirect_history, .domain.tld in $suspicious_tlds): URLs often redirect multiple times before landing on the final page. By tracking this redirect history and cross-referencing it with a list of suspicious top-level domains ($suspicious_tlds), we can identify routes that traverse dubious online territories.
- .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters: It's not just about where the URL takes you, but also where it finally rests. By checking the effective destination against trusted reporters in the URLhaus database, we're ensuring we’re not being led to a known malicious domain.
- any(.files_downloaded, .file_extension in $file_extensions_common_archives or .file_extension in $file_extensions_executables): We're also alert to what the QR code-triggered URL might attempt to download. A focus on commonly abused archive types and executable files gives us a safety net against potential malware downloads.
Putting It All Together
Building upon our initial exploration, let's delve into a full-fledged Sublime Detection Rule that encapsulates the techniques we've discussed:
As you can see, we've added several layers of criteria to ensure that we're not just looking at QR codes, but also understanding the environment and context in which they operate. Some of the additional features include:
- Message Assessment: Inbound messages and specifically focus on those with 1 to 3 attachments, ensuring we’re not overwhelmed by bulk data.
- URL Shorteners: Attackers often employ URL shorteners to obfuscate the true destination. We check the root domain of the QR code URL to identify any common URL shorteners.
- Open Redirects: QR codes that use known open redirects, like the ones from 'bing.com' or 'usap-dc.org', are flagged. Open redirects are a popular method employed by attackers to redirect a victim from a trusted domain to a malicious site.
Leveraging MessageScreenshot for Embedded QR
In the above rule, we inspected image attachments for QR codes. But what if the QR code is embedded in the body of a message? Let's take a look at another Sublime Feed Rule, specifically:
In this MQL block, we're checking to see if there are no attachments, invoking our file.explode functionality against our message_screenshot enrichment. This allows us to scan a screenshot of the message within our platform, including the QR code scanner.
MQL is really powerful. It's not just about identifying threats, but understanding them in their entirety, preparing for their nuances, and staying a step ahead.
Microsoft Image-based Lures
We recently observed an uptick in Microsoft-branded attacks where impersonation is the primary driver of the social engineering tactic. These have succeeded because the real Microsoft Teams emails look remarkably similar.
In this real-world scenario, let’s review how this Sublime Detection Rule would detect the attack.
Similar to the previous example, we first check for the presence of a QR code, but then leverage Computer Vision (Logo Detection) to identify the Microsoft logo in the body of the message or attachment. You can see how our Deep learning / object detection model works in our previous post, Deep Learning to Detect Credential Phishing.
Sublime Detection Rules and Other Mitigation Strategies
We've open-sourced several rules to detect and prevent QR code attacks behaviorally. Here are a few you can try with a free Sublime instance:
- Brand impersonation: Microsoft (QR Code)
- Link: QR Code with suspicious language (first-time sender)
- Attachment: QR code with credential phishing indicators
- QR Code with suspicious indicators
Beyond attack prevention, the best defense against QR code attacks is defense in depth. Since most of the attacks we've observed aim to steal user credentials, hardware MFA (like a Yubikey) would be an effective countermeasure.
Beyond QR Code Phishing
QR codes are not the first nor last attack medium, so detection strategies must continuously evolve. By leveraging the best of machine learning techniques with adaptable detection-as-code, we're able to quickly and effectively prevent these elusive attacks and what may come next.
Deploy a free Managed or Self-Managed instance of Sublime today to prevent these attacks. No MX changes required.
