Cofense has detected a significant phishing campaign using QR codes to target Microsoft credentials across various industries since May 2023. The campaign's most prominent victim was a major US energy company, with around 29% of the malicious emails containing QR codes directed at them. Other industries affected include manufacturing, insurance, technology, and financial services. While historically, QR codes have not been a popular choice due to their limitations, they offer advantages over direct phishing links embedded in emails.
Cofense's research highlighted that the campaign's growth rate exceeded 270% month-to-month, with a total increase of over 2,400% since May. The phishing emails impersonate Microsoft security notifications and encourage users to scan a QR code present in PNG or PDF attachments. Although QR codes provide a way for phishing emails to reach users' inboxes, their efficacy in tricking users into interacting with the malicious content is limited.
The campaign, despite targeting various industries, primarily focused on the energy sector, especially a major US-based energy company. The phishing emails typically contained PNG image attachments carrying Microsoft credential phishing links or phishing redirects via QR codes. These redirects often employed Bing URLs, Salesforce application URLs, and other domains like krxd[.]com and cf-ipfs[.]com.
Cofense's findings underscore the potential of QR codes as a novel attack vector, with malicious actors possibly testing their viability. To counter such attacks, relying solely on QR code scanners and image recognition may not be foolproof. Employee education and awareness play a crucial role in preventing QR code-based phishing, as well as avoiding interactions with QR codes in unsolicited emails.