Fresh Phish: Malicious QR Codes Are Quickly Retrieving Employee Credentials

QR codes are being exploited in rapid-fire phishing campaigns to harvest employee credentials, often via image-based emails that impersonate trusted brands. INKY reports hundreds of such QR code phishing emails across multiple industries, using tactics like Microsoft impersonation and internal-origin appearances to coerce actions like scanning codes and verifying accounts. #INKY #QRCodePhishing

Keypoints

  • QR code usage for consumer activity surged, with the Americas leading in early 2022 and millions of scans recorded.
  • INKY detected hundreds of QR code phishing emails featuring image-based content, brand impersonation, and attempts to impersonate internal organizational senders.
  • Common patterns include requests to resolve account issues (2FA, verification, password changes) and threats of consequences if tasks aren’t completed.
  • Campaigns used a “spray and pray” approach across diverse industries, affecting recipients in the U.S. and Australia.
  • Phishing messages often carry no text, hiding the content in images to bypass Secure Email Gateways; OCR-based detection is used by defenders like INKY.
  • Decoding the malicious QR code reveals a redirection chain to credential harvesting sites (rtsp1[.]com -> y7y[.]online) where fake credentials can be entered and captured.
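As an added example (not code from INKY's post), the following stand-alone Python heuristic flags the image-only email pattern described above: messages that carry image parts but almost no readable text, which is what lets them slip past text-based gateway rules. The character threshold and the sample message are constructed assumptions, not values from the report.

```python
import re
from email import message_from_string
from email.message import Message

# Assumed threshold: fewer readable characters than this, alongside an image, is suspicious.
MIN_VISIBLE_TEXT_CHARS = 40

def visible_text_length(msg: Message) -> int:
    """Count non-whitespace characters in text/plain and text/html parts (HTML tags stripped)."""
    total = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        if ctype == "text/html":
            text = re.sub(r"<[^>]+>", " ", text)
        total += len(re.sub(r"\s+", "", text))
    return total

def image_part_count(msg: Message) -> int:
    """Number of MIME parts whose major type is image (inline or attached)."""
    return sum(1 for p in msg.walk() if p.get_content_maintype() == "image")

def is_image_only_email(raw: str) -> bool:
    """True when the message carries at least one image but (almost) no readable text."""
    msg = message_from_string(raw)
    return image_part_count(msg) > 0 and visible_text_length(msg) < MIN_VISIBLE_TEXT_CHARS

# Constructed sample: the whole "body" is a single inline image reference.
SAMPLE_IMAGE_ONLY = """\
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><img src="cid:qr"></body></html>
--b1
Content-Type: image/png
Content-ID: <qr>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
```

A hit from this check is a triage signal to hand the image parts to OCR or QR decoding, not a verdict on its own.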

MITRE Techniques

  • [T1566] Phishing – The campaigns rely on email-based credential harvesting with image content and impersonation. ‘Use of image-based phishing tactic’
  • [T1566.001] Phishing: Spearphishing Attachment – Image-based phishing content embedded in an email attachment to mislead recipients. ‘Use of image-based phishing tactic’
  • [T1566.002] Phishing: Spearphishing Link – QR codes direct users to a credential-harvesting site via a redirected URL. ‘As part of the decoding, we changed the URL parameter to “[email protected]”… visited rtsp1[.][email protected]’
  • [T1036] Masquerading – Brand impersonation to make an email appear to originate from Microsoft or the recipient’s employer. ‘Brand impersonation — uses elements of a well-known brand to make an email look as if it came from that company.’
  • [T1056] Input Capture – The fake credential page accepted entered credentials during the phishing operation. ‘The Microsoft impersonation site accepted our fake credentials.’
  • [T1027] Obfuscated/Compressed Files and Information – Text is embedded in images, allowing the message to bypass text-based defenses. ‘no text… text is embedded in an image.’

Indicators of Compromise

  • [Domain] rtsp1[.]com – part of the redirection chain to a credential-harvesting site; used in the URL parameter.
  • [Domain] y7y[.]online – hosting a Microsoft credential harvesting site after redirection.
  • [Email] [email protected] – used as the URL parameter in the malicious QR code to prefill data.

Read more: https://www.inky.com/en/blog/fresh-phish-malicious-qr-codes-are-quickly-retrieving-employee-credentials