How Microsoft Defender for Office 365 innovated to address QR code phishing attacks

Over the last 12 months, the cybersecurity industry faced a significant surge in QR code phishing campaigns, with some attacks growing at a rate of 270% per month.1 A QR code (short for “Quick Response code”) is a two-dimensional barcode that can be scanned using a smartphone or other mobile device equipped with a camera. The codes can contain information like website URLs, contact information, product details, and more. They are most often used to take users to websites, files, or applications. But when bad actors exploit them, they can be used to mislead users into unwittingly compromising their credentials and data.

Unique characteristics of QR code phishing campaigns

As with other phishing techniques, the goal of QR code phishing attacks is to get the user to click on a malicious link that looks legitimate. They often use minimalistic emails to deliver malicious QR codes that prompt seemingly legitimate actions—like password resets or two-factor authentication verifications. A QR code can also be easily manipulated to redirect unsuspecting victims to malicious websites or to download malware in exactly the same way as URLs.


Figure 1. QR code as an image within the email body redirecting to a malicious website.

The traditional warning signs users might notice on larger screens can often go unnoticed on mobile devices. While the tactics, techniques, and procedures (TTPs) vary depending on which bad actor is at work, Microsoft Defender for Office 365 has detected a key set of patterns in QR code phishing attacks, including but not limited to:

  • URL redirection, where a click or tap takes you not where you expected, but to a forwarded URL.
  • Minimal to no text, which reduces the signals available for analysis and machine learning detection.
  • Exploiting a known or trusted brand, using its familiarity and reputation to increase the likelihood of interaction.
  • Exploiting known email channels that trusted, legitimate senders use.
  • A variety of social lures, including multifactor authentication, document signing, and more.
  • Embedding QR codes in attachments.
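
The patterns listed above translate directly into message-level detection signals. The following Python is an added example written for this article, not code from Microsoft Defender for Office 365: it assumes the QR images have already been decoded into URLs by an upstream barcode library (the decoding step is not shown), then scores the redirection, minimal-text, brand-lookalike, attachment and social-lure signals over two constructed sample messages. The brand list, the word threshold and the `.example.test` hosts are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse

# Constructed policy data for this example, not a product configuration.
PROTECTED_BRANDS = ("microsoft", "office365", "docusign")
TRUSTED_BRAND_DOMAINS = {"microsoft.com", "office.com", "docusign.com"}
MIN_BODY_WORDS = 25  # below this, the text offers little for analysis
LURE_PATTERN = re.compile(
    r"\b(mfa|multi-?factor|two-?factor|authenticat\w*|docusign|signature|password|verify)\b",
    re.IGNORECASE)


@dataclass
class Message:
    body_text: str
    qr_urls: list             # URLs decoded from QR images in the body
    attachment_qr_urls: list  # URLs decoded from QR images inside attachments


def unwrap_redirect(url, max_depth=5):
    """Statically follow redirector-style URLs (a query value that is itself a URL).
    Returns the chain from the original URL to the one finally visited; no network I/O."""
    chain = [url]
    for _ in range(max_depth):
        nested = None
        for values in parse_qs(urlparse(chain[-1]).query).values():
            candidates = [unquote(v) for v in values]
            nested = next((c for c in candidates
                           if c.lower().startswith(("http://", "https://"))), None)
            if nested:
                break
        if nested is None:
            break
        chain.append(nested)
    return chain


def brand_lookalike(host):
    """A protected brand name inside a host that is not one of the brand's own domains.
    The 'last two labels' check is a rough stand-in for a public suffix list lookup."""
    labels = host.lower().split(".")
    if ".".join(labels[-2:]) in TRUSTED_BRAND_DOMAINS:
        return False
    flattened = host.lower().replace("-", "").replace("_", "")
    return any(brand in flattened for brand in PROTECTED_BRANDS)


def triage(msg):
    """Return the signals found, the final hosts the QR codes lead to, and a verdict."""
    signals = set()
    urls = list(msg.qr_urls) + list(msg.attachment_qr_urls)
    final_hosts = []
    for url in urls:
        chain = unwrap_redirect(url)
        if len(chain) > 1:
            signals.add("url_redirection")
        final_hosts.append(urlparse(chain[-1]).hostname or "")
    if urls and len(msg.body_text.split()) < MIN_BODY_WORDS:
        signals.add("minimal_text")
    if any(brand_lookalike(h) for h in final_hosts):
        signals.add("brand_lookalike")
    if msg.attachment_qr_urls:
        signals.add("qr_in_attachment")
    if urls and LURE_PATTERN.search(msg.body_text):
        signals.add("social_lure")
    verdict = "block" if len(signals) >= 2 else ("review" if signals else "allow")
    return {"signals": sorted(signals), "final_hosts": final_hosts, "verdict": verdict}


# Constructed sample messages; the .test TLD is reserved and never resolves.
SAMPLE_PHISH = Message(
    body_text="Scan to complete your multi-factor authentication setup.",
    qr_urls=["https://redirect.example.test/go?u=https%3A%2F%2Fmicrosoft-login-verify.example.test%2Fauth"],
    attachment_qr_urls=[])
SAMPLE_BENIGN = Message(
    body_text=("Thank you for registering for our regional partner event next month. The attached "
               "agenda lists each session, speaker, and room. Scan the code below to download the "
               "calendar invitation and venue map to your phone."),
    qr_urls=["https://www.microsoft.com/events/registration"],
    attachment_qr_urls=[])
```

Calling `triage(SAMPLE_PHISH)` returns a `block` verdict with all four of redirection, minimal text, brand lookalike and social lure set, while `triage(SAMPLE_BENIGN)` returns `allow`; the redirect is unwrapped without any network request, which is what lets the check run at mail-flow time before the message reaches an inbox.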

The impact of QR code phishing campaigns on the broader email security industry

With the most common intent of QR code phishing being credential theft, malware distribution, or financial theft, QR code campaigns are often massive (exceeding 1,000 users) and follow targeted information-gathering reconnaissance by bad actors.2

Microsoft security researchers first started noticing an increase in QR code-based attacks in September 2023. We observed attackers quickly morphing their techniques in two key ways: first by manipulating the way the QR code rendered (such as different colors and tables), and second by manipulating the embedded URL to perform redirection.

The dynamic nature of QR codes made it difficult for traditional email security mechanisms, which were designed for link-based phishing techniques, to effectively filter and protect against these types of cyberattacks. A key reason was that extensive image content analysis was not commonly performed for every image in every message, and did not represent a standard in the industry at the time of the surge.

As a result, for several months our customers saw an increase in bad email that contained malicious QR codes while we were adapting and evolving our technology to be effective against QR codes. This was a challenging time for our customers and those of other email security vendors. We added incremental resources and redirected all our engineering energy to address these issues, and along the way not only delivered new technological innovations but also changed our processes and modernized parts of our pipeline to be more resilient in the future. Now that these challenges have been addressed through a key set of innovations, we want to share our learnings and technology advancements moving forward.

For bad actors, QR code phishing has become a lucrative business, and attackers are using AI and large language models (LLMs) like ChatGPT to increase the speed and improve the believability of their attacks. Recent research by Insikt Group noted that bad actors can generate 1,000 phishing emails in under two hours for as little as $10.3 For the security industry, this necessitates a multifaceted response including improved employee training and a renewed commitment to innovation.

The necessity of innovation in QR code phishing defense

Innovation in the face of the evolving QR code phishing threat is not just beneficial, it is imperative. As cybercriminals continually refine their tactics to exploit new technologies, security solutions must evolve at the same pace to remain effective. In response to the growing threat of QR code phishing, Microsoft Defender for Office 365 took decisive action to leverage advanced machine learning and AI—creating robust defenses capable of detecting and neutralizing QR code phishing attacks in real time. Our team meticulously analyzed these cyberthreats across trillions of signals, gaining valuable insights into their mechanisms and evolving patterns. This knowledge helped us refine our security protocols and enhance our platform’s resilience with several strategic updates. As the largest email security provider, we have seen a significant decline in QR code phishing attempts. At the peak, Defender for Office 365 was blocking 3 million attempts daily, and with the delivery of innovative protection we have seen this number shrink to 200,000 QR code phishing attempts every day. That is testament that our innovation is having the desired effect: reducing the effectiveness of QR code-based attacks and forcing attackers to shift their tactics.


Figure 2. QR code phishing blocked by Microsoft Defender for Office 365.

Recent innovations and protections we have implemented and improved within Microsoft Defender for Office 365 to help combat QR code phishing include:

  • URL extraction enhancements: Microsoft Defender for Office 365 has improved its capabilities to extract URLs from QR codes, significantly boosting the system’s ability to detect and counteract phishing links hidden within QR images. This enhancement allows a more thorough analysis of potential cyberthreats embedded in QR codes. In addition, we now extract metadata from QR codes, which enriches the contextual data available during threat assessments, enhancing our ability to detect suspicious activities early in the attack chain.
  • Advanced image processing: Advanced image processing techniques at the initial stage of the mail flow process allow us to extract and log URLs hidden within QR codes. This proactive measure disrupts attacks before they have a chance to compromise end user inboxes, addressing cyberthreats at the earliest possible point.
  • Advanced hunting and remediation: To provide a comprehensive response to QR code threats across email, endpoint, and identities with our advanced hunting capabilities, security teams across organizations are well equipped to specifically identify and filter out malicious activities linked to these codes.
  • User resilience against QR code phishing: To further equip our community against these emerging threats, Microsoft Defender for Office 365 has expanded its advanced capabilities to include QR code threats, maintaining alignment with email platforms and specific cyberattack techniques. Our attack simulation training systems, including standard setup of user selection, payload configuration, and scheduling, now have specialized payloads for QR code phishing to simulate authentic attack scenarios.
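
The hunting and remediation item above depends on the URLs logged from QR codes at mail-flow time being correlated back to message events, so that a campaign shows up as one lure host reaching many recipients rather than as scattered single messages. The following Python is an added example written for this article, not Defender for Office 365's query language, schema or code: it emulates the email-side part of such a hunt over constructed telemetry. The record layout (`id`, `sender`, `recipient`, `action`, `location`), the `qr_code` location label, the recipient threshold and the `.example.test` hosts are all assumptions made for the illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed threshold for the sample data below; a real hunt would tune this to the tenant.
CAMPAIGN_RECIPIENT_THRESHOLD = 50


def build_sample_telemetry():
    """Constructed email telemetry: one row per message (events) and one per URL seen in it (urls).
    'location' says where the URL came from; only 'qr_code' rows are URLs decoded from QR images."""
    events, urls = [], []
    # A campaign: 120 distinct recipients, one lure host, QR code decoded from the body.
    for i in range(120):
        mid = f"msg-campaign-{i}"
        events.append({"id": mid, "sender": "notices@vendor-portal.example.test",
                       "recipient": f"user{i}@contoso.test",
                       "action": "Delivered" if i % 4 else "Blocked"})
        urls.append({"id": mid, "url": f"https://mfa-reset.example.test/s/{i}", "location": "qr_code"})
    # Legitimate bulk mail: many recipients, but the URL is an ordinary body link, not a QR code.
    for i in range(200):
        mid = f"msg-newsletter-{i}"
        events.append({"id": mid, "sender": "news@partner.example.test",
                       "recipient": f"user{i}@contoso.test", "action": "Delivered"})
        urls.append({"id": mid, "url": "https://partner.example.test/march-update", "location": "body"})
    # A few one-off QR codes to different hosts: well below the campaign threshold.
    for i in range(3):
        mid = f"msg-single-{i}"
        events.append({"id": mid, "sender": f"person{i}@example.test",
                       "recipient": "alice@contoso.test", "action": "Delivered"})
        urls.append({"id": mid, "url": f"https://site{i}.example.test/menu", "location": "qr_code"})
    return events, urls


def hunt_qr_campaigns(events, urls, threshold=CAMPAIGN_RECIPIENT_THRESHOLD):
    """Join QR-decoded URLs to their message events and group by lure host.
    Returns the hosts whose QR codes reached at least `threshold` distinct recipients."""
    by_id = {e["id"]: e for e in events}
    per_host = defaultdict(lambda: {"recipients": set(), "senders": set(), "delivered_ids": []})
    for u in urls:
        if u["location"] != "qr_code":
            continue
        event = by_id.get(u["id"])
        host = urlparse(u["url"]).hostname
        if event is None or host is None:
            continue
        stats = per_host[host]
        stats["recipients"].add(event["recipient"])
        stats["senders"].add(event["sender"])
        if event["action"] == "Delivered":
            stats["delivered_ids"].append(event["id"])
    hits = []
    for host, stats in per_host.items():
        if len(stats["recipients"]) >= threshold:
            hits.append({"host": host, "recipients": len(stats["recipients"]),
                         "senders": sorted(stats["senders"]),
                         "delivered_ids": sorted(stats["delivered_ids"])})
    return sorted(hits, key=lambda h: -h["recipients"])


def remediation_targets(hits):
    """Message ids that were delivered as part of a flagged campaign: the ones a responder
    would remove from inboxes after confirming the verdict (the campaign's blocked copies need no action)."""
    return sorted(mid for h in hits for mid in h["delivered_ids"])
```

On the constructed data, `hunt_qr_campaigns` flags only `mfa-reset.example.test` (120 recipients from a single sender), ignores the 200-recipient newsletter because its link was not in a QR code, and leaves the three one-off codes below threshold; `remediation_targets` then yields the 90 delivered campaign messages. Grouping by the host the QR code resolves to, rather than by sender, is what keeps the hunt useful when a campaign abuses several legitimate sending channels at once.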

Read more technical details on how to hunt and respond to QR code-based attacks. By integrating all these capabilities across the Microsoft Defender XDR platform, we can help ensure any QR code-related threats identified in emails are thoroughly analyzed in conjunction with endpoint and identity data, creating a robust security posture that addresses threats on multiple fronts.

Staying ahead of the evolving threat landscape

The enhancements of Microsoft Defender for Office 365 to defend against QR code-based phishing attacks showcased our need to advance Microsoft’s email and collaboration security faster. The rollout of the above has closed this gap and made Defender for Office 365 effective against these attacks, and as the use of QR codes expands, our defensive tactics will now advance equally to combat them.

Our continuous investment in analyzing the cyberthreat landscape, learning from past gaps, and our updated infrastructure will enable us to effectively address current issues and proactively handle future risks faster as threats emerge across email and collaboration tools. We will soon be sharing more exciting innovation that will showcase our commitment to delivering the best email and collaboration security solution to customers.

For more information, view the data sheet on defending against QR code phishing or visit the website to learn more about Microsoft Defender for Office 365.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1 Attackers Weaponizing QR Codes to Steal Employees Microsoft Credentials, Cyber Security News. August 22, 2023.

2 Hunting for QR Code AiTM Phishing and User Compromise, Microsoft Tech Community. February 12, 2024.

3 Security Challenges Rise as QR Code and AI-Generated Phishing Proliferate, Recorded Future. July 18, 2024.