Forum Discussion

lucanz73's avatar
lucanz73
Copper Contributor
Sep 28, 2023

Is it possible to block emails containing QR CODE?

Is it possible to block emails containing QR CODE?
KarstenV59's avatar
KarstenV59
Brass Contributor
Oct 13, 2023
It must be possible to create a feature in the Microsoft Defender that via AI scannes the images imbedded in the incomming mails and actually follows the QR code with the malicious link in a sort of Sandbox, before it reaches the inbox?
elieelkarkafi's avatar
elieelkarkafi
MVP
Oct 13, 2023

KarstenV59 

  • Consider using config analyzer and preset security policies to ensure you always have the latest and greatest protection settings on for your organization.
  • You should configure your mobile device policies to use Network Protection and Smart Screen supported browsers (such as Microsoft Edge) to extend protection to your mobile devices against the malicious URLs embedded in the QR Codes.
  • We strongly recommend using multi-factor authentication and conditional access to help secure organizational accounts from credential theft.
  • KarstenV59's avatar
    KarstenV59
    Brass Contributor
    Oct 13, 2023
    Thank you for the reply, and yes we have all that in place, but still the "Quishing" mails are in some cases go through as they are designet with the intend to bypass those features/policies, as i tryed to mention, the mails are designed with an image imbedded in the body, that image is then a pigture of a QR code, this is just one way they can avoid detection by antiphishing, and i do not see any resolutions from MS side remidiate this.
    • lynksam's avatar
      lynksam
      Copper Contributor
      Oct 13, 2023

      KarstenV59 lucanz73 

      You can create a custom detection rule on Microsoft Defender to act on possible Quishing emails, setup actions to delete the mails or move them to junk (preferable cos of possible false positives)

       

      let image_extensions = dynamic(["jpg", "jpeg", "png", "bmp", "gif"]);

 EmailAttachmentInfo  

 | where Timestamp > ago(1h) 
 | where FileType in (image_extensions)
 | where FileName matches regex "^[A-Z0-9]{9,10}\\.[A-Za-z0-9]+$" 
 | where SenderFromAddress !contains "Org domain" //Exclude your corporate domain 
 | where RecipientObjectId != "" 
 | join EmailEvents on NetworkMessageId  
 | where not (EmailDirection has_any ("Intra-org", "Outbound")) 
 | where DeliveryAction != "Blocked" 
 | where DeliveryAction != "Junked" 
 | where not(LatestDeliveryLocation has_any ("Quarantine", "Delete"))

       

      • rhotrix's avatar
        rhotrix
        Copper Contributor
        Nov 08, 2023
        Hi, I've tried to implement this but I keep having an error in the first ' | ' before the " where Timestamp", this error "the incomplete fragment is unexpected(KS198)"

Resources