Forum Discussion
Is it possible to block emails containing QR CODE?
Microsoft urgently needs to add QR code detection into EXOP. The QR codes bypass essentially all existing protections. KQL queries like the one in this thread are no longer effective, as they rely on specific filename patterns and attackers have already adapted. EXOP should be able to detect QR codes and handle the URLs just like it handles any other links. There should also be an option to block all QR codes. Or perhaps replace QR code images with a SafeLinks HTML link.
This threat is not going away, and the current tools are not able to adequately mitigate it.
- ExMSW4319, Nov 17, 2023, Iron Contributor
Whilst we might like a SafeLinks facility that translates a QR code into a URL that is subject to the usual URL detonation tests (or even better, a header that we can hold our own counsel on) we will quite happily settle for a header that says "X-QR-code detected: true".
And when detecting that code, please don't assume black-on-white or some other two-tone color pairs; I already have psychedelic ripple-contrast codes dancing through my head; if the camera can read it, attackers will use it. I must have seen too many of the damnable things already.
- OzoVei, Nov 17, 2023, Copper Contributor
ExMSW4319 Agreed - at a basic level we need to know if a message contains a QR code or not. Detecting URLs, SafeLinks translation, etc. would be nice to have. Detecting if a QR code exists or not is essential.
Fancy-looking codes get much more crazy than just psychedelic colors - look up what people are doing with Stable Diffusion and QR codes. The good thing is, the whole point of QR codes is to be easily detectable. So, standard detection algorithms should do a pretty good job and keep compute resource requirements relatively low.
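To illustrate the presence check discussed in this thread, here is an added example (not posted by any participant and not Microsoft's implementation): a pure-Python scan for the 1:1:3:1:1 finder-pattern run ratio that thresholds on the image's own contrast, so it does not assume black-on-white. All function names are hypothetical, and the input is assumed to be an already decoded grayscale pixel grid.

```python
def runs(line):
    """Run-length encode a binarised line into (start, length) pairs."""
    out, start = [], 0
    for i in range(1, len(line) + 1):
        if i == len(line) or line[i] != line[start]:
            out.append((start, i - start))
            start = i
    return out

def finder_hits(line):
    """(centre, centre_run_len) for each 1:1:3:1:1 run sequence, either polarity."""
    r, hits = runs(line), []
    for k in range(len(r) - 4):
        lens = [n for _, n in r[k:k + 5]]
        unit = sum(lens) / 7.0  # a finder pattern is 7 modules wide
        if all(abs(n - w * unit) <= unit / 2 for n, w in zip(lens, (1, 1, 3, 1, 1))):
            start, n = r[k + 2]
            hits.append((start + n // 2, n))
    return hits

def count_finders(gray):
    """Count finder patterns confirmed both horizontally and vertically."""
    lo, hi = min(map(min, gray)), max(map(max, gray))
    if lo == hi:
        return 0
    mid = (lo + hi) / 2  # threshold from the image itself, not from "black"/"white"
    bits = [[px > mid for px in row] for row in gray]
    cols = list(zip(*bits))
    centres = set()
    for y, row in enumerate(bits):
        for x, _ in finder_hits(row):
            for cy, span in finder_hits(cols[x]):
                if abs(cy - y) <= span // 2:  # row crosses the vertical hit's centre
                    centres.add((x, cy))
    return len(centres)

def sample(dark, light, scale=3, modules=25, quiet=4):
    """Constructed input: the three finder patterns of an otherwise empty symbol."""
    n = modules + 2 * quiet
    grid = [[light] * n for _ in range(n)]
    for oy, ox in ((0, 0), (0, modules - 7), (modules - 7, 0)):
        for dy in range(7):
            for dx in range(7):
                if max(abs(dy - 3), abs(dx - 3)) != 2:  # ring 2 is the light gap
                    grid[quiet + oy + dy][quiet + ox + dx] = dark
    return [[grid[y // scale][x // scale] for x in range(n * scale)]
            for y in range(n * scale)]
```

A result of three confirmed finder patterns is the signal a mail filter could turn into a "QR code present" flag; rotated, distorted or artistically blended codes need a more tolerant detector than this axis-aligned scan.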