MGessner
Sep 22, 2023, Copper Contributor
Receiving increasing number of phishing attempts mimicking Microsoft MFA QR Codes
Even though we are MS 365 defender customers for all our users (EMS + E3) we are receiving an increasing number of phishing attempts based on good looking MFA connection requests. Furthermore these ...
Thortonne
Oct 02, 2023, Copper Contributor
MGessner
Whilst I do not have an answer to pro-actively get these blocked, I have analyzed the IoAs and come up with a current method to try and detect these and get them actioned once they come through.
See below for my KQL query:
let Exclude = dynamic(['email address removed for privacy reasons','email address removed for privacy reasons','email address removed for privacy reasons']); // known-good senders of legitimate QR/MFA mail
let images = dynamic(['png','jpeg','bmp','jpg']); // attachment extensions treated as images
EmailAttachmentInfo
| where ingestion_time() > ago(7d) // look-back window; match it to the alert schedule
| where SenderFromAddress !in (Exclude)
| where FileName contains_cs "QR" and FileType in (images) // contains_cs is case-sensitive: matches "QR", not "qr"
| join kind=inner (
    EmailEvents
    | where AttachmentCount >= 3 and EmailDirection == "Inbound"
  ) on $left.NetworkMessageId == $right.NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, ReportId
The logic of this is based on my observation that the emails I've seen reported contain 3 attachments that are images, and the QR code image contains the text string "QR" and they are always an image format. They also contain at least 3 attachments, as each image is there to replace text (presumably to evade analysis in a sandbox).
So far it's giving me a good success rate but it's not a silver bullet, so some forward tuning would be required to suit each environment.
Set this up as a custom alert to run on a schedule and configure the 'ingestion_time() > ago(7d)' to suit the frequency and avoid duplication of detections.
Hope it helps!
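The same detection logic as the KQL above, run over constructed sample rows so the filters (excluded senders, image-only QR file names, inbound mail with at least 3 attachments, join on NetworkMessageId) can be checked offline. This is an added example, not code from the thread or from Microsoft; the sender addresses, message ids and subjects are made up, and the case_sensitive switch is an added tuning knob for the contains_cs caveat.

```python
# Constructed sample rows (not real telemetry) using the column names of the
# Defender tables EmailAttachmentInfo and EmailEvents referenced in the KQL.
EXCLUDED_SENDERS = {"it-mfa@corp.example"}          # placeholder for the Exclude list
IMAGE_TYPES = {"png", "jpeg", "bmp", "jpg"}         # the images list from the query

EMAIL_ATTACHMENTS = [
    {"NetworkMessageId": "m1", "SenderFromAddress": "helpdesk@attacker.example",
     "RecipientEmailAddress": "alice@corp.example", "FileName": "QR_code.png", "FileType": "png", "ReportId": "r1"},
    {"NetworkMessageId": "m1", "SenderFromAddress": "helpdesk@attacker.example",
     "RecipientEmailAddress": "alice@corp.example", "FileName": "header.png", "FileType": "png", "ReportId": "r1"},
    {"NetworkMessageId": "m2", "SenderFromAddress": "it-mfa@corp.example",      # excluded, legitimate sender
     "RecipientEmailAddress": "bob@corp.example", "FileName": "QR_enroll.png", "FileType": "png", "ReportId": "r2"},
    {"NetworkMessageId": "m3", "SenderFromAddress": "vendor@partner.example",   # only one attachment
     "RecipientEmailAddress": "carol@corp.example", "FileName": "QR_menu.jpg", "FileType": "jpg", "ReportId": "r3"},
    {"NetworkMessageId": "m4", "SenderFromAddress": "news@partner.example",     # lowercase "qr": contains_cs misses it
     "RecipientEmailAddress": "dave@corp.example", "FileName": "qr.png", "FileType": "png", "ReportId": "r4"},
]
EMAIL_EVENTS = [
    {"NetworkMessageId": "m1", "Timestamp": "2023-09-22T09:14:00Z", "Subject": "Action required: MFA", "AttachmentCount": 3, "EmailDirection": "Inbound"},
    {"NetworkMessageId": "m2", "Timestamp": "2023-09-22T10:02:00Z", "Subject": "Enrol your authenticator", "AttachmentCount": 3, "EmailDirection": "Inbound"},
    {"NetworkMessageId": "m3", "Timestamp": "2023-09-22T11:30:00Z", "Subject": "Lunch menu", "AttachmentCount": 1, "EmailDirection": "Inbound"},
    {"NetworkMessageId": "m4", "Timestamp": "2023-09-22T12:45:00Z", "Subject": "Newsletter", "AttachmentCount": 4, "EmailDirection": "Inbound"},
]

def find_qr_phish(attachments, events, excluded=EXCLUDED_SENDERS, min_attachments=3, case_sensitive=True):
    """Return one hit per QR-named image attachment on an inbound mail with >= min_attachments."""
    # Right side of the join: inbound EmailEvents rows with enough attachments, keyed by NetworkMessageId
    events_by_id = {e["NetworkMessageId"]: e for e in events
                    if e["AttachmentCount"] >= min_attachments and e["EmailDirection"] == "Inbound"}
    hits = []
    for a in attachments:
        if a["SenderFromAddress"] in excluded:
            continue
        name = a["FileName"] if case_sensitive else a["FileName"].upper()
        if "QR" not in name or a["FileType"] not in IMAGE_TYPES:
            continue
        ev = events_by_id.get(a["NetworkMessageId"])   # inner join: drop attachments without a qualifying event
        if ev is None:
            continue
        hits.append({"Timestamp": ev["Timestamp"], "SenderFromAddress": a["SenderFromAddress"],
                     "RecipientEmailAddress": a["RecipientEmailAddress"], "Subject": ev["Subject"],
                     "FileName": a["FileName"], "ReportId": a["ReportId"], "NetworkMessageId": a["NetworkMessageId"]})
    return hits

if __name__ == "__main__":
    for hit in find_qr_phish(EMAIL_ATTACHMENTS, EMAIL_EVENTS):
        print(hit)
```

With the defaults only m1 is reported; passing case_sensitive=False also surfaces m4, which shows what loosening the contains_cs match would add (and why that needs tuning per environment).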