Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Is it possible to block emails containing QR CODE?

Copper Contributor

Is it possible to block emails containing QR CODE?

24 Replies

@lucanz73 Emails containing QRcodes are phishing emails. means you need to configure the anti-phishing policy in MDO and those emails will automatically be detected as anti-phishing and you can decide whether to reject them or quarantine them.

A typical QR code attack consists of personalised images of QR codes each with unique hashes. How is reporting that going to help, other than identifying the source? There isn't a policy or MFR that will react to the general presence of a QR code, is there?

Wait! I know - we can block www.bing.com/ck/a? [one of our most common QR referrals] - that won't cause any problems, will it?

Tip: do check how active www.bing.com/ck/a? is on your inflow before acting on this post.
It must be possible to create a feature in the Microsoft Defender that via AI scannes the images imbedded in the incomming mails and actually follows the QR code with the malicious link in a sort of Sandbox, before it reaches the inbox?

@KarstenV59 

  • Consider using config analyzer and preset security policies to ensure you always have the latest and greatest protection settings on for your organization.
  • You should configure your mobile device policies to use Network Protection and Smart Screen supported browsers (such as Microsoft Edge) to extend protection to your mobile devices against the malicious URLs embedded in the QR Codes.
  • We strongly recommend using multi-factor authentication and conditional access to help secure organizational accounts from credential theft.
Thank you for the reply, and yes we have all that in place, but still the "Quishing" mails are in some cases go through as they are designet with the intend to bypass those features/policies, as i tryed to mention, the mails are designed with an image imbedded in the body, that image is then a pigture of a QR code, this is just one way they can avoid detection by antiphishing, and i do not see any resolutions from MS side remidiate this.

@KarstenV59 @lucanz73 

You can create a custom detection rule on Microsoft Defender to act on possible Quishing emails, setup actions to delete the mails or move them to junk (preferable cos of possible false positives)

 

let image_extensions = dynamic(["jpg", "jpeg", "png", "bmp", "gif"]);

 EmailAttachmentInfo  

 | where Timestamp > ago(1h) 
 | where FileType in (image_extensions)
 | where FileName matches regex "^[A-Z0-9]{9,10}\\.[A-Za-z0-9]+$" 
 | where SenderFromAddress !contains "Org domain" //Exclude your corporate domain 
 | where RecipientObjectId != "" 
 | join EmailEvents on NetworkMessageId  
 | where not (EmailDirection has_any ("Intra-org", "Outbound")) 
 | where DeliveryAction != "Blocked" 
 | where DeliveryAction != "Junked" 
 | where not(LatestDeliveryLocation has_any ("Quarantine", "Delete"))

 

 

Other email security vendors are already doing this.
Yes and that is why i describe the situation as i have seen this being handled by other vendors already as you say.
Hi, I've tried to implement this but I keep having an error in the first ' | ' before the " where Timestamp", this error "the incomplete fragment is unexpected(KS198)"

Microsoft urgently needs to add QR code detection into EXOP. The QR codes bypass essentially all existing protections. KQL queries like the one in this thread are no longer effective, as they rely on specific filename patterns and attackers have already adapted. EXOP should be able to detect QR codes and handle the URLs just like it handles any other links. There should also be an option to block all QR codes. Or perhaps replace QR code images with a SafeLinks HTML link.

 

This threat is not going away, and the current tools are not able to adequately mitigate it.

Whilst we might like a SafeLinks facility that translates a QR code into a URL that is subject to the usual URL detonation tests (or even better, a header that we can hold our own council on) we will quite happily settle for a header that says "X-QR-code detected: true".

And when detecting that code, please don't assume black-on-white or some other two-tone color pairs; I already have psychedelic ripple-contrast codes dancing through my head; if the camera can read it, attackers will use it. I must have seen too many of the damnable things already.

@ExMSW4319Agreed - at a basic level we need to know if a message contains a QR code or not. Detecting URLs, safelinks translation, etc would be nice to have. Detecting if a QR code exists or not is essential.

 

Fancy look codes gets much more crazy than just psychedelic colors - look up what people are doing with stable diffusion and QR codes. The good thing is, the whole point of QR codes is to be easily detectable. So, standard detection algorithms should do a pretty good job and keep compute resource requirements relatively low.

Microsoft did discuss this during their MDO roadmap call, and have implemented new controls to better detect and remediate QR code phishing. It's not perfect, but I was glad to hear they are taking the threat seriously and treating as a major incident that needed attention.

@KD8AVA404  Can I ask for a link of their MDO? Thanks

@eliekarkafy 

 

We have implemented all the required policies but still such email are being delivered to users. 

 

What all other things should be implemented in MDO and MDE I saw your post saying we can implement the below controls from MDO and MDE. 

 

Link Here:  https://techcommunity.microsoft.com/t5/microsoft-defender-xdr/recieving-increasing-number-of-phishin... 

 

VinodS2020_0-1701945777314.png

 

 

 

@VinodS2020 Hi now the QR detection is enabled by default in MDO now and any QR code phishing emails should be detected automatically by MDO now 

@eliekarkafy 

 

Can we see that settings or configurations in MDO? Also do we need to implement or deply below policies or not required? 

 

  • Token Protection through Conditional Access 
  •  Network Protection in block mode in MDE for both endpoint and mobile devices (iOS/ Android).
  •  threat analytics in M365D
  • Web content filtering in MDE to block parked/ newly registered domains categories. 

 

no nothing is required , its enabled by default in MDO