Protect your organizations against QR code phishing with Defender for Office 365
Published Dec 12 2023 12:12 PM 54.3K Views

QR code phishing campaigns have most recently become the fastest growing type of email-based attack. These types of attacks are growing and embed QR code images linked to malicious content directly into the email body, to evade detection. They often entice unwitting users with seemingly genuine prompts, like a password reset or a two-factor authentication request. Microsoft Defender for Office 365 is continuously adapting as threat actors evolve their methodologies. In this blog post we’ll share more details on how we’re helping defenders address this threat and keeping end-users safe.

What is a QR Code?

A QR code (short for "Quick Response code") is a two-dimensional barcode that can be scanned using a smartphone or other mobile device equipped with a camera. QR codes can contain various types of information, such as website URLs, contact information, product details, and more. They are most commonly used for taking users to websites, files, or applications. The easiest way to think about a QR code is to treat it just as you would a URL.



For example, when this QR code is scanned it will redirect you to the Defender for Office 365 product page.


QR Code Phishing on the Rise

Over the last few years QR Codes have seen a rise in popularity in legitimate use scenarios, in part due to COVID. You have probably seen them in restaurants, parking lots, and marketing. In 2022, The Federal Bureau of Investigation raised awareness about cybercriminals tampering with QR codes to steal financial funds from victims. And while until very recently QR Code phishing attacks were relatively rare, around mid-September 2023, Microsoft Security Research & Threat Intelligence observed a significant increase in phishing attempts related to QR-codes. Our telemetry showed a 23% increase in attacks using this exploit within one week alone.

So why use QR codes for phishing?
QR Codes present a unique challenge for security providers as they appear as an image during mail flow and are unreadable until rendered. Once the QR Code is rendered (what the human eye sees) it can then be scanned/processed for further analysis.

QR codes are used in phishing attacks for mainly two reasons:

  1. They move the attack away from well-protected corporate environments and onto the victim’s personally owned mobile device, which may be less secure.
  2. They leverage the most common credential theft vector which is the uniform resource locator (URL).


A QR code can be easily manipulated to redirect unsuspecting victims to malicious websites or to download malware in exactly the same way as URLs, only by putting the URL in a more difficult-to-detect location. Adversaries craft QR codes to look legitimate, for example a message coming from an IT Administrator, and when scanned will ask the user to verify their account via their credentials or download a malicious file onto the user's device. This is becoming more common as the constrained screen size of mobile devices can make warning signs of phishing attacks difficult for users to recognize.

The multiple layers of tactics, techniques and procedures (TTPs) reveal various patterns of QR Code Phishing messages seen by Defender for Office 365. This includes but is not limited to:

  • URL redirection
  • Minimal to no text (reducing signals for ML detection)
  • Abuse of known brands
  • Abuse of sending infrastructure known for sending legitimate emails
  • A variety of social lures including 2 factor auth, document signing, and more
  • Embedding QR codes in attachments


A few examples below:


QR Codes are embedded as inline images within email body
In the example below, the QR code is embedded inline within the body of the email, which when scanned redirects the user to a phishing website attempting to gather their credentials.


Figure 1: QR code as an image within email body redirecting to a malicious website.Figure 1: QR code as an image within email body redirecting to a malicious website.

QR Code within an image in the email body
In the example below, the QR code is placed inside an image embedded inline within the body of the email.  


Figure 2: QR code inside of an image within email body attempting to redirect to a malicious website.Figure 2: QR code inside of an image within email body attempting to redirect to a malicious website.

QR Code as an image in an attachment
In the example below, the QR code is embedded inside an attachment that is a PDF, which when scanned redirects the user to a phishing website attempting to gather their credentials.


Figure 3: QR code as an image within an attachment sent via email attempting to redirect to a phishing website.Figure 3: QR code as an image within an attachment sent via email attempting to redirect to a phishing website.

*The QR codes displayed in the examples above originally redirected to malicious websites. Note: they have been replaced to redirect to a legitimate website to prevent users who scan them from being a victim of phishing.


How Defender for Office 365 detects QR Code phishing

Given these attack techniques, it is clear that QR code phishing is functionally identical to credential harvesting. Let’s take a closer look at how Defender for Office 365 protects against them. The below detection capabilities are available in Exchange Online Protection & Microsoft Defender for Office 365 licenses. Based on the specific license, the checks will vary as mentioned below.


Image Detection

With advanced image extraction technologies, Defender for Office 365 and Exchange Online Protection detects a QR Code in a message inline during mail flow. The system extracts URL metadata from a QR Code and feeds that signal into our existing threat protection and filtering capabilities for URLs. By using these signals, the underlying URL can also be sent to a sandbox environment for detonation and the malicious threats are proactively identified and blocked before they reach a user’s mailbox.


Threat Signals

Defender for Office 365 and Exchange Online Protection uses a variety of mail flow signals to determine and act on a message. Essentially, no single input determines the final classification of an email. It is always a composite of several signals to construct a robust context. The QR Code signal is used in combination with sender intelligence, message headers, recipient details, content filtering, and the relationships shared between them are fed into machine learning algorithms to produce the highest quality verdict as the context permits.


URL Analysis

The URLs extracted from QR Codes are analyzed by machine learning models, checked against both internal and external sources of reputation and for Microsoft Defender for Office 365 Plan 1 / Plan 2 licenses are sandboxed for further investigation as needed to assess the risk for detonation.


Heuristics-based Rules

Microsoft also deploys heuristic rules within Defender for Office 365 and Exchange Online Protection to reason over and block malicious messages. This capability constitutes one of our most flexible and fastest moving mitigations, and it is used extensively to mitigate attack patterns as they morph day to day during major campaigns such as the QR Code phishing.


Microsoft Defender for Office 365 blocks QR Code Phishing at Scale

Here are a few datapoints that help put this strategy into perspective:

  • With the power of existing capabilities and robust tools we have built, many heuristics-based rules were released within minutes leading to ~1.5 million QR code phishing blocked in email body per day in the last several months! As the attack patterns evolve, new rules continue to get released and refined as needed.
  • The advanced detection technologies built to extract QR code related metadata (URL and text), have scanned more than 200 million unique URLs on average weekly, out of which more than 100 million came from QR codes.
  • Our advanced detection technologies have blocked more than 18 million unique phishing emails containing a QR code image in the email body on average weekly and around 3 million unique QR code phishing emails per day.
  • QR code phishing protection includes Commercial as well as Consumer emails. More than 96% of these are QR code phishing blocked by our technologies in Enterprise alone.

Figure 4: QR code phishing blocked by Microsoft Defender for Office 365Figure 4: QR code phishing blocked by Microsoft Defender for Office 365

We continually track threat actor activity and evolve our detections to combat new and evolving techniques and patterns.


What can you do to stay protected?

Extended Detection and Response (XDR): Microsoft Defender XDR provides comprehensive defense against advanced threats like QR code phishing, offering end-to-end protection with unified detection, investigation, and response experience. With native integration across endpoints, hybrid identities, email, collaboration tools, and cloud applications, XDR enables centralized visibility, powerful analytics, and automatic attack disruption against even the most sophisticated malicious actors. QR code phishing often targets account identities through adversary-in-the-middle (AiTM) attacks, intercepting credentials and session cookies. Attacks like these can be effectively disrupted by Microsoft Defender XDR, thanks to its holistic approach to detection. By correlating signals across products into high-fidelity detections, Defender XDR disrupts attacks early, limiting their impact and progression, and safeguarding organizations before they can cause widespread damage.


Endpoint Protection: Users scan QR codes using their mobile devices, opening the embedded URL in the device web browser. Microsoft Defender for Endpoint on Android and iOS includes anti-phishing capabilities that also apply to QR code phishing attacks, blocking phishing sites from being accessed. Microsoft Defender for Endpoint also provides protection against malware that may be downloaded or installed through the URL link.


End-User Training: Defender for Office 365 customers can use Attack Simulation Training to educate their end users by simulating real-world phishing attacks and other types of cyber threats. This training can help users recognize the signs of a phishing attack, such as suspicious emails or links, and can teach them how to respond appropriately to these threats. Attack Simulation Training can also provide users with feedback and guidance on how to improve their security practices, such as by enabling multi-factor authentication. By using Attack Simulation Training, organizations can help their end users become more aware of potential threats and better equipped to protect themselves and their organization against cyberattacks. Use training modules to train your users to be more resilient against QR code based phishing attacksIn order to participate in a Private Preview for QR code-based simulations using Attack Simulation Training, please join our Customer Connection Program and sign up for the preview slated for CY24Q1.


Protection beyond QR code phishing with Defender for Office 365

The rise of QR code phishing is part of a larger technique shift carried out by threat actors to leverage images as part of social engineering tactics in order to bypass Enterprise Security defenses. Our recent QR code phishing detection capabilities are only a part of a larger robust solution to defend against varied forms of image-based attacks. This includes QR codes, bar codes, brand logos etc.

It's important to be cautious when scanning QR codes from unknown sources and to always verify the legitimacy of the email and its contents before taking any action.  To learn more, check out an episode on QR code protection from November 27th PST on our virtual ninja show.

On a periodic basis, be sure to review the configuration settings within your organization’s policies, manage and monitor the priority accounts within the organizations as such, review any mail flow rules you might have added to maintain a secure posture. Further, use step-by-step guides to help you quickly configure anti-malware policies, anti-phishing policies, safe attachments and much more. Remember that it is possible for attackers to weaponize content or URL even after the delivery of a message. Therefore, it is highly recommended to use the submissions workflow to submit the false positive or false negative samples to Microsoft for further analysis and help the system automatically learn the patterns from the submissions.


Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.

Version history
Last update:
‎Jan 19 2024 01:51 PM
Updated by: