Receiving increasing number of phishing attempts mimicking Microsoft MFA QR Codes


Even though we are Microsoft 365 Defender customers for all our users (EMS + E3), we are receiving an increasing number of phishing attempts based on good-looking MFA connection requests.

Furthermore, these are based on QR codes, which can be used on a smartphone, where the security rules will be helpless against such attacks.

And these attempts are absolutely not filtered.

And the concern being: is there any way to escalate these alerts?

@MGessner did you check your service health notifications sent by Microsoft? Because Microsoft this week sent a status message in Service Health in the O365 portal that some users are receiving large amounts of spam messages from specific senders in Exchange Online.

@eliekarkafy ideally we should be able to alert on QR codes sent by unfamiliar (first contact) senders. While Microsoft boasts of Safe Links, too many of these are making it through.

@Robert Young Just checking, did anyone get an effective way to block these out?

@Babsvald currently the effective ways to protect against QR code phishing emails are:

  • Token Protection through Conditional Access
  • Network Protection in block mode in MDE for both endpoint and mobile devices (iOS/Android).
  • Threat analytics in M365D
  • Web content filtering in MDE to block parked/newly registered domains categories.
I think I am going to look at building a homegrown solution for scanning images for QR codes and building some rules around alerting on it (uncommon senders and from public email domains). Shouldn't be too difficult to do. Nice little side project.
While all the above is good practice, not allowing malicious QR codes through to begin with should be the focus. Much easier keeping the doors locked if we aren't handing out the keys.
Hi Robert,
I agree, it would be helpful if suspected malicious QR codes could be checked in a sandbox environment by Defender before the user gets to open them, similar to suspicious emails with malicious links. This way users will need to report not receiving them to IT Security who will check and take the necessary actions depending upon whether they are safe or not.
HELP!!! Who has a contact at Microsoft who can get us some business support? It's LEVEL FIVE ON FIRE bad. Locked out of the admin portal and it's been 3 days with no help from Microsoft. We cannot access emails, OneDrive... Nothing. I've tried everything. No department at Microsoft is willing to escalate a support ticket properly to the right department (which is usually created in the admin portal that we currently cannot access).
I don't get any forward MX resolution for mtb.biglobe.ne.jp, biglobe.ne.jp or ne.jp. Perhaps you want to quarantine anything from ne.jp that does not offer satisfactory DMARC? As always, test before implementing, and although JP is a problem there are many other sources to worry about; Uncle Joe [B] is our big problem at the moment.
It's getting way worse out there and Microsoft isn't doing anything about it. They are now using the QR codes to link users to an enterprise app, so the user simply signs in with their regular authentication, and then they ask the user to grant delegated permission to their email; if your tenant is left at the default setting, it will grant access to these hackers.

We really hope they do something about this soon

@MGessner 

Whilst I do not have an answer to proactively get these blocked, I have analyzed the IoAs and come up with a current method to try and detect these and get them actioned once they come through.

See below for my KQL query:

// Senders to allow-list (addresses that legitimately send QR images)
let Exclude = dynamic(['email address removed for privacy reasons','email address removed for privacy reasons','email address removed for privacy reasons']);
// Image formats observed carrying the QR lure
let images = dynamic(['png','jpeg','bmp','jpg']);
EmailAttachmentInfo
| where ingestion_time() > ago(7d)   // look-back window; align with the alert schedule
| where SenderFromAddress !in (Exclude)
| where FileName contains_cs "QR" and FileType in (images)   // contains_cs is case-sensitive
// Keep only inbound mail carrying 3 or more attachments
| join kind=inner ( EmailEvents | where AttachmentCount >= 3 and EmailDirection == "Inbound") on $left.NetworkMessageId == $right.NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, ReportId

The logic of this is based on my observation that the emails I've seen reported contain 3 attachments that are images, and the QR code image contains the text string "QR" and they are always an image format. They also contain at least 3 attachments, as each image is there to replace text (presumably to evade analysis in a sandbox).

So far it's giving me a good success rate, but it's not a silver bullet, so some forward tuning would be required to suit each environment.

Set this up as a custom alert to run on a schedule and configure the 'ingestion_time() > ago(7d)' to suit the frequency and avoid duplication of detections.

Hope it helps!
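The same heuristic as the KQL above, reimplemented in Python over constructed sample rows so the filters and the join can be run and tuned offline; this is an added example, not the poster's code, and the allow-list, image-type list and row values are assumed placeholders standing in for the real EmailAttachmentInfo/EmailEvents columns.

```python
from datetime import datetime, timedelta

# Mirrors the query's two lists; both are assumed values for this example.
EXCLUDE = {"helpdesk@example.com"}
IMAGE_TYPES = {"png", "jpeg", "bmp", "jpg"}

def detect_qr_phish(attachments, emails, now, lookback=timedelta(days=7)):
    """Rows are dicts keyed by the table columns used in the KQL; returns one
    projected tuple per matching attachment, as the inner join would."""
    # EmailEvents side of the join: inbound mail carrying >= 3 attachments
    inbound = {e["NetworkMessageId"]: e for e in emails
               if e["EmailDirection"] == "Inbound" and e["AttachmentCount"] >= 3}
    findings = []
    for a in attachments:
        if (a["IngestionTime"] <= now - lookback              # ingestion_time() > ago(7d)
                or a["SenderFromAddress"] in EXCLUDE           # SenderFromAddress !in (Exclude)
                or "QR" not in a["FileName"]                   # contains_cs is case-sensitive
                or a["FileType"].lower() not in IMAGE_TYPES):  # FileType in (images)
            continue
        e = inbound.get(a["NetworkMessageId"])                 # join kind=inner
        if e is not None:
            findings.append((e["Timestamp"], e["SenderFromAddress"], e["RecipientEmailAddress"],
                             e["Subject"], a["FileName"], e["ReportId"]))
    return findings

NOW = datetime(2023, 10, 1, 12, 0)   # fixed "now" so the sample is deterministic
def att(mid, days_ago, sender, name, ftype):   # EmailAttachmentInfo-like row
    return {"NetworkMessageId": mid, "IngestionTime": NOW - timedelta(days=days_ago),
            "SenderFromAddress": sender, "FileName": name, "FileType": ftype}

def mail(mid, sender, subject, count, direction, rid):   # EmailEvents-like row
    return {"NetworkMessageId": mid, "Timestamp": "2023-09-30T11:00", "SenderFromAddress": sender,
            "RecipientEmailAddress": "user@corp.example", "Subject": subject,
            "AttachmentCount": count, "EmailDirection": direction, "ReportId": rid}

# Constructed sample rows: one lure (m1), an allow-listed sender (m2), a
# single-image newsletter with lowercase "qr" (m3) and a stale row (m4).
ATTACHMENTS = [att("m1", 1, "billing@example.net", "QR_Auth.png", "png"),
               att("m1", 1, "billing@example.net", "logo.png", "png"),
               att("m2", 1, "helpdesk@example.com", "QR_badge.png", "png"),
               att("m3", 2, "news@example.org", "qr.jpg", "jpg"),
               att("m4", 9, "old@example.net", "QR_Auth.png", "png")]
EMAILS = [mail("m1", "billing@example.net", "MFA update", 3, "Inbound", "r1"),
          mail("m2", "helpdesk@example.com", "Badge", 3, "Inbound", "r2"),
          mail("m3", "news@example.org", "Newsletter", 1, "Inbound", "r3"),
          mail("m4", "old@example.net", "MFA update", 3, "Inbound", "r4")]

def run_sample():
    return detect_qr_phish(ATTACHMENTS, EMAILS, NOW)
```

Only the m1 lure survives all four filters and the join; widen the look-back or loosen the "QR" match here first when tuning, since those two are where the KQL will miss variants.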

@Robert Young

If you do this please post to GitHub, looks like there is some demand here. 🙂

I was considering doing the same but am also asking our MSFT rep: will this be a feature enhancement, or shall we go shopping for a 3rd-party product here that will?

So many people complaining. Don't you read the terms and conditions when you sign up?
Microsoft happens to have absolutely no obligation to help anyone on something not yet implemented, and there's nothing anyone outside of Microsoft can do about it, other than maybe migrating to something less intrusive and more user friendly.
Keep waiting for MS's help, good luck!

Enhancing Email Security: Proactive Measures

To mitigate unwanted emails, consider the following strategies:

Domain Blocking:
Implement domain blocking to restrict emails from specific domains, bolstering your defense against unwanted communication.

Anti-Spam Policies:
Develop and enforce robust anti-spam policies to systematically block undesired emails, fortifying your organization's email security.

Email Labeling:
Label non-organizational emails to streamline identification. This aids users in promptly recognizing and managing emails that fall outside the organizational scope.
