Microsoft Defender for Office 365 Blog

Improve end user resilience against QR code phishing

VipulPandey
Sep 10, 2024

QR codes are gaining popularity as an easy way to access information about services and products. While QR codes are often used as convenient shortcuts, cybercriminals can also use them to trick users into scanning a code that exposes them to risk. Understanding the dangers of QR codes, such as being redirected to a fake website or downloading malware, is crucial. Education enables users to check whether a QR code is genuine, examine the destination URL, and use a reliable app for scanning. In the ongoing fight against phishing, informed end users become an important line of defense, preventing possible threats and strengthening their organization's resilience.

Recently, we have observed a new trend in phishing campaigns that leverage QR codes embedded in emails to evade detection and trick users into visiting malicious links. To help our customers defend against this emerging threat, Microsoft Defender for Office 365 has introduced several enhancements to its prevention capabilities that can detect and block QR code-based attacks. Check out this blog to learn more about QR codes and how Defender for Office 365 is protecting end users against such attacks: Protect your organizations against QR code phishing with Defender for Office 365


We also introduced several enhancements to the investigation, hunting, and response capabilities of Defender for Office 365 to help security teams hunt for and respond to such threats. Read more about these enhancements here: Hunting and responding to QR code-based phishing attacks with Defender for Office 365


In addition to prevention, detection, and investigation capabilities, we are excited to share that Microsoft Defender for Office 365 has also made several updates to its simulation and training features.


As part of the simulation enhancements, you can now:

  1. Run a simulation with QR codes and track user response
  2. Use out-of-the-box global payloads and create a custom payload with QR codes
  3. Use training content delivered through video modules and how-to guides

Running a simulation

There is no change in running a simulation. The current flow which involves selection of users, selection of payload, scheduling training, and notifications is also applicable for QR code-based simulations. Within simulations, you can select payloads with QR codes and use them for simulation.


Currently, configuring payloads with QR codes and using those payloads in a simulation is supported on the Email platform and for the attack techniques listed below. Support for the Teams platform and for the Link in Attachment and Attachment Malware techniques will follow later.

  1. Credential harvest
  2. Link to malware 
  3. Drive by URL
  4. OAuth consent grant


Because a QR code is simply another vector for the phishing URL, the user events around read, delete, compromise, and click remain the same: if a user navigates to the URL after scanning the QR code, it is tracked as a click event. The existing mechanisms for tracking compromise, delete, and report events are unchanged.

Global and Tenant Payloads

Global payloads

Our payload library now includes 75 payloads in five languages, covering a range of real-world QR code attack scenarios. These payloads can be found under Content Library > Global Payloads; each name begins with "QR code payloads" (for example, QR code payloads: Prize Winner Notification). You can locate them by typing "QR" in the search bar.

Before using these payloads in your simulations, we advise reviewing their fields and content thoroughly.

Image: Attack simulation trainings library

Tenant payloads

You can create a custom payload by duplicating an existing global payload or by creating a payload from scratch. Within the payload editing experience, you can insert a QR code using Dynamic Tags (Insert QR code) or the formatting controls (QR code icon), and you can select the size and position of the QR code.

Image 1: Insert QR code dropdown

Image 2: Insert QR code

Image 3: Insert QR code menu

Image 4: Payload configuration and preview

The generated QR code maps to the phishing URL you select while configuring the payload in the payload wizard. When the payload is used in a simulation, the service replaces the QR code with a dynamically generated one so that click and compromise metrics can be tracked. The size, position, and shape of the QR code match the configuration you set in the payload.
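
To illustrate why the per-recipient, dynamically generated QR code matters for the click and compromise tracking described above: the QR encodes a landing URL carrying a signed token, so a scan is attributed to one recipient as a click and a credential submission as a compromise, while a static QR pointing straight at the raw phishing URL carries nothing to attribute. This is an added, constructed model, not the service's own code; the secret, landing domain, and token format are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, hypothetical model of per-recipient QR tracking in a phishing
# simulation. Secret, landing domain and token format are all assumptions.
SECRET = b"constructed-simulation-secret"
LANDING = "https://sim.example.invalid/landing"  # placeholder landing page


def sign(sim_id, user):
    """HMAC tag binding one simulation to one recipient."""
    return hmac.new(SECRET, f"{sim_id}:{user}".encode(), hashlib.sha256).hexdigest()[:16]


def qr_payload(sim_id, user):
    """Text the dynamically generated QR image encodes: the landing URL plus
    a signed token, so a scan can be attributed to exactly one recipient."""
    return LANDING + "?" + urlencode({"sim": sim_id, "u": user, "t": sign(sim_id, user)})


class SimulationTracker:
    """Records click and compromise events keyed by recipient."""

    def __init__(self):
        self.events = {}

    def attribute(self, scanned_url):
        """Recipient a scanned URL belongs to, or None when the token is missing
        or invalid (a static QR pointing at the raw phishing URL has no token)."""
        parts = urlparse(scanned_url)
        qs = parse_qs(parts.query)
        if parts.netloc != urlparse(LANDING).netloc or not {"sim", "u", "t"} <= set(qs):
            return None
        sim_id, user, tag = qs["sim"][0], qs["u"][0], qs["t"][0]
        if not hmac.compare_digest(tag, sign(sim_id, user)):
            return None
        return user

    def on_scan(self, scanned_url):
        """Navigating to the URL after a scan is recorded as a click."""
        user = self.attribute(scanned_url)
        if user:
            self.events.setdefault(user, []).append("click")
        return user

    def on_credentials_submitted(self, scanned_url):
        """Submitting credentials on the landing page is a compromise."""
        user = self.attribute(scanned_url)
        if user:
            self.events.setdefault(user, []).append("compromise")
        return user
```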


Training content

We provide two mechanisms for learning about QR code-based attacks: how-to guides, and new training modules from our content partner.

How-to guides

How-to guides are designed to provide lightweight guidance to end users on how to report a phishing message directly through email. By delivering these guides directly to the end user's inbox, we can ensure that the end user has the information they need to confidently report any suspicious emails.


You can find the how-to guide by either:

  1. Filtering by Technique = How-to Guide
  2. Searching by name = "Teaching Guide: How to recognize and report QR phishing messages"

Image 5: Teaching guides


Out-of-the-box trainings

Within the trainings list (Content Library > Training Modules), we have added a new training called Malicious Digital QR Codes, a short module that teaches users what to do when they receive a QR code in email. You can assign the training as part of a simulation or use training campaigns to assign it to your users.

Image 6: Out of the box training configuration

Image 7: Out of the box training preview

More information

If you have other questions or feedback about Microsoft Defender for Office 365, engage with the community and Microsoft experts in the Defender for Office 365 forum.

Updated Sep 05, 2024
  • Hi jwatt130 - thanks for sharing your feedback. We had identified the issue with Chris's payload, which was caused by the Send a Test workflow. I have reached out to you offline to discuss your payload sample. 

  • jwatt130

    We are also getting "ping successful" with a phish sim using QR codes.

  • Chris-Scott

    VipulPandey I have edited/updated my first comment.

    This is actual simulation, I've uploaded a picture for reference. 

    So once it has scanned the QR code it goes to "ping successful" page. 

  • Chris-Scott - Was this through the 'Send a Test' mechanism, or use of QR code in actual simulation? The QR code is dynamically translated and can be used to record user response once used in a simulation. If it was in a simulation, could you share the payload sample offline? 

  • Chris-Scott

    This is great! And I've been waiting for this since the "Performing an (unofficial) QR code phishing simulation in by Cam Murray" came out. But I've done some testing, and when I used my test account and scanned the QR code, it hasn't tracked the event as compromised.
    FYI Using Drive-by URL payload. 

    Image-base uses the URL for phishing link (banknown.org for this instance) and doesn't generate a phishing landing page
    After checking the attack simulation, Compromised users stays grey. Unless you actually click the QR Image which will then compromise the user going into the phishing landing page.
    Chris- 

  • DaithiG

    I was testing this and sent a test QR email to my account, but Outlook automatically blocked the image and the QR code.


    Is there any way to get Outlook to display these if they're from Attack Simulations?