Full Report
Source post: *Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon* (Unit 42). Summary: phishing with QR codes; the new tactics described include concealing links behind redirects and using Cloudflare Turnstile to evade security crawlers.
Analysis Summary
# Tool/Technique: QR Code Phishing (Quishing)
## Overview
This entry summarizes the tactics used in sophisticated Business Email Compromise (BEC) phishing campaigns that leverage QR codes embedded within malicious documents to redirect victims to credential harvesting sites. This technique, often called "quishing," circumvents traditional desktop security mechanisms by shifting the final interaction to a mobile device.
## Technical Details
- Type: Technique (Social Engineering/Phishing)
- Platform: Email-delivered documents (PDF or Office files) opened on a desktop; the QR code is scanned with a smartphone, so the phishing site is loaded by the mobile browser.
- Capabilities: Concealing malicious payloads/URLs within an image (QR code), evading URL scanning, leveraging mobile redirection.
- First Seen: The article notes this trend has been observed since late 2024.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (The mechanism delivering the document containing the QR code)
- T1566.002 - Spearphishing Link (The final result after scanning the code)
- TA0006 - Credential Access
- T1555 - Credentials from Password Stores (The ultimate goal of credential harvesting)
## Functionality
### Core Capabilities
- **Hiding Payloads:** Embedding the final phishing URL within a QR code in a document (e.g., PDF or Office file).
- **Bypassing Static Analysis:** Traditional email link/URL scanning fails because the malicious link is obfuscated within the image.
- **Seamless Redirection:** Using legitimate website redirection mechanisms to make the final malicious destination look less suspicious.
- **Cloud Verification Evasion:** Utilizing Cloudflare Turnstile for user verification checks, specifically designed to block automated crawlers/bots while allowing human interaction.
### Advanced Features
- **Targeted Attacks:** Some phishing sites are built to harvest the credentials of specific victims, which suggests pre-attack reconnaissance.
- **Mobile Execution:** Relies on the user scanning the code with a smartphone, causing the mobile browser (which may have less stringent security/alerting than desktop browsers) to access the malicious site.
## Indicators of Compromise
- File Hashes: N/A (Focus is on technique, not a specific malware payload)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Attackers utilize legitimate redirection services, and potentially Cloudflare Turnstile for verification prior to reaching the final credential harvesting host.
- Behavioral Indicators: Documents containing embedded QR codes instructing immediate scanning action.
## Associated Threat Actors
- Not explicitly named, but associated with sophisticated Business Email Compromise (BEC) operations.
## Detection Methods
- Signature-based detection: Limited effectiveness against URL/domain changes inherent in redirection chains.
- Behavioral detection: Monitoring for documents containing embedded QR codes that link to external resources, especially when paired with suspicious redirection chains or Cloudflare Turnstile challenges.
- YARA rules: Could be developed to detect the document structures used to hide QR codes or the scripts associated with redirect chaining.
## Mitigation Strategies
- **User Training:** Comprehensive training specific to "quishing," warning users about scanning unknown QR codes found in emails or documents.
- **Email Security Gateway Settings:** Configure gateways to deeply inspect attachments for embedded content that attempts to mislead users (e.g., excessive redirection chains, use of bot-evasion checks like Turnstile).
- **Advanced URL Filtering:** Use security services that analyze the final destination URL *after* all redirects have been resolved, including redirects that are only taken when the link is opened from a mobile client.
- **Endpoint Protection:** Ensure devices (especially mobile) have advanced threat protection capable of recognizing credential harvesting sites.
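Added example, not code from the Unit 42 post: a scoring routine of the kind the behavioral detection and advanced URL filtering items above describe, run over a redirect chain that a sandboxed mobile client has already resolved. It flags the traits this entry names: cross-domain redirect hops, a Cloudflare Turnstile gate, and a credential form on the final page. The Turnstile script URL and widget class are the public ones; all hostnames, the sample chain and the score thresholds are constructed for illustration.

```python
"""Score a resolved redirect chain for quishing traits (added example)."""
import re
from urllib.parse import urlparse

# Cloudflare Turnstile markers: the public api.js path and widget class.
TURNSTILE_MARKERS = ("challenges.cloudflare.com/turnstile", "cf-turnstile")
# A password field on the final page is the credential-harvesting tell.
CRED_FORM_RE = re.compile(r'<input[^>]+type=["\']password["\']', re.I)


def analyze_chain(hops):
    """hops: list of (url, http_status, html_body) in the order followed.

    Returns findings a gateway or URL filter could alert on. Weights and
    the 'suspicious' threshold are constructed, not vendor values."""
    hosts = [urlparse(url).hostname or "" for url, _, _ in hops]
    final_url, _, final_body = hops[-1]
    redirects = sum(1 for _, status, _ in hops[:-1] if 300 <= status < 400)
    cross_domain = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    turnstile = any(marker in body.lower()
                    for _, _, body in hops for marker in TURNSTILE_MARKERS)
    cred_form = bool(CRED_FORM_RE.search(final_body))
    score = redirects + cross_domain + 3 * turnstile + 3 * cred_form
    return {"final_url": final_url, "redirects": redirects,
            "cross_domain_hops": cross_domain, "turnstile_gate": turnstile,
            "credential_form": cred_form, "score": score,
            "suspicious": score >= 6}


# Constructed sample: a trusted-looking redirector, a Turnstile gate that a
# crawler cannot pass, then a login page. Hostnames are placeholders.
SAMPLE_CHAIN = [
    ("https://redirector.example.com/r?u=target", 302, ""),
    ("https://gate.example.net/verify", 200,
     '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js">'
     '</script><div class="cf-turnstile"></div>'),
    ("https://login.example.org/auth", 200,
     '<form><input name="user"><input type="password" name="pw"></form>'),
]

if __name__ == "__main__":
    print(analyze_chain(SAMPLE_CHAIN))
```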
## Related Tools/Techniques
- Standard Phishing (T1566)
- MFA Fatigue/Prompt Bombing (As BEC often leads to credential theft followed by session hijacking)