QR codes are disproportionately effective at bypassing most anti-spam filters. Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption.
# Analysis Summary
# Tool/Technique: QR Code Phishing/Spam Lures
## Overview
This summary describes the use of Quick Response (QR) codes in email bodies and attached documents (such as PDFs) as a technique for bypassing existing security controls, particularly anti-spam filters, in order to deliver malicious content, most often phishing links for credential harvesting (for example, fraudulent MFA requests).
## Technical Details
- Type: Technique / Delivery Mechanism
- Platform: Email systems, targeted user devices (desktop/mobile for scanning)
- Capabilities: Bypasses anti-spam filters that do not inspect image content; hides the destination URL from the recipient; exploits the fact that users apply less caution to scanning a code than to clicking a link.
- First Seen: Not stated explicitly; the context implies a current and evolving threat as of 2024.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (if the QR code is embedded in an attachment)
    - T1566.002 - Spearphishing Link (if the decoded QR code points to a malicious URL)
- **TA0010 - Exfiltration** (indirectly, if MFA is bypassed)
## Functionality
### Core Capabilities
- **Evasion:** QR codes, displayed as images, bypass traditional text-based or simple link scanners used by anti-spam filters. Cisco Talos data suggests roughly 60% of email containing a QR code is spam.
- **Data Encoding:** QR codes (two-dimensional matrix barcodes) can store significantly more data than legacy 1D barcodes (up to ~4,300 alphanumeric characters), commonly used to encode URLs for phishing.
- **Defanging Bypass:** Users rarely "defang" a malicious QR code (the equivalent of rewriting `http` to `hxxp` in a URL), so the caution normally applied to links is often absent when a code is scanned.
### Advanced Features
- **QR Code Art:** Attackers create QR codes by seamlessly blending data modules into artistic images, making them difficult for both humans and filters to recognize as a scannable code.
- **Unicode Construction:** Attackers craft visual representations of QR codes using Unicode characters embedded within documents (e.g., PDFs created via `wkhtmltopdf`), further complicating graphic recognition engines.
- **Network Evasion:** When the code is scanned on a device that is not on the corporate Wi-Fi and the resulting traffic travels over a cellular network, corporate security devices have reduced visibility into the session that follows.
## Indicators of Compromise
- File Hashes: N/A (Focus is on mechanism, not specific binaries)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The *payload* of the decoded QR code links to malicious URLs (e.g., MFA phishing sites), which should be treated as suspicious and defanged (e.g., `hxxp://malicious[.]site`).
- Behavioral Indicators: Presence of QR image data in emails/attachments requiring decoding; successful decoding pointing to known malicious domains; MFA prompt following a scan.
## Associated Threat Actors
- General Spammers and Phishing Groups leveraging novel evasion techniques. (No specific APT group linked in the provided context).
## Detection Methods
- Signature-based detection: Requires anti-spam filters to be updated so that they process image content and recognize the presence of a QR code.
- Behavioral detection: Monitoring endpoints for external applications or web views launched immediately after an attachment (especially a PDF) is opened, or for a camera application invoked in a suspicious context.
- YARA rules: Potential for YARA rules targeting patterns associated with programmatically generated QR code art or specific Unicode structuring used to compose the codes in documents.
## Mitigation Strategies
- **Filter Upgrade:** Implement security solutions capable of detecting the presence of a QR code within an attachment or email body, decoding it, and analyzing the resultant payload.
- **User Training:** Educate users that scanning a suspicious QR code is equivalent to clicking an unknown hyperlink; avoid scanning unknown sources.
- **Defanging on Submission:** Researchers (such as Talos) neutralize QR codes received for internal analysis by obscuring the data modules or removing the position detection patterns, so the code can be examined without being scannable.
- **Direct Navigation:** Users should always reach known login portals by entering the address themselves rather than clicking a provided link or scanning a provided code.
## Related Tools/Techniques
- **QR Code Defanging Methods:** Obscuring data modules or removing position detection patterns.
- **Unicode-based Visual Exploits:** Using character sets to simulate graphical elements.
- **Associated Tools Mentioned:** `wkhtmltopdf` (reportedly used to convert HTML containing the Unicode-constructed code into PDFs).
- **Defense Tools Mentioned:** Cisco Secure Email Threat Defense, Cisco Secure Malware Analytics (Threat Grid) for safe URL analysis.
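The finder-pattern defanging method named under Mitigation Strategies and Related Tools/Techniques, shown as an added example that is not Talos's own tooling. It assumes a QR symbol already decoded into a module matrix (1 = dark, 0 = light); the `sample_symbol` matrix is constructed filler with valid finder patterns, not a real encoded symbol, and the helper names are hypothetical.

```python
"""Defang a QR code by blanking its three position-detection (finder) patterns.

A decoder locates the symbol through the 7x7 finder patterns in the top-left,
top-right and bottom-left corners. Removing them leaves the data modules
visible for an analyst but makes the image unscannable.
Modules are a list of lists of ints: 1 = dark, 0 = light.
"""
from copy import deepcopy

# Standard 7x7 finder pattern (dark ring, light ring, dark 3x3 centre).
FINDER = [
    [1, 1, 1, 1, 1, 1, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 1, 1],
]

def finder_origins(size):
    """Top-left module coordinate of each finder pattern in a size x size symbol."""
    return [(0, 0), (0, size - 7), (size - 7, 0)]

def has_finder_patterns(matrix):
    """True if all three corners carry an intact finder pattern (a scannable code)."""
    size = len(matrix)
    for r0, c0 in finder_origins(size):
        for r in range(7):
            if matrix[r0 + r][c0:c0 + 7] != FINDER[r]:
                return False
    return True

def defang_finders(matrix):
    """Return a copy with every finder pattern set to light; data modules untouched."""
    out = deepcopy(matrix)
    for r0, c0 in finder_origins(len(out)):
        for r in range(7):
            for c in range(7):
                out[r0 + r][c0 + c] = 0
    return out

def sample_symbol(size=21):
    """Constructed version-1 sized symbol: three finders plus deterministic filler."""
    m = [[(r * 7 + c * 3) % 2 for c in range(size)] for r in range(size)]
    for r0, c0 in finder_origins(size):
        for r in range(7):
            m[r0 + r][c0:c0 + 7] = list(FINDER[r])
    return m
```

`has_finder_patterns` doubles as a cheap presence check once an image has been thresholded into modules; a filter that sees all three patterns should decode the payload and analyze the URL before delivery.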