
Increase in QR Code Phishing (Quishing)- 20230922003

Overview

The WA SOC has observed an increase in QR code related phishing across multiple organisations. Building on a previous advisory dated 10 July 2023, this advisory provides further guidance and notification to inform organisations about the increased use of Quishing by threat actors.

Delivery

The primary delivery method is phishing emails containing QR codes, sent directly to users' inboxes from compromised email accounts belonging to legitimate organisations. Because the sending account is genuine, sender reputation and email authentication checks (SPF, DKIM, DMARC) will typically pass, so the message is less likely to be blocked on sender grounds alone.

What is the threat?

The QR code in a Quishing email will most likely be scanned with the user's mobile phone. The resulting browser session, including any click events and URL redirects, therefore takes place on a device outside the organisation's email security controls and is not visible to the SIEM or Email Security Gateway (ESG). The ESG itself only sees an image: the URL is encoded in the pixels rather than in a clickable link, so link rewriting and click-time URL scanning do not apply.

Recommendation:

  • Increase end-user awareness on phishing attacks via QR code vectors.
  • Agencies' Security Operations team(s) can perform proactive KQL threat hunting for potential QR code phishing emails sent to agency users.
  • For any phishing email successfully delivered to a user's inbox, confirm with the affected user(s) whether they scanned the QR code and whether they entered any credentials on the resulting page; if so, treat those credentials as compromised, reset them and revoke active sessions.

Detection

Data sources, detection queries and triage information for Quishing attacks are provided on the WA SOC TTP Detection Guideline page, reproduced below.

T1566.001 - QR Code Phishing Attachment (Quishing)

DESCRIPTION

Detects emails delivered to the inbox that potentially carry a QR code phishing image as an attachment.

Author: DGov WA - Threat Hunt

Related

phishing - Quishing

Reference:

ATT&CK TACTICS

T1566.001 - Phishing: Spearphishing Attachment

Data Source(s): Application Log, Email

SENTINEL RULE QUERY

let selection_filetype=dynamic(["png","gif","jpeg","jpg"]);
let selection_subject=dynamic(["2FA","Action","payroll","MFA"]); //add other potential subjects
let filter_domain=dynamic(["microsoft.com","sharepointonline.com"]); //add agency specific filter
let lookback = 3d;
EmailEvents
| where TimeGenerated > ago(lookback)
//collapse duplicate rows to the earliest event per message and recipient so one email yields one result
| summarize arg_min(TimeGenerated,*) by NetworkMessageId, RecipientEmailAddress, TenantId
| where EmailDirection == 'Inbound'
| where DeliveryAction == 'Delivered' //only mail that reached a mailbox could have been scanned
| where SenderMailFromDomain !contains "wa.gov.au" //exclude internal senders
| extend username_ = tostring(split(RecipientEmailAddress, "@")[0])
| extend domain_ = tostring(split(RecipientEmailAddress, "@")[1])
| extend domain_name_ = tostring(split(domain_, ".")[0])
//lures personalise the subject with the recipient's name or domain, or use an MFA/payroll pretext (contains and has_any are case-insensitive)
| where Subject contains username_ or Subject contains domain_ or Subject contains domain_name_ or Subject has_any (selection_subject)
| where not(SenderMailFromDomain has_any (filter_domain))
| join 
(
EmailAttachmentInfo
| where TimeGenerated > ago(lookback)
| where FileType has_any (selection_filetype)
| where FileName matches regex "^[A-Za-z0-9]{7,10}\\.[A-Za-z0-9]+$" //tweak here to change potential qr code filename convention changes
| where FileName !startswith "image" and FileName !startswith "ATT00" //ignore lists for known attachment false positive
) on NetworkMessageId //inner join: only delivered emails that also carry a matching image attachment
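As an added example that is not part of the advisory or the WA SOC rule, the Python below re-implements the matching logic of the Sentinel query above and runs it over a handful of constructed EmailEvents and EmailAttachmentInfo rows, so each filter (lookback, direction, delivery action, internal and allow-listed sender domains, subject personalisation, image type, file-name regex, ignored prefixes, and the arg_min dedupe) can be exercised offline before the rule is tuned in Sentinel. The function names, the sample rows and the reference time are assumptions of this example; KQL `has` and `startswith` semantics are approximated as noted in the comments.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Tunables mirrored from the query's let statements (hypothetical names, same values).
SELECTION_FILETYPE = {"png", "gif", "jpeg", "jpg"}
SELECTION_SUBJECT = ["2FA", "Action", "payroll", "MFA"]
FILTER_DOMAIN = ["microsoft.com", "sharepointonline.com"]
INTERNAL_DOMAIN = "wa.gov.au"            # the SenderMailFromDomain !contains filter
LOOKBACK = timedelta(days=3)
QR_FILENAME = re.compile(r"^[A-Za-z0-9]{7,10}\.[A-Za-z0-9]+$")
IGNORED_PREFIXES = ("image", "att00")    # lower-cased: KQL startswith is case-insensitive

# Only the columns the query touches (TenantId omitted: a single tenant is assumed here).
EmailEvent = namedtuple("EmailEvent", "TimeGenerated NetworkMessageId RecipientEmailAddress "
                        "SenderMailFromDomain Subject EmailDirection DeliveryAction")
EmailAttachment = namedtuple("EmailAttachment", "TimeGenerated NetworkMessageId FileName FileType")


def has_term(text, term):
    """Approximate KQL `has`: case-insensitive whole-term match, terms bounded by
    non-alphanumerics ("MFA" matches "MFA-reset" but not "XMFA")."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def subject_matches(subject, recipient):
    """Subject contains the recipient's username, domain or first domain label
    (KQL `contains` is case-insensitive) or has one of the pretext keywords."""
    username, _, domain = recipient.partition("@")
    parts = (username, domain, domain.split(".")[0])
    if any(p and p.lower() in subject.lower() for p in parts):
        return True
    return any(has_term(subject, kw) for kw in SELECTION_SUBJECT)


def email_is_candidate(ev, now):
    """EmailEvents side of the query, applied to one deduplicated row."""
    return (now - ev.TimeGenerated <= LOOKBACK
            and ev.EmailDirection == "Inbound"
            and ev.DeliveryAction == "Delivered"
            and INTERNAL_DOMAIN not in ev.SenderMailFromDomain.lower()
            and not any(has_term(ev.SenderMailFromDomain, d) for d in FILTER_DOMAIN)
            and subject_matches(ev.Subject, ev.RecipientEmailAddress))


def attachment_is_candidate(att, now):
    """EmailAttachmentInfo side: image type, short generated-looking name, no benign prefix."""
    return (now - att.TimeGenerated <= LOOKBACK
            and att.FileType.lower() in SELECTION_FILETYPE
            and QR_FILENAME.match(att.FileName) is not None
            and not att.FileName.lower().startswith(IGNORED_PREFIXES))


def hunt(events, attachments, now):
    """Whole query: arg_min(TimeGenerated, *) per message and recipient, filter both
    tables, inner-join on NetworkMessageId; returns sorted (message, recipient, file)."""
    earliest = {}
    for ev in events:
        key = (ev.NetworkMessageId, ev.RecipientEmailAddress)
        if key not in earliest or ev.TimeGenerated < earliest[key].TimeGenerated:
            earliest[key] = ev
    files = {}
    for att in attachments:
        if attachment_is_candidate(att, now):
            files.setdefault(att.NetworkMessageId, []).append(att.FileName)
    return sorted((ev.NetworkMessageId, ev.RecipientEmailAddress, name)
                  for ev in earliest.values() if email_is_candidate(ev, now)
                  for name in files.get(ev.NetworkMessageId, []))


NOW = datetime(2023, 9, 22, 9, 0)        # constructed reference time for the lookback
JANE, BOB = "jane.doe@agency.wa.gov.au", "bob.smith@agency.wa.gov.au"


def sample_events():
    """Constructed EmailEvents rows (not real telemetry); each exercises one filter."""
    h = [NOW - timedelta(hours=n) for n in range(8)]
    return [
        # Delivered lure naming the recipient, outside sender: the one true hit.
        EmailEvent(h[2], "msg-001", JANE, "supplier.example", "jane.doe: MFA re-enrolment required", "Inbound", "Delivered"),
        # Same message ingested again later; arg_min keeps one row so the hit is not doubled.
        EmailEvent(h[1], "msg-001", JANE, "supplier.example", "jane.doe: MFA re-enrolment required", "Inbound", "Delivered"),
        # Image attached, but the subject matches no selection term.
        EmailEvent(h[3], "msg-002", JANE, "newsletter.example", "Weekly digest", "Inbound", "Delivered"),
        # Pretext keyword from an internal wa.gov.au sender: excluded by !contains.
        EmailEvent(h[4], "msg-003", BOB, "hr.wa.gov.au", "Payroll update", "Inbound", "Delivered"),
        # Allow-listed vendor domain; subject would otherwise match "agency".
        EmailEvent(h[5], "msg-004", BOB, "sharepointonline.com", "agency document shared", "Inbound", "Delivered"),
        # Lure the gateway blocked: not Delivered, so nobody could have scanned it.
        EmailEvent(h[6], "msg-005", BOB, "phish.example", "Action required", "Inbound", "Blocked"),
    ]


def sample_attachments():
    """Constructed EmailAttachmentInfo rows (not real telemetry)."""
    t = NOW - timedelta(hours=2)
    return [
        EmailAttachment(t, "msg-001", "a8Kq93Lz.png", "png"),   # QR-style name: the hit
        EmailAttachment(t, "msg-001", "image001.png", "png"),   # fits the regex but is an ignored prefix
        EmailAttachment(t, "msg-002", "x7Yt2PqR.jpg", "jpg"),
        EmailAttachment(t, "msg-003", "Qr8f0Ab2.jpg", "jpg"),
        EmailAttachment(t, "msg-004", "gH7kL9pQ.png", "png"),
        EmailAttachment(t, "msg-005", "b3Nd7Kx9.png", "png"),
    ]


if __name__ == "__main__":
    for hit in hunt(sample_events(), sample_attachments(), NOW):
        print(*hit)
```

Running the script prints the single expected hit for msg-001; the duplicate msg-001 row, the benign `image001.png` attachment and the five decoy messages are all dropped by the same filters the KQL applies. To test a change to the file-name regex or the subject list against your own examples, add rows to the two sample functions and re-run.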

Triage

  1. Verify whether the sender and subject fields are known and/or expected.

  2. Confirm the QR code is present in the email as an attachment and/or in the email body. Decode it with a tool rather than scanning it with a phone, then confirm whether the encoded URL redirects to a potential phishing website.

False Positive

  1. Legitimate internal applications that send image attachments with short, generated file names.

VERSION

Version 1.0 (date: 22/09/2023)