On August 16, 2023, cybersecurity firm Cofense revealed it had identified a phishing campaign that uses QR codes, the first on such a scale according to researchers. Launched in May 2023, the campaign grew to over a thousand personalized fake emails, 29% of which were sent to employees of a major US company. Other targets include manufacturers, insurance and tech companies, and financial departments.
The fraudulent emails prompted employees to carry out security checks linked to their Microsoft 365 accounts. Upon scanning the QR code, they were redirected to a fake login page, which allowed cybercriminals to steal their IDs and passwords. Most of the links used redirect URLs belonging to Bing in order to lull victims.
Cofense noted that, until now, phishing attacks had made little use of QR codes, due to their limited interactions with users. Only the mobile device used to scan the code can be reached, and confirmation is systematically required to redirect the user towards the QR code’s target website.
According to Cofense, there are two advantages to the QR code for cybercriminals. First off, it allows them to bypass spam filters and reach the main inbox. Secondly, a QR code lures users outside the corporate network and its phishing defenses. In some cases, this facilitates infection.