QR Code phishing is advancing to a new level, so be on your guard

QR Code
(Image credit: Pixabay)

Be careful when receiving emails with QR codes, because Quishing (QR code phishing) has evolved to become as dangerous as never before, experts have warned.

A report from Perception Point has outlined one such campaign, claiming it is able to bypass most email security solutions around.

The attack is just like any other QR code phishing attack - the recipient gets an email, and in it a QR code. They scan it, and it leads them to a fake Microsoft 365 landing page, where they type in their login credentials and essentially share it with the crooks. However, since most email security solutions these days come with QR code scanners, simply sending the image in the email will not suffice. Such emails will simply get blocked, which is why crooks came up with a creative new way of bypassing the protections.

Two QR codes

As Perception Point explains, the campaign involves abusing two legitimate services - SharePoint, and me-qr.com. SharePoint is a Microsoft-built, web-based platform for collaboration, document management, and content sharing. Me-QR.com is a website where users can create and manage QR codes.

The landing page is hosted on SharePoint. Me-QR.com is used as an additional obfuscation layer, so that the scanners cannot read where the QR code points to.

Here is how the scam works: The recipient gets the usual phishing email, containing a .PDF attachment that’s either a purchase order, an invoice, or something similar. When they open it, there is a QR code that points to me-QR.com. Since this is a legitimate service, the code passes security scans.

When the victim scans this code, they are redirected to me-QR.com, where the service scans a second QR code (a malicious one, which would most likely be blocked by email security). This code leads to SharePoint, where the phishing page is hosted.

Perception Point calls this tactic “Quishing 2.0”, and describes it as highly sophisticated.

The best way to defend against spam remains the same - be suspicious of all incoming emails and use common sense when opening up attachments.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
An iPhone sitting on a wooden table
Millions at risk as malicious PDF files designed to steal your data are flooding SMS inboxes - how to stay safe
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
QR Code
Hackers are targeting Signal with new QR code-linked cyberattack
mobile phone
Forget phishing, now "mishing" is the new security threat to worry about
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Everything you need to know about phishing
Close up of a business person using a smartphone.
Watch out, malicious PDF files are being used again in phishing attacks
Latest in Security
An American flag flying outside the US Capitol building against a blue sky
Sean Plankey selected as CISA director by President Trump
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
Nation-state threats are targeting UK AI research
Scam alert
Fake jobs and phone calls: How Americans lost $12.5 bn to fraud in 2024
Application Security Testing Concept with Digital Magnifying Glass Scanning Applications to Detect Vulnerabilities - AST - Process of Making Apps Resistant to Security Threats - 3D Illustration
Google bug bounty payments hit nearly $12 million in 2024
Scam alert
A new SMS energy scam is using Elon Musk’s face to steal your money
Representational image of a cybercriminal
Allstate sued for exposing personal customer information in plaintext
Latest in News
A stressed employee looking over some graphs
UK workers are spending more than one day per week tracking down information
Vision Pro Metallica
Apple Vision Pro goes off to never never land with Metallica concert footage
Mufasa is joined by another lion, a monkey and a bird in this promotional image
Mufasa: The Lion King prowls onto Disney+ as it finally gets a streaming release date
An American flag flying outside the US Capitol building against a blue sky
Sean Plankey selected as CISA director by President Trump
An Nvidia GeForce RTX 4060 on a table with its retail packaging
Nvidia RTX 5060 GPU spotted in Acer gaming PC, suggesting rumors of imminent launch are correct – and that it’ll run with only 8GB of video RAM
Indiana Jones talking to a friend in a university setting with a jaunty smile on his face
New leak claims Indiana Jones and the Great Circle PS5 release will come in April