Mass phishing campaign utilizing QR codes to Steal Employees Microsoft credentials

A recent discovery highlights a significant QR code phishing campaign that targets Microsoft credentials across various industries. 

Notably, a major energy company based in the US is at the forefront of this attack, underscoring the importance of robust security practices to combat evolving threats. 


This article provides an in-depth analysis of the campaign, its targets, tactics, and potential countermeasures.

The Rise of QR Code Phishing

Since May 2023, Cofense, a phishing detection company, has been tracking a sophisticated phishing campaign leveraging QR codes to dupe users into compromising their Microsoft credentials. 

The campaign’s most prominent victim is a major US energy company, accounting for nearly 29% of the over 1000 malicious QR code emails observed. 

Other industries affected include manufacturing, insurance, technology, and financial services, with 15%, 9%, 7%, and 6% of campaign traffic, respectively. 

These QR codes contain phishing links or redirects disguised as Microsoft security notifications.

Unmasking the QR Code Campaign

The campaign methodology involves sending emails with PNG or PDF attachments that prompt users to scan QR codes. 

Security Authentication Scan
Major Energy Company Targeted in Large QR Code Campaign
Security Authentication (2FA)
Multi-Factor Screen Shot
          QR Code Image Samples

Unlike traditional phishing links, QR codes are more likely to reach inboxes, as the phishing link is concealed within the QR image. This image is then embedded within an attachment, often a PNG or PDF file. 

This covert delivery method aims to bypass security filters and exploit user curiosity.

Implications for Enterprises

The campaign’s focus on targeting a major energy company underscores the gravity of the threat. 

An alarming trend is the campaign’s remarkable growth rate, with an average month-to-month increase of over 270%. 

A significant portion of the campaign employs Bing redirect URLs, exploiting the legitimacy of this Microsoft-owned domain. 

                    Bing Redirect URL 

However, the use of domains, including krxd[.]com (associated with Salesforce) and cf-ipfs[.]com (Cloudflare’s Web3 services), indicates a sophisticated attempt to abuse trusted domains for malicious purposes. 

Despite the Energy company being the primary target, the energy sector as a whole witnessed a major focus within the phishing campaign, signifying a broader industry-centric approach.

Although modern mobile devices provide some level of QR code verification, user education remains crucial. 

Employees should be trained not to scan QR codes in emails and to exercise caution when interacting with unfamiliar content. 

Security teams should explore automation tools like QR scanners and image recognition to detect and block malicious QR codes. 

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.

Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.