Malicious PDF Microsoft 2FA Warning

Malware authors are exploiting the growing popularity of QR codes to target users through PDF files, where these malicious PDFs, often delivered via email disguised as faxes, contain QR codes that trick users into scanning them with their smartphones. 

QR codes can be linked to malware downloads or phishing sites cleverly disguised as legitimate sources, such as security updates or SharePoint document links, which bypass traditional email security checks and leverage the trust users place in QR codes for everyday tasks.  

Malicious PDF files with QR code (blurred)

Phishing scammers are impersonating the Microsoft login page by utilizing a QR code that redirects users through a benign-looking host ( to a phishing URL. 

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

The deceptive URL, obfuscated with Base64 encoding, ultimately leads to a login page designed to steal Microsoft account credentials such as the user ID and password. 

The phishing page itself is designed to look like the authentic login interface used by Microsoft, which further increases the likelihood of the scam’s success.  

 Fiddler screenshot of phishing URL

Phishing attacks are evolving to use QR codes to trick users into entering their credentials on malicious websites, which can be designed to look like legitimate login pages and may even prefill the username field to increase believability. 

Once a user enters their credentials, the attacker can steal them and use them to gain unauthorized access to the user’s email, personal information, and potentially sensitive corporate data. 

Microsoft Phishing Page with prefilled username

Malicious QR codes can exploit vulnerabilities in mobile device QR scanners to circumvent user consent and carry out harmful actions. 

It includes silently downloading and installing malware, subscribing users to premium SMS services, which results in unexpected charges, or initiating calls to premium rate numbers, which incurs high costs. 

Even more serious, QR code exploits can steal login credentials, launch denial-of-service attacks, compromise user networks, and damage the reputation of targeted individuals or organizations. 

According to SonicWall Indicators of Compromise (IOCs) and URLs suspected to be malicious, likely file hashes are represented in hexadecimal format, which could be compared to a database of known malicious files to identify potential threats. 

The URLs are obfuscated with techniques like character substitution (e.g., ‘r’ for ‘e’).

Decoded, these URLs could lead to phishing sites or malware downloads, while analyzing these IOCs and URLs together can help security professionals detect and prevent cyberattacks. 

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files