Forum Discussion
MGessner (Copper Contributor), Sep 22, 2023
Receiving increasing number of phishing attempts mimicking Microsoft MFA QR Codes
Even though we are MS 365 Defender customers for all our users (EMS + E3), we are receiving an increasing number of phishing attempts based on good-looking MFA connection requests.
Furthermore, these are based on QR codes, which can be used on a smartphone, where the security rules will be helpless against such attacks.
And these attempts are absolutely not filtered.
15 Replies
- AbyssX (Copper Contributor)
Enhancing Email Security: Proactive Measures
To mitigate unwanted emails, consider the following strategies:
Domain Blocking: Implement domain blocking to restrict emails from specific domains, bolstering your defense against unwanted communication.
Anti-Spam Policies: Develop and enforce robust anti-spam policies to systematically block undesired emails, fortifying your organization's email security.
Email Labeling: Label non-organizational emails to streamline identification. This aids users in promptly recognizing and managing emails that fall outside the organizational scope.
- jjvoliver (Copper Contributor)
So many people complaining. Don't you read the terms and conditions when you sign up?
Microsoft happens to have absolutely no obligation to help anyone on something not yet implemented, and there's nothing anyone outside of Microsoft can do about it, other than maybe migrating to something less intrusive and more user-friendly.
Keep waiting for MS's help, good luck!
- Thortonne (Copper Contributor)
MGessner
Whilst I do not have an answer to proactively get these blocked, I have analyzed the IoAs and come up with a current method to try and detect these and get them actioned once they come through. See below for my KQL query:

```kql
// Senders that legitimately mail QR codes (addresses removed from the thread for privacy)
let Exclude = dynamic(['email address removed for privacy reasons','email address removed for privacy reasons','email address removed for privacy reasons']);
// Attachment types the QR code has been observed in
let images = dynamic(['png','jpeg','bmp','jpg']);
EmailAttachmentInfo
| where ingestion_time() > ago(7d)                       // tune to the alert schedule to avoid duplicates
| where SenderFromAddress !in (Exclude)
| where FileName contains_cs "QR" and FileType in (images)  // case-sensitive "QR" in the file name
| join kind=inner (
    EmailEvents
    | where AttachmentCount >= 3 and EmailDirection == "Inbound"
) on $left.NetworkMessageId == $right.NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, ReportId
```

The logic of this is based on my observation that the emails I've seen reported contain 3 attachments that are images, and the QR code image contains the text string "QR" and they are always an image format. They also contain at least 3 attachments, as each image is there to replace text (presumably to evade analysis in a sandbox). So far it's giving me a good success rate, but it's not a silver bullet, so some forward tuning would be required to suit each environment. Set this up as a custom alert to run on a schedule and configure the 'ingestion_time() > ago(7d)' to suit the frequency and avoid duplication of detections. Hope it helps!
- ExMSW4319 (Steel Contributor)
I don't get any forward MX resolution for mtb.biglobe.ne.jp, biglobe.ne.jp or ne.jp. Perhaps you want to quarantine anything from ne.jp that does not offer satisfactory DMARC? As always, test before implementing, and although JP is a problem there are many other sources to worry about; Uncle Joe [B] is our big problem at the moment.
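Thortonne's attachment heuristic from the KQL query earlier in the thread, re-implemented in Python over constructed records as an added example. This is not the poster's code or Defender output: the sample messages, the stand-in exclusion address and the `case_sensitive` tuning switch are assumptions of the example, included to show which messages the join-and-filter logic catches and which edge cases (excluded sender, lower-case "qr", too few attachments, non-image type, outbound direction) it lets through.

```python
"""Re-implementation of the QR-attachment heuristic from the KQL query above,
run over constructed sample records (added example; records are made up).

The KQL joins EmailAttachmentInfo (one row per attachment) to EmailEvents (one
row per message) on NetworkMessageId, keeping inbound messages with >= 3
attachments where an attachment is an image whose file name contains "QR"
(case-sensitive, as contains_cs is) and the sender is not on an exclusion list.
"""
from dataclasses import dataclass

# Stand-in for the poster's exclusion list (their addresses were removed from
# the thread); constructed value.
EXCLUDE = {"it-helpdesk@example.com"}
IMAGE_TYPES = {"png", "jpeg", "bmp", "jpg"}  # same list as the query's `images`


@dataclass(frozen=True)
class Attachment:
    """One EmailAttachmentInfo row (only the columns the query uses)."""
    network_message_id: str
    sender_from_address: str
    recipient_email_address: str
    file_name: str
    file_type: str


@dataclass(frozen=True)
class EmailEvent:
    """One EmailEvents row (only the columns the query uses)."""
    network_message_id: str
    subject: str
    attachment_count: int
    email_direction: str
    report_id: str


# Constructed sample data. msg-1 is the pattern the poster describes: three
# image attachments replacing text, one of them the QR code.
ATTACHMENTS = [
    Attachment("msg-1", "noreply@mail.example.net", "alice@example.com", "MFA_QR.png", "png"),
    Attachment("msg-1", "noreply@mail.example.net", "alice@example.com", "header.png", "png"),
    Attachment("msg-1", "noreply@mail.example.net", "alice@example.com", "footer.png", "png"),
    # Excluded sender: the real helpdesk mailing an enrollment QR code.
    Attachment("msg-2", "it-helpdesk@example.com", "bob@example.com", "QR-setup.png", "png"),
    # Lower-case "qr": contains_cs in the original query does not match this.
    Attachment("msg-3", "partner@example.org", "carol@example.com", "qr_code.png", "png"),
    # Single attachment: fails the AttachmentCount >= 3 condition.
    Attachment("msg-4", "x@example.net", "dave@example.com", "QR.png", "png"),
    # Not an image type.
    Attachment("msg-5", "y@example.net", "erin@example.com", "QR.pdf", "pdf"),
    # Outbound message: the direction filter drops it.
    Attachment("msg-6", "frank@example.com", "z@example.net", "QR.png", "png"),
]
EVENTS = {
    "msg-1": EmailEvent("msg-1", "Action required: MFA enrollment", 3, "Inbound", "r1"),
    "msg-2": EmailEvent("msg-2", "Your authenticator setup", 3, "Inbound", "r2"),
    "msg-3": EmailEvent("msg-3", "Scan to continue", 4, "Inbound", "r3"),
    "msg-4": EmailEvent("msg-4", "Hello", 1, "Inbound", "r4"),
    "msg-5": EmailEvent("msg-5", "Docs", 3, "Inbound", "r5"),
    "msg-6": EmailEvent("msg-6", "Re: setup", 3, "Outbound", "r6"),
}


def detect(attachments, events, exclude=EXCLUDE, image_types=IMAGE_TYPES,
           min_attachments=3, case_sensitive=True):
    """Return one hit dict per matching attachment, mirroring the KQL `project`.

    case_sensitive=True reproduces `contains_cs "QR"`; False is a tuning option
    (an assumption of this example, not in the original query) that also
    catches lower-case file names.
    """
    hits = []
    for a in attachments:
        if a.sender_from_address in exclude:
            continue
        name = a.file_name if case_sensitive else a.file_name.upper()
        if "QR" not in name or a.file_type not in image_types:
            continue
        # Inner join on NetworkMessageId, then the message-level filters.
        e = events.get(a.network_message_id)
        if e is None or e.attachment_count < min_attachments or e.email_direction != "Inbound":
            continue
        hits.append({
            "network_message_id": a.network_message_id,
            "sender_from_address": a.sender_from_address,
            "recipient_email_address": a.recipient_email_address,
            "subject": e.subject,
            "file_name": a.file_name,
            "report_id": e.report_id,
        })
    return hits


if __name__ == "__main__":
    for hit in detect(ATTACHMENTS, EVENTS):
        print(hit)
```

Running it with the defaults yields only msg-1. Flipping `case_sensitive` to False also surfaces msg-3, which is the kind of per-environment tuning the poster mentions; the time window (`ingestion_time() > ago(7d)`) is left out here because it only matters for de-duplicating scheduled runs.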
- Cubxinc (Copper Contributor)
It's getting way worse out there, and Microsoft isn't doing anything about it. They are now using the QR codes to link users to an enterprise app, so the user simply signs in with their regular authentication, and then they ask the user to grant delegated permission to their email; if your tenant is left at the default setting, it will grant access to these hackers.
We really hope they do something about this soon.
- Headlineheather (Copper Contributor)
HELP!!! Who has a contact at Microsoft who can get us some business support? It's LEVEL FIVE ON FIRE bad. Locked out of the admin portal, and it's been 3 days with no help from Microsoft. We cannot access emails, OneDrive... Nothing. I've tried everything. No department at Microsoft is willing to escalate a support ticket properly to the right department (which is usually created in the admin portal that we currently cannot access).
MGessner, did you check your service health notifications sent by Microsoft? Because Microsoft this week sent a status message in Service Health in the O365 portal that some users are receiving large amounts of spam messages from specific senders in Exchange Online.
- RobYoung (Iron Contributor)
elieelkarkafi, ideally we should be able to alert on QR codes sent by unfamiliar (first-contact) senders. While Microsoft boasts of Safe Links, too many of these are making it through.
- MGessner (Copper Contributor)
And the concern being: is there any way to escalate these alerts?