Quishing Attacks Use QR Codes to Steal Microsoft Account Credentials

Cybersecurity researchers at Unit 42 have uncovered a troubling evolution in phishing tactics, dubbed “quishing,” which leverages QR codes to target Microsoft account credentials.

Since late 2024, attackers have increasingly embedded phishing URLs within QR codes in documents and emails, enticing victims to scan them with smartphones.

This method bypasses traditional security measures and exploits the weaker defenses of personal devices, making it harder for users to detect malicious activity.

Unlike conventional phishing, where malicious links are directly embedded in emails or documents, quishing relies on QR codes that redirect unsuspecting users to phishing sites.

These attacks often masquerade as legitimate services such as DocuSign or Adobe Acrobat Sign, using fake electronic signature requests to lure victims into scanning the QR codes.

Once scanned, the QR codes redirect users to deceptive login pages designed to harvest sensitive credentials.

Redirection and Human Verification Tactics

The attackers employ sophisticated redirection mechanisms to conceal their phishing infrastructure.

Instead of linking directly to malicious domains, they exploit legitimate websites’ URL redirection features.

For example, attackers use open redirects on trusted platforms like Google to mask the final phishing destination, making the URLs appear legitimate when viewed through smartphone cameras.

This tactic significantly complicates detection efforts by security crawlers and users alike.

To further evade automated security systems, attackers integrate human verification steps during the redirection process.

Cloudflare Turnstile is frequently used in these campaigns as the verification step: it turns away automated scanners and security crawlers, while a real visitor on a phone passes the check with no visible interaction, so the victim's path to the phishing page is not interrupted.

This layered approach effectively shields the phishing site from scrutiny while increasing the likelihood of successful credential harvesting.

Credential Harvesting and Targeted Attacks

Once redirected, victims encounter fake login pages mimicking services like Microsoft 365 or SharePoint.

Figure: Fake SharePoint page with pre-populated user email.

These pages often display pre-populated user information, such as email addresses, creating an illusion of legitimacy and familiarity.

Victims are then prompted to enter their passwords, unknowingly handing over their credentials to attackers.

Alarmingly, some phishing campaigns reject arbitrary credentials and display error messages if incorrect details are entered, indicating a high level of targeting and customization aimed at specific individuals or organizations.

The phishing documents are strategically themed around enticing topics like payroll updates or HR announcements to lower users’ guard.

Attackers also incorporate company logos and official-sounding email addresses into their schemes to enhance credibility.

Figure: Phishing attempt impersonating a company payroll update.

These tactics highlight the growing sophistication of quishing campaigns and their ability to deceive even vigilant users.

Unit 42 has identified several IoCs associated with these quishing attacks:

  • Malicious PDFs: Files containing embedded QR codes linked to phishing URLs (e.g., hashes such as b6130b45131035bec8d9b0304e934f2db0ee092c).
  • Phishing URLs: Redirect links exploiting legitimate domains (e.g., hxxps://docuusign[.]statementquo[.]com/ey8YO?e={user_email}).
  • Spoofed Login Pages: Fake Microsoft login screens with pre-populated user information designed for credential harvesting.

Security teams are advised to monitor for these indicators and implement robust defenses against QR code-based phishing threats.
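A defender-side triage routine for URLs recovered from QR codes, added here as an example and not Unit 42's tooling: it unwraps open-redirect wrappers of the kind described above, flags look-alike brand labels in the final host, and detects pre-filled recipient e-mail parameters, using the defanged IoC URL from the list above plus a constructed Google-redirect wrapper as samples. The brand watchlist and the "suspicious" rule are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Hypothetical watchlist: brand token -> domain that may legitimately carry it.
BRANDS = {"docusign": "docusign.com", "adobe": "adobe.com",
          "microsoft": "microsoft.com", "sharepoint": "sharepoint.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def refang(url: str) -> str:
    """Turn defanged IoC notation (hxxps://, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def unwrap_redirects(url: str) -> list[str]:
    """Follow URL-valued query parameters (open-redirect style) without any network I/O."""
    chain = [url]
    while True:
        params = parse_qs(urlparse(chain[-1]).query)
        nested = [unquote(v) for vals in params.values() for v in vals
                  if v.lower().startswith(("http://", "https://"))]
        if not nested or nested[0] in chain:
            return chain
        chain.append(nested[0])

def lookalike_brands(host: str) -> list[str]:
    """Flag host labels that collapse to a brand name (docuusign -> docusign) on a non-brand domain."""
    hits = []
    for label in host.split("."):
        folded = re.sub(r"(.)\1+", r"\1", label)  # collapse doubled letters
        brand = next((b for b in BRANDS if b in folded), None)
        legit = BRANDS.get(brand)
        if brand and not (host == legit or host.endswith("." + legit)):
            hits.append(brand)
    return hits

def triage(url: str) -> dict:
    """Return the findings an analyst would want for one QR-extracted URL."""
    chain = unwrap_redirects(refang(url))
    first, final = urlparse(chain[0]), urlparse(chain[-1])
    query_values = [v for vals in parse_qs(final.query).values() for v in vals]
    f = {"final_host": final.hostname or "",
         "redirect_hops": len(chain) - 1,
         "cross_domain_redirect": len(chain) > 1 and first.hostname != final.hostname,
         "brand_lookalike": lookalike_brands(final.hostname or ""),
         "prefilled_email": any(EMAIL_RE.fullmatch(v) for v in query_values)}
    f["suspicious"] = bool(f["cross_domain_redirect"] or f["brand_lookalike"] or f["prefilled_email"])
    return f

if __name__ == "__main__":
    # Constructed samples: the page's IoC wrapped in a Google open redirect, the raw IoC, a benign URL.
    for s in ("https://www.google.com/url?q=https%3A%2F%2Fdocuusign.statementquo.com%2Fey8YO%3Fe%3Dalice%40example.com",
              "hxxps://docuusign[.]statementquo[.]com/ey8YO?e={user_email}", "https://www.docusign.com/"):
        print(s, "->", triage(s))
```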

Quishing represents a significant evolution in phishing tactics, leveraging QR codes to bypass traditional security measures and exploit personal devices’ vulnerabilities.

Attackers’ use of URL redirection, human verification mechanisms, and targeted credential harvesting underscores the need for enhanced security awareness and technical solutions capable of detecting these threats.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
