Massive phishing campaign exploits QR codes to steal Microsoft credentials


Criminals are sending victims malicious QR codes to steal sensitive data.

A major unnamed energy company in the US has received over 1000 emails with malicious QR codes. It’s the largest victim of a massive phishing campaign targeting energy, manufacturing, insurance, technology, and financial services companies since May.

Analysts at the cybersecurity company Cofense reported a 2400% increase in malicious QR codes in emails since May 2023.

Threat actors focus on delivering emails that spoof Microsoft security notifications. Each email carries a PNG or PDF attachment that asks the user to scan a QR code.

While the campaign is relatively widespread, its primary focus has been a major energy company in the US that Cofense analysts left unnamed in their write-up of the campaign.

Malicious QR codes

As you might have guessed, if a user were to follow the email's instructions and scan the QR code, they would be redirected to a phishing page designed to steal their credentials.

The QR code would lead users to a Bing address. “While Bing is a legitimate domain owned by Microsoft, Bing redirect URLs that were originally meant for marketing purposes can also be used for malicious purposes,” analysts noted.

Bing redirect

The fact that threat actors abuse trusted domains and hide malicious links within QR codes helps them to bypass email security filters and reach victims’ inboxes.
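For mail triage, the useful check is to look past the trusted outer domain and evaluate the destination the redirect carries. The sketch below is an added example, not Cofense's tooling: it assumes the QR image has already been decoded to a URL, and the trusted-domain list, redirect path, parameter name, `p1` prefix and destination are all constructed for illustration.

```python
import base64
from urllib.parse import parse_qsl, urlsplit
# Assumption: domains a mail filter trusts on reputation alone.
TRUSTED_DOMAINS = {"bing.com"}

def is_trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def as_url(value):
    """Return value if it is an http(s) URL with a host, else None."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return None
    return value if parts.scheme in ("http", "https") and parts.hostname else None

def decodings(value):
    """Yield value, then base64url decodings with 0-2 prefix chars skipped."""
    yield value
    for skip in range(3):
        chunk = value[skip:]
        try:
            yield base64.urlsafe_b64decode(chunk + "=" * (-len(chunk) % 4)).decode("utf-8")
        except ValueError:  # bad base64 or not UTF-8 text
            continue

def embedded_destination(url):
    """Return the first URL hidden in a query parameter, or None."""
    for _, value in parse_qsl(urlsplit(url).query):
        for candidate in decodings(value):
            if as_url(candidate):
                return candidate
    return None

def triage_qr_payload(payload):
    """Classify a URL already decoded from a QR image in an email."""
    dest = embedded_destination(payload)
    if dest is None:
        return ("no-embedded-url", payload)
    outer_trusted = is_trusted(urlsplit(payload).hostname)
    if outer_trusted and not is_trusted(urlsplit(dest).hostname):
        return ("trusted-domain-redirect", dest)
    return ("embedded-url", dest)

# Constructed sample (hypothetical path, parameter, "p1" prefix, target).
SAMPLE_DEST = "https://credential-page.example/login"
SAMPLE = "https://www.bing.com/redirect?u=p1" + base64.urlsafe_b64encode(
    SAMPLE_DEST.encode()).decode().rstrip("=")
```

The second element of the result is the URL to submit to reputation or sandbox checks, so a `trusted-domain-redirect` verdict is scored on its destination rather than on the outer domain.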

Time and time again, security experts have warned about QR code scams. In March, HP Wolf Security found that criminals were increasingly abusing the codes to steal credit-card data.

Every time you scan a QR code, whether in a restaurant to tip the waiter or at a hotel to check in, you risk infecting the device or giving away sensitive data.

How to avoid QR scams?

  • Don’t scan QR codes received from strangers
  • Even if a message is from someone you know, first check if your contact has actually sent you the code before clicking on it
  • If a message comes from a government agency, call or email it directly to make sure it is legitimate
  • Some antivirus software comes with a QR-scanning functionality – it will prevent you from downloading malicious software
  • Do not enter any personal details or other sensitive information into websites you don’t know