Microsoft Sentinel SOC 101: How to Detect and Mitigate Quishing Attacks with Microsoft Sentinel
Get this entire series in a free, downloadable eBook https://aka.ms/SentinelSOC101
BIG NOTE: There is evidence that a more formal solution for identifying QR codes is on the way. This post is an ongoing discussion and will be updated accordingly.
QR codes are a convenient way to access information quickly, but they can also be used maliciously. Microsoft Defender provides a comprehensive guide on how to use QR codes safely and ethically.
QR code technology itself is safe and secure, but criminals find ways to exploit how individuals and businesses use QR codes. When you scan a QR code with your phone, the QR reader within your phone decodes the code and directs you to the website URL, PDF file, video, etc. The QR code itself doesn't collect any personal data or live-track you. The basic technology is very secure, but that doesn't stop hackers from taking advantage of QR codes in phishing schemes and more. You can generate a QR code safely by using a reputable, secure QR code generator so your code is unique, private, and does not send users to a malicious website. You can also customize your QR code with your brand colors and logos to enhance brand identity; hackers struggle to replicate a custom QR code and will often avoid it. If you're using QR codes to share private documents or exclusive content, set up your QR code with password protection. This way, users can only access the information after they've scanned the QR code and entered the correct password.
What is a Quishing Attack?
A quishing attack is a type of phishing attack that uses QR codes to lure victims into revealing sensitive information. The word "quishing" is a combination of "QR" and "phishing".
In a quishing attack, cybercriminals use a QR code to direct traffic to a fraudulent website. Once on the website, cybercriminals use social engineering techniques to manipulate users into giving away personal information or financial details. Quishing attacks have become popular with cybercriminals because they can bypass traditional defenses like secure email gateways (SEGs), which scan for known malicious links and attachments. Because the malicious URL is embedded in a QR code image rather than present as a link, such gateways often classify quishing emails as harmless: they cannot read the URL out of the embedded image.
Allow Defender for Office 365 to do its job
Before digging into identifying Quishing techniques in Microsoft Sentinel, it’s important to use the right tool for the job. Quishing is not unlike other phishing attacks. While Microsoft Sentinel can be used to tie Quishing attacks to other significant and potentially related occurrences in the environment, configure Microsoft Defender anti-phishing policies to help curb attacks before they happen.
See the following:
Configure anti-phishing policies in Microsoft Defender for Office 365
Enhanced Phishing Protection in Microsoft Defender SmartScreen
And, because Quishing is not unlike Phishing and the result of a successful attack is generally a malware event, follow the guidance already covered in this series including using threat intelligence and mitigation:
Microsoft Sentinel SOC 101: How to Detect and Mitigate Phishing Attacks with Microsoft Sentinel
Microsoft Sentinel SOC 101: How to Detect and Mitigate Malware Attacks with Microsoft Sentinel
Once you have Defender configured correctly, connect data from Microsoft 365 Defender to Microsoft Sentinel. This ensures that the Defender alerts can be consumed alongside the rest of the monitored environment, leading to a bigger picture when an attack is underway. For example, a Quishing event can potentially result in performance issues for PCs, servers, and network devices, and in anomalous activity by user accounts.
Identifying Image Attachments in Email
With Microsoft 365 Defender connected to Microsoft Sentinel, image attachments can be detected through the EmailAttachmentInfo table joined with the EmailUrlInfo table using something like the following KQL query:
// Image file types that typically carry a QR code
let image_extensions = dynamic(["jpg", "jpeg", "png", "bmp", "gif"]);
EmailAttachmentInfo
| where FileType in (image_extensions)
// Auto-generated-looking names: 9-10 upper-case alphanumerics, a literal dot, then the extension
// (verbatim string so the dot is escaped and not treated as "any character")
| where FileName matches regex @"[A-Z0-9]{9,10}\.[A-Za-z0-9]+$"
// Joining on TenantId pairs every matching attachment with every URL row in the workspace;
// the distinct below collapses the resulting duplicates
| join EmailUrlInfo on TenantId
// Keep only URLs that Defender extracted from an attachment, not from the message body
| where UrlLocation == "Attachment"
| distinct FileName, FileType, SenderFromAddress, RecipientEmailAddress, UrlDomain, Url
This query searches for the various image extensions in emails and specifically calls out those images that are attachments with a URL versus where the URL is just text in the email.
Using Microsoft Sentinel to catch the outliers ties the activity to the rest of the monitored environment.
BTW: After some testing, this query only works for Microsoft Sentinel because the join column, TenantId, requires a Log Analytics workspace (see the Azure Monitor Logs reference). This query does not work for Advanced Hunting in Microsoft 365 Defender. I may come back to revisit that later.
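As an added example (my own, not code from the original post), the following KQL builds on the query above in two ways. First, it joins EmailAttachmentInfo and EmailUrlInfo per message on NetworkMessageId, the per-message key both Defender for Office 365 tables carry, so each image attachment is paired only with URLs extracted from the same email rather than with every attachment URL in the tenant. Second, it ties the result to the "bigger picture" mentioned earlier by correlating recipients of a candidate email with risky sign-ins in the Microsoft Entra ID SigninLogs table within 24 hours of delivery. It assumes both the Microsoft 365 Defender email tables and SigninLogs are ingested into the same Sentinel workspace; the 7-day lookback, the 24-hour window and the medium/high risk levels are assumptions to tune for your environment.

```kql
// Added example, not from the original post. Assumes the M365 Defender email tables
// and Microsoft Entra ID SigninLogs are both connected to this Sentinel workspace.
let lookback = 7d;                 // assumed hunting window
let image_extensions = dynamic(["jpg", "jpeg", "png", "bmp", "gif"]);
// Step 1: image attachments whose file names look auto-generated
// (9-10 upper-case alphanumerics, literal dot, extension)
let suspect_images =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where FileType in (image_extensions)
    | where FileName matches regex @"[A-Z0-9]{9,10}\.[A-Za-z0-9]+$"
    | project Timestamp, NetworkMessageId, FileName, FileType, SenderFromAddress,
              RecipientEmailAddress = tolower(RecipientEmailAddress);
// Step 2: URLs that Defender extracted from an attachment (not from the body),
// joined per message so each attachment only meets the URLs found inside it
let quishing_candidates =
    suspect_images
    | join kind=inner (
        EmailUrlInfo
        | where Timestamp > ago(lookback)
        | where UrlLocation == "Attachment"
        | project NetworkMessageId, Url, UrlDomain
      ) on NetworkMessageId
    | project-away NetworkMessageId1;
// Step 3: recipients of a candidate email who had a risky sign-in
// within 24 hours of the email being delivered
quishing_candidates
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskLevelDuringSignIn in ("medium", "high")   // assumed threshold
    | project SigninTime = TimeGenerated,
              UserPrincipalName = tolower(UserPrincipalName),
              IPAddress, ResultType
  ) on $left.RecipientEmailAddress == $right.UserPrincipalName
| where SigninTime between (Timestamp .. (Timestamp + 24h))
| summarize Candidates = count(),
            Urls = make_set(Url, 10),
            Domains = make_set(UrlDomain, 10),
            SigninIPs = make_set(IPAddress, 10)
    by RecipientEmailAddress, SenderFromAddress, bin(Timestamp, 1h)
| order by Timestamp desc
```

Running Step 2 on its own (ending the query at quishing_candidates) gives the per-message equivalent of the original detection; Step 3 narrows it to the cases where an account actually showed risky sign-in behaviour afterwards, which is usually where an analyst wants to start. Because the join keys are NetworkMessageId and the user principal name rather than TenantId, the same Steps 1 and 2 can also be pasted into Advanced Hunting in Microsoft 365 Defender, which does not carry the SigninLogs table.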
Remediation
So, what’s next? What needs to happen to these emails with QR Codes detected?
For Advanced Hunting in Defender, though, Steven Lim has written a post on LinkedIn describing how he is handling it. See: Defending against Quishing attack with Microsoft 365 Defender Advanced Hunting.
In the post, Steve describes sending detected emails to the user’s Junk email folder for later review, along with providing geo reporting on where the emails are coming from.
But a better option (back to letting Defender for Office 365 do its job) would be to use the built-in functions for Defender for Office 365 for:
Soft delete email messages
Block URL (time-of-click).
See: Remediation actions in Microsoft Defender for Office 365
EXTRA
Quish Me If You Can: Detect QR Code phishing emails in Exchange using computer vision