Emails containing URLs embedded in QR codes may indicate an adversary attempting to deliver malicious payloads through disguised or obfuscated links. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing or credential theft campaigns that bypass traditional email filtering mechanisms.
KQL Query
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
id: 594fe5a1-53b6-466b-86df-028366c3994e
name: Emails delivered having URLs from QR codes
description: |
In this query, we hunt for inbound emails delivered having URLs from QR codes
description-detailed: |
In this query, we hunt for inbound emails delivered having URLs from QR codes using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
version: 1.0.0 | Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
EmailUrlInfo | Ensure this data connector is enabled |
Scenario: Internal Documentation with Embedded QR Code Links
Description: Employees may embed QR codes in internal documentation (e.g., Confluence pages, SharePoint sites) that link to internal resources.
Filter/Exclusion: Exclude emails from internal domains (e.g., @example.com) or filter by sender using a regex pattern for internal email addresses.
Scenario: Automated System Health Checks Using QR Code URLs
Description: IT systems may use QR codes to generate URLs for automated health checks or status pages (e.g., Nagios, Zabbix). These URLs are embedded in emails sent by monitoring tools.
Filter/Exclusion: Exclude emails sent by known monitoring tools (e.g., nagios@example.com, zabbix@example.com) or filter based on the subject line containing terms like “health check” or “status update”.
Scenario: Marketing Campaigns with QR Code Redirects
Description: Marketing teams may use QR codes in email campaigns that redirect to landing pages or tracking URLs. These URLs are legitimate but may trigger the rule due to the presence of a QR code.
Filter/Exclusion: Exclude emails from marketing domains (e.g., @marketing.example.com) or filter based on the presence of campaign-specific headers or tags (e.g., X-Marketing-Campaign: QRCampaign2024).
Scenario: Scheduled Job Outputs with QR Code Links
Description: Scheduled jobs (e.g., in Jenkins, Airflow) may generate reports or logs that include QR codes linking to internal tools or dashboards. These emails are part of normal operations.
Filter/Exclusion: Exclude emails sent by job schedulers (e.g., jenkins@example.com, airflow@example.com) or filter by the presence of job IDs or timestamps in the email body.
**Scenario: User-Generated