Emails containing QR codes from non-prevalent senders may indicate an attempt to deliver malicious payloads through encoded URLs, as adversaries often use QR codes to bypass traditional email filtering. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing or credential theft campaigns that evade standard detection mechanisms.
KQL Query
let senderprevalence =
EmailEvents
| where Timestamp between (ago(7d)..(now()-24h))
| where isnotempty(SenderFromAddress)
| summarize TotalEmailCount = dcount(NetworkMessageId) by SenderFromAddress
| where TotalEmailCount > 1;
let prevalent_Sender = senderprevalence
| where isnotempty (SenderFromAddress)
| distinct SenderFromAddress;
let QR_from_non_prevalent =
EmailEvents
| where EmailDirection == "Inbound"
| where Timestamp > ago(1d)
| where SenderFromAddress !in (prevalent_Sender)
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| distinct SenderFromAddress,Url,NetworkMessageId;
QR_from_non_prevalent
id: f708c866-073a-4107-a60b-ba6f86e54caa
name: Emails with QR codes from non-prevalent sender
description: |
In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders
description-detailed: |
In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let senderprevalence =
EmailEvents
| where Timestamp between (ago(7d)..(now()-24h))
| where isnotempty(SenderFromAddress)
| summarize TotalEmailCount = dcount(NetworkMessageId) by SenderFromAddress
| where TotalEmailCount > 1;
let prevalent_Sender = senderprevalence
| where isnotempty (SenderFromAddress)
| distinct SenderFromAddress;
let QR_from_non_prevalent =
EmailEvents
| where EmailDirection == "Inbound"
| where Timestamp > ago(1d)
| where SenderFromAddress !in (prevalent_Sender)
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| distinct SenderFromAddress,Url,NetworkMessageId;
QR_from_non_prevalent
version: 1.0.0 | Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
EmailUrlInfo | Ensure this data connector is enabled |
Scenario: A system administrator sends a QR code containing a URL to a team for a scheduled maintenance task.
Filter/Exclusion: Exclude emails from the admin’s email address or domain using a filter like from:admin@company.com or from:*.admin.company.com.
Scenario: A marketing team uses a QR code in a campaign to direct users to a company’s internal portal for onboarding.
Filter/Exclusion: Exclude emails from the marketing team’s sender group using from:marketing@company.com or from:marketing-team@company.com.
Scenario: A developer shares a QR code with a colleague to test a new internal tool, which contains a URL to a local development server.
Filter/Exclusion: Exclude emails from the developer’s email address or use a filter like from:dev-team@company.com or from:*.dev.company.com.
Scenario: A support team sends a QR code with a link to a company’s internal knowledge base for quick access.
Filter/Exclusion: Exclude emails from the support team’s sender group using from:support@company.com or from:*.support.company.com.
Scenario: A scheduled job sends an automated email with a QR code to a user, containing a URL to a company’s internal documentation portal.
Filter/Exclusion: Exclude emails sent by the job’s service account using from:job-scheduler@company.com or from:*.scheduler.company.com.