Inbound emails carrying URLs encoded in QR code images may indicate an adversary delivering a malicious link in a form that URL filters and link-rewriting do not inspect: the URL is only present as an image, and the victim is expected to scan it with a personal phone, outside the corporate proxy and EDR. Defender for Office 365 decodes QR images it finds in messages and records the extracted URLs in the EmailUrlInfo table with UrlLocation set to "QRCode", so a hunt does not have to decode images itself. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify phishing or credential-theft campaigns that use QR codes for obfuscation.
KQL Query

```kusto
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
// EmailUrlInfo holds the URLs Defender for Office 365 decoded from QR images
// (UrlLocation == "QRCode"); filtering it before the join keeps the join small.
| join kind=inner (
    EmailUrlInfo
    | where Timestamp > ago(30d)
    | where UrlLocation == "QRCode"
    | project NetworkMessageId
  ) on NetworkMessageId
| summarize QrEmails = dcount(NetworkMessageId) by bin(Timestamp, 1d)
| render timechart
```
```yaml
id: f6354c94-3a95-4235-8530-414f016a7bf6
name: Inbound emails with QR code URLs
description: |
  Summarizes the daily volume of inbound emails carrying URLs extracted from QR codes over the last 30 days.
description-detailed: |
  Summarizes the daily volume of inbound emails carrying URLs extracted from QR codes over the last 30 days,
  using Defender for Office 365 data (EmailEvents joined to EmailUrlInfo on NetworkMessageId and filtered
  to UrlLocation == "QRCode").
  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailUrlInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailEvents
  | where Timestamp > ago(30d)
  | where EmailDirection == "Inbound"
  // EmailUrlInfo holds the URLs Defender for Office 365 decoded from QR images
  // (UrlLocation == "QRCode"); filtering it before the join keeps the join small.
  | join kind=inner (
      EmailUrlInfo
      | where Timestamp > ago(30d)
      | where UrlLocation == "QRCode"
      | project NetworkMessageId
    ) on NetworkMessageId
  | summarize QrEmails = dcount(NetworkMessageId) by bin(Timestamp, 1d)
  | render timechart
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and this table is being ingested |
| EmailUrlInfo | Ensure the same connector is enabled and this table is being ingested; the QRCode value of UrlLocation is populated by Defender for Office 365 |
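The timechart above only tells you that QR-code mail arrived; the next thing an analyst needs is who sent it, to how many people, whether it was delivered, and what the decoded URLs point at. The following KQL is an added example for that pivot and is not part of the original query page. It assumes the same two Defender for Office 365 tables (EmailEvents, EmailUrlInfo) and their documented columns; the 7-day lookback is an arbitrary choice for interactive triage.

```kusto
// Added example: per-sender triage of inbound QR-code URLs (not the page's own query).
// Lookback shortened to 7d for interactive triage; widen it to match the timechart if needed.
let lookback = 7d;
let qr_urls =
    EmailUrlInfo
    | where Timestamp > ago(lookback)
    | where UrlLocation == "QRCode"          // URLs Defender decoded from QR images
    | project NetworkMessageId, Url, UrlDomain;
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| join kind=inner qr_urls on NetworkMessageId
| summarize
    Messages       = dcount(NetworkMessageId),
    Recipients     = dcount(RecipientEmailAddress),
    DeliveredCount = countif(DeliveryAction == "Delivered"),        // copies that landed in a mailbox
    ThreatFlags    = make_set_if(ThreatTypes, isnotempty(ThreatTypes), 5), // what DfO365 already flagged
    Subjects       = make_set(Subject, 5),
    SampleUrls     = make_set(Url, 5),
    FirstSeen      = min(Timestamp),
    LastSeen       = max(Timestamp)
    by SenderFromAddress, SenderMailFromAddress, UrlDomain
// One sender hitting many recipients, delivered, with nothing flagged yet, is the
// row to read first: that is the bulk-phish shape before Defender catches up.
| order by Recipients desc, DeliveredCount desc, LastSeen desc
```

Grouping by both SenderFromAddress (the visible From header) and SenderMailFromAddress (the envelope sender) surfaces the display-name and header mismatches common in phishing kits, and UrlDomain lets you spot a single redirector domain reused across many senders.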
Benign sources of inbound QR-code URLs that will show up in this hunt, with the exclusion to apply for each. The sender filters refer to EmailEvents columns (SenderFromAddress for the visible From address, SenderMailFromAddress for the envelope sender); the addresses and subjects are placeholders to replace with your own tenant's values. A From address is trivially spoofable, so pair every sender-based exclusion with the message's authentication result (the AuthenticationDetails column) so that a spoofed copy of an internal tool's address is not allowlisted along with the real one.

Scenario: Automated QR Code Generation for Internal Documentation
Description: A tool such as Microsoft Power Automate or Zapier generates QR codes for internal documentation links, which are then embedded in emails sent by the ServiceNow or Jira system.
Filter/Exclusion: Exclude mail from the known internal tool addresses (e.g., SenderFromAddress == "service-now@company.com" or SenderFromAddress == "jira@company.com") when the message passes authentication.

Scenario: Scheduled Job for QR Code Distribution
Description: A scheduled job in AWS Lambda or Azure Functions generates QR codes for a list of URLs and sends them via SendGrid or Amazon SES to internal users.
Filter/Exclusion: Exclude by the job's fixed subject line (e.g., Subject has "QR Code Distribution") or by its sending address (e.g., SenderFromAddress == "lambda-distribution@company.com"). Prefer the address over the subject where possible: a subject string is visible to anyone who has received one of these mails and is easy to copy.

Scenario: QR Code Used in Marketing Campaigns
Description: Marketing teams use HubSpot or Salesforce Marketing Cloud to send emails with QR codes linking to landing pages or promotional content.
Filter/Exclusion: Exclude the marketing team's sending addresses (e.g., SenderFromAddress == "marketing@company.com"). A substring match such as SenderFromAddress contains "campaigns" is broader than it looks and would also allowlist an attacker's "campaigns-support@lookalike.example"; use exact addresses or the campaign platform's authenticated sending domain instead.

Scenario: QR Code Embedded in Internal Support Tickets
Description: Support teams use Zendesk or Freshdesk to send emails with QR codes linking to internal support portals or knowledge base articles.
Filter/Exclusion: Exclude mail from support@company.com or support-team@company.com, or filter by subject (e.g., Subject has "Support Ticket QR Code"), again only for messages that pass authentication.
Scenario: QR Code Used for Internal Training Materials
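Putting the exclusions from the scenarios above back into the hunt gives a tuned baseline in which the remaining spikes are worth a look. The following KQL is an added example, not the page's own query. The sender addresses and subject fragments are the placeholders used in the scenarios and must be replaced with the real ones for your tenant; the DMARC check reads the documented JSON shape of the AuthenticationDetails column (keys SPF, DKIM, DMARC, CompAuth), which is an assumption to verify against your own data.

```kusto
// Added example: the hunt from this page with the benign scenarios excluded (not the page's own query).
let lookback = 30d;
// Placeholder internal/automation senders from the scenarios above; replace with your tenant's addresses.
let allowlisted_senders = dynamic([
    "service-now@company.com", "jira@company.com",
    "lambda-distribution@company.com",
    "marketing@company.com",
    "support@company.com", "support-team@company.com"
]);
// Placeholder subject fragments used by the scheduled jobs.
let allowlisted_subjects = dynamic(["QR Code Distribution", "Support Ticket QR Code"]);
let qr_messages =
    EmailUrlInfo
    | where Timestamp > ago(lookback)
    | where UrlLocation == "QRCode"
    | distinct NetworkMessageId;
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"
| join kind=inner qr_messages on NetworkMessageId
// AuthenticationDetails is a JSON string of SPF/DKIM/DMARC/CompAuth verdicts; the key
// name "DMARC" follows its documented shape (assumption: check a sample row in your tenant).
| extend DmarcPass = tostring(parse_json(AuthenticationDetails).DMARC) =~ "pass"
// An allowlisted address only counts when the message authenticated: a spoofed
// "jira@company.com" that fails DMARC must stay in the hunt.
| where not(SenderFromAddress in~ (allowlisted_senders) and DmarcPass)
| where not(Subject has_any (allowlisted_subjects))
| summarize QrEmails = dcount(NetworkMessageId) by bin(Timestamp, 1d)
| render timechart
```

Keep the allowlists in a watchlist or a stored function rather than inline once they grow, and review them periodically: every address on the list is a sender whose QR-code mail you have chosen not to see.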