Adversaries may use malicious emails containing QR codes to deliver payloads or redirect users to phishing sites. Because the URL is encoded in an image rather than as a clickable link, it can evade traditional URL-based email filtering. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and disrupt QR code-based phishing campaigns before they cause significant damage.
KQL Query
EmailUrlInfo
| where UrlLocation == "QRCode"
| join kind=inner (
    EmailEvents
    | where isnotempty(ThreatTypes)
    | project NetworkMessageId, ThreatTypes
) on NetworkMessageId
| summarize count() by ThreatTypes
| render piechart
id: 13260191-fb10-4a36-9ca1-2bbc0aaf77d0
name: Malicious Emails with QR code Urls
description: |
  Visualises emails containing QR code URLs that have been detected as malicious, helping analysts identify QR code-based attack campaigns.
  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailUrlInfo
      - EmailEvents
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  EmailUrlInfo
  | where UrlLocation == "QRCode"
  | join kind=inner (
      EmailEvents
      | where isnotempty(ThreatTypes)
      | project NetworkMessageId, ThreatTypes
  ) on NetworkMessageId
  | summarize count() by ThreatTypes
  | render piechart
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| EmailUrlInfo | Ensure this data connector is enabled |
Scenario: Legitimate QR Code in Marketing Email
Description: A marketing team sends an email with a QR code linking to a trusted landing page for a product launch.
Filter/Exclusion: Exclude emails from known marketing domains (e.g., marketing@company.com) or use a custom rule to exclude QR codes from specific URLs (e.g., https://launchpad.company.com/*).
Tool/Task: Configure a custom email filtering rule in Microsoft Defender for Office 365 or use a regex-based exclusion in the detection logic.
Scenario: Internal QR Code for Document Access
Description: An internal team uses a QR code to share access to a shared document or file server, which is hosted internally.
Filter/Exclusion: Exclude internal URLs (e.g., http://fileserver.internal.company.com/*) or use IP address filtering to exclude internal network ranges.
Tool/Task: Configure IP-based exclusion in Defender for Office 365 or use a custom rule to bypass QR code scanning for internal URLs.
Scenario: Scheduled Job Generating QR Code for Reporting
Description: A scheduled job runs daily to generate QR codes for internal reporting purposes, which are embedded in emails sent to stakeholders.
Filter/Exclusion: Exclude emails sent from a specific service account (e.g., reporting-job@company.com) or use a time-based filter to exclude emails sent during scheduled job execution.
Tool/Task: Use a custom rule in Defender for Office 365 to exclude emails from the job account or set up a time-based exclusion in the detection logic.
Scenario: QR Code in a Training Email for Phishing Simulation
Description: A security team sends a phishing simulation email with a QR code that links to a controlled phishing page for training purposes.
Filter/Exclusion:
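The pie chart above gives campaign-level counts; for triage an analyst usually also needs the individual messages, and the scenarios above call for exclusions so that approved QR-code senders do not drown out real detections. The following KQL is an added example, not part of the original hunting query or the Defender for Office 365 workbook it is based on. It drills down to per-message rows from the same two tables and applies the exclusion patterns the scenarios describe. The sender addresses and URL domains in the two allow-lists are placeholders taken from the scenarios (plus one hypothetical phishing-simulation sender); replace them with your own approved senders and internal domains.

```kql
// Added example: per-message drill-down of the QR-code hunt with scenario-based exclusions.
// Allow-list values are placeholders from the scenarios above, not real tenant data.
let lookback = 7d;
let approvedSenders = dynamic([
    "marketing@company.com",      // Scenario: marketing email with QR code to a trusted landing page
    "reporting-job@company.com",  // Scenario: scheduled reporting job service account
    "phish-sim@company.com"       // Hypothetical: internal phishing-simulation sender
]);
let internalUrlDomains = dynamic([
    "launchpad.company.com",             // Scenario: product-launch landing page
    "fileserver.internal.company.com"    // Scenario: internal document/file server
]);
EmailUrlInfo
| where Timestamp > ago(lookback)
| where UrlLocation == "QRCode"
// Drop QR codes that point at known internal/approved destinations.
| where UrlDomain !in~ (internalUrlDomains)
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(ThreatTypes)
    // Drop approved senders; see the caveat below about sender spoofing.
    | where SenderFromAddress !in~ (approvedSenders)
    | project NetworkMessageId, SenderFromAddress, SenderFromDomain,
              RecipientEmailAddress, Subject, ThreatTypes,
              DeliveryAction, DeliveryLocation
) on NetworkMessageId
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain,
          RecipientEmailAddress, Subject, Url, UrlDomain,
          ThreatTypes, DeliveryAction, DeliveryLocation
| sort by Timestamp desc
```

Two points on the design. The exclusions are applied before the join and on the narrowest column available (`UrlDomain` rather than a regex over `Url`, the exact `SenderFromAddress` rather than the whole sender domain) so that an allow-list entry cannot accidentally suppress a lookalike. Sender-address exclusions are also only trustworthy when the message actually passed authentication: a phishing message can present `marketing@company.com` as its From address, so for production use pair the `SenderFromAddress` filter with the SPF/DKIM/DMARC results in the `AuthenticationDetails` column of `EmailEvents`, or prefer the Defender for Office 365 rule-based exclusions the scenarios mention, which already take authentication into account. Time-based exclusions for the scheduled-job scenario can be expressed the same way with a `where` clause on `hourofday(Timestamp)`.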