Adversaries use QR code phishing ("quishing") to move the victim off the monitored corporate endpoint: the lure arrives as an image or document attachment, the user scans it with a personal phone, and the credentials or session are captured on a device Entra ID has never seen. The hunt below, written for Microsoft Sentinel (formerly Azure Sentinel) with the Defender XDR connector, looks for medium- or high-risk sign-ins from devices that are not joined, managed or compliant, and correlates them with mailbox reads (`MailItemsAccessed`) by the same user within five minutes from a different IP address and city. That is the expected shape of a quishing incident: the victim opens the lure in their normal mail client and, minutes later, the phone that scanned the code (or the attacker's proxy) signs in from somewhere else. The query returns the `InternetMessageId` of each message read, which is the pivot to `EmailEvents` and `EmailAttachmentInfo` to recover the lure and its sender. Note that the query itself does not inspect attachments or images; the "email with image/document attachments" wording in the metadata describes the campaign, not a filter in the query. SOC teams should run this as a proactive hunt to catch credential theft before the stolen session is used for lateral movement.
KQL Query
```kusto
// Medium/high-risk sign-ins from devices Entra ID does not know: not joined or
// registered (empty DeviceTrustType), not Intune-managed and not compliant.
// Despite the name, the set is not filtered on ErrorCode == 0, so failed risky
// sign-ins are included as well.
let successfulRiskySignIn = materialize(AADSignInEventsBeta
    | where Timestamp > ago(1d)
    | where isempty(DeviceTrustType)
    | where IsManaged != 1
    | where IsCompliant != 1
    | where RiskLevelDuringSignIn in (50, 100)   // 50 = medium, 100 = high
    | project Timestamp, ReportId, IPAddress, AccountUpn, AccountObjectId, SessionId, Country, State, City
);
// Lookup sets are built across all risky sign-ins in the window, not per user.
let suspiciousSignInUsers = successfulRiskySignIn
    | distinct AccountObjectId;
let suspiciousSignInIPs = successfulRiskySignIn
    | distinct IPAddress;
let suspiciousSignInCities = successfulRiskySignIn
    | distinct City;
// Mailbox reads by those users from neither a risky sign-in IP nor city: the read is
// expected to be the victim opening the lure from a normal location, while the risky
// sign-in comes from the phone that scanned the code or from attacker infrastructure.
CloudAppEvents
| where Timestamp > ago(1d)
| where ActionType == "MailItemsAccessed"
| where AccountObjectId in (suspiciousSignInUsers)
| where IPAddress !in (suspiciousSignInIPs)
| where City !in (suspiciousSignInCities)
// Pair each read with that user's risky sign-ins; right-side columns get a "1" suffix.
| join kind=inner successfulRiskySignIn on AccountObjectId
| where (Timestamp - Timestamp1) between (-5min .. 5min)   // read within 5 minutes of the sign-in, either way
// One row per accessed message: RawEventData.Folders[].FolderItems[].InternetMessageId
| extend folders = RawEventData.Folders
| mv-expand folders
| extend items = folders.FolderItems
| mv-expand items
| extend InternetMessageId = tostring(items.InternetMessageId)
| project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
```
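The following is an added example, not code from the Sentinel hunting query or from Microsoft's blog post: a plain-Python re-implementation of the correlation above, run over constructed events whose keys mimic the `AADSignInEventsBeta` and `CloudAppEvents` columns the query reads. The sample sign-ins, mailbox reads, account IDs, IP addresses and message IDs are all made up for the example; it exists so the join, the IP/city exclusion and the five-minute window can be exercised offline before the KQL is tuned.

```python
# Added example (not the page's query): Python mirror of the KQL correlation,
# run over constructed AADSignInEventsBeta / CloudAppEvents-shaped records.
from datetime import datetime, timedelta

RISKY_LEVELS = {50, 100}       # RiskLevelDuringSignIn: 50 = medium, 100 = high
WINDOW = timedelta(minutes=5)  # KQL: (Timestamp - Timestamp1) between (-5min .. 5min)


def risky_untrusted_signins(signins):
    """Mirror of successfulRiskySignIn: medium/high-risk sign-ins from devices that
    are neither Entra joined/registered, Intune-managed nor compliant."""
    return [
        s for s in signins
        if not s.get("DeviceTrustType")          # isempty(DeviceTrustType)
        and s.get("IsManaged") != 1
        and s.get("IsCompliant") != 1
        and s.get("RiskLevelDuringSignIn") in RISKY_LEVELS
    ]


def message_ids(raw_event_data):
    """Flatten RawEventData.Folders[].FolderItems[].InternetMessageId (the two
    mv-expands). Items without an InternetMessageId are skipped; that is a choice
    of this example, since there is nothing to pivot on without one."""
    return [
        item["InternetMessageId"]
        for folder in (raw_event_data.get("Folders") or [])
        for item in (folder.get("FolderItems") or [])
        if item.get("InternetMessageId")
    ]


def correlate(signins, cloud_app_events, window=WINDOW):
    """One row per message read by a risky-sign-in user from an IP and city that
    differ from every risky sign-in (global sets, as in the KQL), within `window`
    of one of that user's risky sign-ins. Keys follow the query's final project."""
    risky = risky_untrusted_signins(signins)
    users = {s["AccountObjectId"] for s in risky}
    ips = {s["IPAddress"] for s in risky}
    cities = {s["City"] for s in risky}
    hits = []
    for e in cloud_app_events:
        if (e.get("ActionType") != "MailItemsAccessed"
                or e["AccountObjectId"] not in users
                or e["IPAddress"] in ips
                or e["City"] in cities):
            continue
        for s in risky:                          # join kind=inner on AccountObjectId
            if s["AccountObjectId"] != e["AccountObjectId"]:
                continue
            if abs(e["Timestamp"] - s["Timestamp"]) > window:
                continue
            for mid in message_ids(e.get("RawEventData") or {}):
                hits.append({
                    "Timestamp": e["Timestamp"], "ReportId": e["ReportId"],
                    "IPAddress": e["IPAddress"], "InternetMessageId": mid,
                    "AccountObjectId": e["AccountObjectId"], "SessionId": e.get("SessionId"),
                    "Country": e["Country"], "State": e["State"], "City": e["City"],
                })
    return hits


# ---- constructed sample telemetry (not real data) ---------------------------------
T0 = datetime(2024, 3, 1, 9, 0)


def signin(**kw):
    base = {"Timestamp": T0, "DeviceTrustType": "", "IsManaged": 0, "IsCompliant": 0,
            "RiskLevelDuringSignIn": 100, "Country": "US", "State": "NY", "City": "New York"}
    return {**base, **kw}


def mail_access(offset_min, **kw):
    base = {"Timestamp": T0 + timedelta(minutes=offset_min), "ActionType": "MailItemsAccessed",
            "Country": "US", "State": "CA", "City": "Los Angeles", "IPAddress": "192.0.2.44",
            "SessionId": "sess-9", "RawEventData": {"Folders": [{"FolderItems": [
                {"InternetMessageId": "<qr-lure-001@attacker.test>"},
                {"InternetMessageId": "<newsletter-77@contoso.test>"}]}]}}
    return {**base, **kw}


# alice: risky sign-in from an unknown phone. bob: risky, but from a joined, managed,
# compliant device, so he never enters the risky set.
SAMPLE_SIGNINS = [
    signin(ReportId="s1", AccountUpn="alice@contoso.test", AccountObjectId="u-alice",
           IPAddress="198.51.100.7", SessionId="sess-1"),
    signin(ReportId="s2", AccountUpn="bob@contoso.test", AccountObjectId="u-bob",
           IPAddress="203.0.113.9", SessionId="sess-2", City="Chicago", State="IL",
           DeviceTrustType="Azure AD joined", IsManaged=1, IsCompliant=1),
]
SAMPLE_CLOUD_APP_EVENTS = [
    mail_access(2, ReportId="c1", AccountObjectId="u-alice"),           # hit: other IP/city, +2 min
    mail_access(1, ReportId="c2", AccountObjectId="u-alice",
                IPAddress="198.51.100.7", City="Boston", State="MA"),    # same IP as the sign-in: dropped
    mail_access(30, ReportId="c3", AccountObjectId="u-alice"),          # outside +/- 5 min: dropped
    mail_access(1, ReportId="c4", AccountObjectId="u-bob"),             # trusted device: never risky
]


def run_example():
    return correlate(SAMPLE_SIGNINS, SAMPLE_CLOUD_APP_EVENTS)


if __name__ == "__main__":
    for row in run_example():
        print(row["ReportId"], row["AccountObjectId"], row["IPAddress"], row["City"], row["InternetMessageId"])
```

Running it prints two rows, both from read `c1`: the same mailbox read yields one row per `InternetMessageId`, exactly as the two `mv-expand` steps do in KQL, which is why a single hit can fan out into several rows to triage. Because the IP and city sets are global rather than per user, a second risky user signing in from the victim's city would suppress the victim's hit; that is inherited from the query and is worth knowing before tuning.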
```yaml
id: 3131d0ba-32c9-483e-a25c-82e26a07e116
name: Suspicious sign-in attempts from QR code phishing campaigns
description: |
  This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.
description-detailed: |
  This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices in close temporal proximity, and validates that the location from which the email item was accessed differs from the location of the sign-in attempt.
  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
      - AADSignInEventsBeta
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let successfulRiskySignIn = materialize(AADSignInEventsBeta
      | where Timestamp > ago(1d)
      | where isempty(DeviceTrustType)
      | where IsManaged != 1
      | where IsCompliant != 1
      | where RiskLevelDuringSignIn in (50, 100)
      | project Timestamp, ReportId, IPAddress, AccountUpn, AccountObjectId, SessionId, Country, State, City
  );
  let suspiciousSignInUsers = successfulRiskySignIn
      | distinct AccountObjectId;
  let suspiciousSignInIPs = successfulRiskySignIn
      | distinct IPAddress;
  let suspiciousSignInCities = successfulRiskySignIn
      | distinct City;
  CloudAppEvents
  | where Timestamp > ago(1d)
  | where ActionType == "MailItemsAccessed"
  | where AccountObjectId in (suspiciousSignInUsers)
  | where IPAddress !in (suspiciousSignInIPs)
  | where City !in (suspiciousSignInCities)
  | join kind=inner successfulRiskySignIn on AccountObjectId
  | where AccountObjectId in (suspiciousSignInUsers)
  | where (Timestamp - Timestamp1) between (-5min .. 5min)
  | extend folders = RawEventData.Folders
  | mv-expand folders
  | extend items = folders.FolderItems
  | mv-expand items
  | extend InternetMessageId = tostring(items.InternetMessageId)
  | project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ingested by the Microsoft Defender XDR connector (connectorId `MicrosoftThreatProtection`); ensure this data connector is enabled |
| AADSignInEventsBeta | Same connector; the query depends on this table as well, so the hunt returns nothing if only `CloudAppEvents` is streaming |
**Scenario: Legitimate QR Code Usage in Internal Tools**
Description: A user scans a QR code generated by an internal tool such as Microsoft Teams or a similar collaboration tool to join a meeting or open a shared document from a personal phone. The resulting sign-in is risky (unfamiliar device and location) and the device is unmanaged, and the user reads mail from the office minutes later, which matches the query.
Filter/Exclusion: Tune on the sign-in side, not the mailbox side: in `AADSignInEventsBeta`, exclude the known-good client by `Application`/`ApplicationId` or `UserAgent`, and confirm the sign-in IP belongs to the user's mobile carrier before suppressing the hit. The sign-in logs do not record that a QR code was scanned, so the exclusion has to be based on the application and client that completed the sign-in.

**Scenario: Phishing Simulation or Scheduled Test Job**
Description: A security team's phishing simulation, or an automated PowerShell or Python test script, sends QR code lures to test accounts and then signs in with those accounts from unmanaged hosts.
Filter/Exclusion: Exclude the simulation's test accounts (`AccountUpn` or `AccountObjectId`) and the simulation infrastructure's source IPs from the risky sign-in set. Windows event IDs, process names and local accounts such as `NT AUTHORITY\SYSTEM` do not exist in these cloud tables and cannot be used to filter here.

**Scenario: User Accessing a Document Attached via QR Code from a Trusted Device**
Description: A user receives an email with a document attachment and scans a QR code to open a shared file in OneDrive from a device that is Entra joined, Intune-managed or marked compliant.
Filter/Exclusion: Already handled by the query: sign-ins with a non-empty `DeviceTrustType`, `IsManaged == 1` or `IsCompliant == 1` never enter `successfulRiskySignIn`. If a device you consider trusted still appears, check `AadDeviceId` and `DeviceName` on the sign-in event to confirm it is actually registered in Entra ID and Intune rather than assuming it is.

**Scenario: QR Code Used for Internal Authentication in a Multi-Factor Authentication (MFA) Flow**
Description: A user scans the QR code shown during Microsoft Authenticator registration, or uses passwordless phone sign-in, as part of a legitimate MFA process.
Filter/Exclusion: Inspect `AuthenticationProcessingDetails` and `ConditionalAccessStatus` in `AADSignInEventsBeta` for the sign-in. A risky sign-in that satisfied MFA with the user's long-registered Authenticator is a weaker signal and can be down-ranked; a first-time Authenticator registration immediately after a risky sign-in should not be excluded, because attackers who obtain a session routinely enrol their own MFA method.
**Scenario: QR Code Generated