A large phishing campaign that’s been active since May has been targeting an array of companies with malicious QR codes in attempts to steal Microsoft account credentials. Notably, researchers from the security firm Cofense observed the attacks against “a major Energy company based in the US.” The campaign also targeted organizations in other industries, including finance, insurance, manufacturing, and tech. Malicious QR codes were used in nearly a third of the emails reviewed by researchers. QR codes have disadvantages in phishing, since victims need to be compelled to scan them for the attack to progress. But they make it more difficult for victims to evaluate the trustworthiness of the URL they’re clicking on, and it’s more likely that emails containing a QR code will reach their target, because it’s more difficult for spam filters to assess QR images included in an attachment like a PDF.
