The Hunt for QR Phisher
By Steven Lim

Change History

  • Initial article published
  • Added Visualize QR-Phishing Attack with ADX Interactive Map
  • Added Hunting for QR Code AiTM Phishing

On 1 April Microsoft published the following blog describing the new QR-code phishing features of Defender for Office 365:

Hunting and responding to QR code-based phishing attacks with Defender for Office 365

https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730

This has been very exciting for me, as I can now threat hunt the threat actors who use QR-code phishing and take pre-emptive steps to block their emails from entering my O365 tenant. Now let's start our threat hunt ...

1. Determine the most frequently used QR-Code for phishing

Using the KQL below, we can find the most frequently used QR-code URL domain.

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where LatestDeliveryAction == "Blocked"
| where ThreatTypes contains "phish"
| summarize Count=count() by UrlDomain
| sort by Count desc

From the DefenderXDR result below, we can see that wap[.]lovetothenations[.]org is the domain used most in our QR-code phishing.

Most frequently used QR-Code for phishing

On VirusTotal this domain, wap[.]lovetothenations[.]org, is also marked malicious by at least 10 security vendors.

VirusTotal for wap[.]lovetothenations[.]org

2. Determine the mail domains or IP addresses associated with QR Phisher

From the query results below we can observe that every SenderDisplayName is 财务部, meaning "Financial Department", and that the sender mail domains are all xxx.cn domains. This gives a clear indication that the intent is phishing.

Mail domains/IP associated with QR Phisher

Using the KQL below, we can list the distinct sender mail domains associated with this QR-code phishing domain.

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where LatestDeliveryAction == "Blocked"
| where ThreatTypes contains "phish"
| where UrlDomain contains "wap.lovetothenations.org"
| distinct SenderMailFromDomain

Distinct Mail Domains with QR phishing

Now we can add the following sender domains to an Exchange Online transport rule to block any emails coming from them:

  • qlfod.cn
  • eapcg.cn
  • zhaoshai.cn
  • hxunion.cn

The rule above will block several hundred QR-code phishing emails. With that said, repeating steps 1 and 2 consistently will definitely reduce the QR-code phishing entering your O365 domain and overall reduce your end-user phishing attack surface.
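Steps 1 and 2 end in an Exchange Online transport rule, but the article does not show how that rule is created. The PowerShell below is an added example, not code from the article, that creates the rule for the four sender domains found above, or merges new domains into it when the rule already exists; the rule name and the admin UPN placeholder are assumptions, and quarantine is used rather than deletion so blocked mail can still be reviewed.

```powershell
# Added example: block the sender domains hunted in step 2 with an
# Exchange Online transport rule. Requires the ExchangeOnlineManagement
# module; the admin UPN and the rule name are assumed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@<your-tenant>.onmicrosoft.com"

# Sender mail domains returned by the step-2 query (values from the article)
$qrPhishDomains = @("qlfod.cn", "eapcg.cn", "zhaoshai.cn", "hxunion.cn")
$ruleName = "Block QR-phishing sender domains"   # assumed rule name

# Look for an existing rule so repeated hunts update it instead of
# creating duplicate rules with overlapping conditions.
$existing = Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue

if ($null -eq $existing) {
    # FromScope NotInOrganization keeps the rule off internal mail; the rule
    # fires only on external senders whose domain matches the hunted list.
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SenderDomainIs $qrPhishDomains `
        -Quarantine $true `
        -StopRuleProcessing $true `
        -SetAuditSeverity High `
        -Mode Enforce `
        -Comments "Sender domains observed in blocked QR-code phishing (hunt steps 1-2). Re-run the hunt and extend this list."
}
else {
    # Merge newly hunted domains into the current SenderDomainIs list.
    $merged = (@($existing.SenderDomainIs) + $qrPhishDomains) | Sort-Object -Unique
    Set-TransportRule -Identity $ruleName -SenderDomainIs $merged
}

# Print the resulting condition so the change can be verified before sign-off.
(Get-TransportRule -Identity $ruleName).SenderDomainIs
Disconnect-ExchangeOnline -Confirm:$false
```

Run it first with -Mode Audit if you want to watch the match count in the message trace before enforcing.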

Visualize QR-Phishing Attack with ADX Interactive Map

Run the KQL query below in DefenderXDR Advanced Hunting and export the result to IPaddress.csv.

EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
| where LatestDeliveryAction == "Blocked"
| where ThreatTypes contains "phish"
| project SenderIPv4

In ADX (Azure Data Explorer), import IPaddress.csv into a newly created table called QRPhish, then run the KQL query below:

QRPhish
// geo_info_from_ip_address returns a dynamic JSON object; parse pulls
// the latitude and longitude values out of its text into two columns
| extend ip_location=geo_info_from_ip_address(SenderIPv4)
| parse ip_location with "latitude\":" latitude ",\"longitude\":" longitude "}" blank

Click "Edit Visual", under "Visual Type" select Map, and set the latitude and longitude to read from the parsed latitude and longitude columns.

ADX Visual Map with QR-Phishing Attack Locations

Hunting for QR Code AiTM Phishing

The targeted user scans the QR code and is redirected to a phishing page. After the user authenticates, the attackers steal the user's session token, enabling them to launch various malicious activities. When the malicious actor attempts to replay the token, AAD Identity Protection raises a security alert named "Anomalous Token". The query below links that alert to AADUserRiskEvents and correlates the at-risk users against any inbound email they received containing a QR code.

let AnomalousTokenRequestId=
SecurityAlert
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)
| project Entities
| extend RequestId = tostring(Entities.RequestId)
| distinct RequestId;
let UPNAnomalousToken=
AADUserRiskEvents
| where RequestId has_any(AnomalousTokenRequestId)
| where DetectionTimingType == "realtime"
| where RiskLevel == "medium" or RiskLevel == "high"
| where RiskState == "atRisk"
| distinct UserPrincipalName;
EmailUrlInfo
| where UrlLocation == "QRCode"
| join EmailEvents on NetworkMessageId
| where EmailDirection == "Inbound"
| where RecipientEmailAddress has_any(UPNAnomalousToken)

Do support this article if you find the information useful, and repost it to share with the wider CyberDefender community. Thank you!

#DefenderXDR #QRCode #Phishing #Cyberdefense #KQL

