
Scan to Steal: QR Code Phish Masquerades as HR Benefits Update

Employee handbooks with QR Codes bypass SEGs.


What is the attack?

  • Phishing Email: A personalized phishing campaign targeted employees with a fake "Updated Employee Handbook" email.

  • Personalized Document: A Word file mimicking a handbook, including red-text sections outlining fake benefit changes and personalized employee info.

  • QR Code: A QR code instructs the recipient to “access the revised benefits online,” leading to a credential phishing page.

Why did it get through?

  • Benign Attachments: The attack used a benign Word document with no macros or embedded scripts to bypass file-based detection.

  • QR Codes: Traditional email security scans rely on detecting URLs in email bodies, but the phishing link is embedded inside a QR code, avoiding detection.

  • URL Crawling/Analysis Protection: The added CAPTCHA functionality limits automated link crawling and URL analysis features, increasing the difficulty for automated detection.
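As an added example (not Abnormal's code or part of the original write-up), this Python triage shows why such an attachment looks benign to file-based checks: no macros and no external link relationships, yet a near-square embedded image that should be handed to a QR decoder. The function names, the size thresholds, the PNG-only parsing and the sample document are assumptions constructed for illustration.

```python
import io, struct, zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def png_size(data):
    """Return (width, height) from a PNG IHDR chunk, or None if not a PNG."""
    if data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])

def triage_docx(blob):
    """Summarise what a file-based scanner sees versus what it misses."""
    report = {"macros": False, "external_links": [], "square_images": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                report["macros"] = True
            elif name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        report["external_links"].append(rel.get("Target"))
            elif name.startswith("word/media/"):
                size = png_size(z.read(name))
                # Assumed heuristic: QR codes are square, so near-square images >= 100 px qualify
                if size and min(size) >= 100 and abs(size[0] - size[1]) <= 0.05 * max(size):
                    report["square_images"].append((name, size))
    # Clean on macro and URL checks yet carrying a square image: send it to a QR decoder
    report["needs_qr_decode"] = (not report["macros"] and not report["external_links"]
                                 and bool(report["square_images"]))
    return report

def build_sample_docx():
    """Constructed sample: a minimal docx-like zip with one 300x300 PNG header."""
    ihdr = struct.pack(">II", 300, 300) + b"\x08\x00\x00\x00\x00"
    png = b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00" * 4
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="image" Target="media/image1.png"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/media/image1.png", png)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_docx(build_sample_docx()))
```

Images flagged in `square_images` still need an actual QR decoder and URL analysis downstream; this step only decides which attachments to route there.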

What is required to solve for this attack?

  • Behavioral Analysis: Abnormal’s Behavioral AI flags never-before-seen senders, unusual email content, and URLs as anomalies that enable the detection of novel attacks.

  • Content Analysis and Natural Language Processing: Abnormal understands the email's content, recognizing the urgency and financial implications as indicators of a financially themed attack.