Adversaries may use emails from non-prevalent senders containing QR codes to deliver malicious payloads, leveraging the unexpected nature of the communication to evade traditional detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential phishing or credential theft campaigns that rely on social engineering through QR code-based payloads.
KQL Query
let QRCode_emails = EmailUrlInfo
| where Timestamp > ago (2d)
| where UrlLocation == "QRCode"
| distinct Url,NetworkMessageId;
let nMIDs = QRCode_emails | distinct NetworkMessageId;
// Extracting sender of the email with QRCode:
let senders_NMIDs = EmailEvents
| where Timestamp > ago (2d)
| where DeliveryAction != "Blocked" // Only delivered or Junked emails are interesting
| where isnotempty(NetworkMessageId)
| where NetworkMessageId in (nMIDs)
| distinct Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress, InternetMessageId, RecipientObjectId, ReportId;
let senders = senders_NMIDs
| distinct SenderFromAddress;
// Checking sender prevalence in the organization
let senderprevalence = EmailEvents
| where Timestamp between (ago(14d)..(now()-24h))
| where isnotempty(SenderFromAddress)
| where SenderFromAddress in (senders)
| summarize TotalEmailCount = count() by SenderFromAddress
| where TotalEmailCount > 1;
let prevalent_Sender = senderprevalence
| where isnotempty (SenderFromAddress)
| distinct SenderFromAddress;
// Checking where email sender was not prevalent.
let nMIDs_from_non_prevalent_Senders = senders_NMIDs
| where SenderFromAddress !in (prevalent_Sender)
| distinct NetworkMessageId;
let QRCode_emails_from_non_prevalent_senders = QRCode_emails
| where NetworkMessageId in (nMIDs_from_non_prevalent_Senders)
| join kind=inner senders_NMIDs on NetworkMessageId
| project Timestamp,Url,NetworkMessageId, InternetMessageId, RecipientObjectId,RecipientEmailAddress, ReportId;
QRCode_emails_from_non_prevalent_senders
id: 516046e8-a460-4f7b-86eb-421d3a9cdff1
name: Custom detection-Emails with QR from non-prevalent senders
description: |
In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code
description-detailed: |
In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code using Defender for Office 365 data.
Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- EmailEvents
- EmailUrlInfo
tactics:
- InitialAccess
relevantTechniques:
- T1566
query: |
let QRCode_emails = EmailUrlInfo
| where Timestamp > ago (2d)
| where UrlLocation == "QRCode"
| distinct Url,NetworkMessageId;
let nMIDs = QRCode_emails | distinct NetworkMessageId;
// Extracting sender of the email with QRCode:
let senders_NMIDs = EmailEvents
| where Timestamp > ago (2d)
| where DeliveryAction != "Blocked" // Only delivered or Junked emails are interesting
| where isnotempty(NetworkMessageId)
| where NetworkMessageId in (nMIDs)
| distinct Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress, InternetMessageId, RecipientObjectId, ReportId;
let senders = senders_NMIDs
| distinct SenderFromAddress;
// Checking sender prevalence in the organization
let senderprevalence = EmailEvents
| where Timestamp between (ago(14d)..(now()-24h))
| where isnotempty(SenderFromAddress)
| where SenderFromAddress in (senders)
| summarize TotalEmailCount = count() by SenderFromAddress
| where TotalEmailCount > 1;
let prevalent_Sender = senderprevalence
| where isnotempty (SenderFromAddress)
| distinct SenderFromAddress;
// Checking where email sender was not prevalent.
let nMIDs_from_non_prevalent_Senders = senders_NMIDs
| where SenderFromAddress !in (prevalent_Sender)
| distinct NetworkMessageId;
let QRCode_emails_from_non_prevalent_senders = QRCode_emails
| where NetworkMessageId in (nMIDs_from_non_prevalent_Senders)
| join kind=inner senders_NMIDs on NetworkMessageId
| project Timestamp,Url,NetworkMessageId, InternetMessageId, RecipientObjectId,RecipientEmailAddress, ReportId;
QRCode_emails_from_non_prevalent_senders
version: 1.0.0 | Sentinel Table | Notes |
|---|---|
EmailEvents | Ensure this data connector is enabled |
EmailUrlInfo | Ensure this data connector is enabled |
Scenario: Scheduled Job Sending QR Code for Internal Asset Tagging
Description: A system administrator uses a script (e.g., PowerShell or Python) to generate QR codes for internal asset tagging and sends them via email to IT staff.
Filter/Exclusion: Exclude emails sent from known internal admin accounts (e.g., [email protected]) or apply a filter based on the sender’s domain (company.com) and the presence of a specific header like X-Internal-Use.
Scenario: Marketing Campaign with QR Code for Event Registration
Description: A marketing team sends an email campaign with a QR code linking to an internal event registration page. The sender is a legitimate marketing email address.
Filter/Exclusion: Exclude emails from the marketing team’s domain ([email protected]) or use a filter based on the subject line containing keywords like “Event Registration” or “QR Code for Event”.
Scenario: Automated Report Generation with QR Code for Access Control
Description: A security tool (e.g., Splunk, SIEM) generates a report with a QR code for secure access to internal systems, and the email is sent to a privileged user.
Filter/Exclusion: Exclude emails sent from the SIEM tool’s admin account or filter based on the presence of a specific header like X-Splunk-Report or X-Siem-Generated.
Scenario: User-Generated QR Code for Internal Collaboration
Description: An employee uses a tool like QR Code Generator (QRCode.ch) to create a QR code for sharing a document or link and sends it via email to a team member.
Filter/Exclusion: Exclude emails sent from user accounts with a specific role (e.g., [email protected]) or filter based on the presence of a custom header like `X