Inbound emails containing QR codes with URLs and suspicious keywords in the subject line may indicate phishing attempts designed to deliver malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential credential theft or malware distribution vectors.
KQL Query

```kql
// Subject-line keywords commonly seen in credential-phishing lures
let SubjectKeywords = ()
{pack_array("authorize", "authenticate", "account", "confirmation", "QR", "login", "password", "payment", "urgent", "verify");};
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where Subject has_any (SubjectKeywords)
// Pair each message with the URLs Defender extracted from it, then keep only URLs decoded from QR codes
| join EmailUrlInfo on NetworkMessageId
| where UrlLocation == "QRCode"
```
```yaml
id: 706b711a-7622-40f1-9ebb-331d1a0ff697
name: Emails with QR codes and suspicious keywords in subject
description: |
  In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in the subject
description-detailed: |
  In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in the subject using Defender for Office 365 data.
  Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - EmailEvents
      - EmailUrlInfo
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  let SubjectKeywords = ()
  {pack_array("authorize", "authenticate", "account", "confirmation", "QR", "login", "password", "payment", "urgent", "verify");};
  EmailEvents
  | where Timestamp > ago(30d)
  | where EmailDirection == "Inbound"
  | where DeliveryAction == "Delivered"
  | where Subject has_any (SubjectKeywords)
  | join EmailUrlInfo on NetworkMessageId
  | where UrlLocation == "QRCode"
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| EmailEvents | Ensure this data connector is enabled |
| EmailUrlInfo | Ensure this data connector is enabled |
Scenario: A system administrator sends a scheduled report via email that includes a QR code for internal documentation access.
Filter/Exclusion: Exclude emails sent by the system administrator’s email address or from the “Reports” scheduled job in Microsoft Exchange or Google Workspace.
Scenario: A marketing team sends a campaign email with a QR code linking to a legitimate landing page, and the subject line includes a suspicious-looking keyword like “Verify Your Account” as part of a phishing simulation.
Filter/Exclusion: Exclude emails from the marketing team’s domain or those marked as “Phishing Simulation” in Microsoft Defender for Office 365 or Google Safe Browsing.
Scenario: An IT helpdesk sends an email with a QR code to a user’s device for remote support, and the subject line includes a keyword like “Support Request” or “Troubleshoot Now”.
Filter/Exclusion: Exclude emails sent from the helpdesk team’s email group or those associated with the “Remote Support” service in ServiceNow or Zendesk.
Scenario: A developer uses a QR code in an internal documentation tool to link to a code repository, and the subject line includes a keyword like “Code Review” or “Pull Request”.
Filter/Exclusion: Exclude emails sent from the development team’s email group or those associated with the “Code Repository” tool in GitHub or GitLab.
Scenario: A customer service representative sends an email with a QR code to a customer’s mobile app, and the subject line includes a keyword like “Confirm Your Subscription” or “Account Update”.
Filter/Exclusion: Exclude emails sent from the customer service team’s email group or those associated with the “Customer Portal” in Salesforce or Zendesk.
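As an added tuning example (this is not the page's hunting query and not Microsoft's code), the query below carries the original logic through with the exclusions the false-positive scenarios above call for, and then aggregates hits per sender so bulk QR-code sends surface first. The allowlists of sender addresses, sender domains and QR-code URL domains are constructed placeholders to be replaced with the organisation's own values (the team mailboxes, report jobs and simulation senders named in the scenarios), and the columns SenderFromAddress, SenderFromDomain, RecipientEmailAddress and UrlDomain are assumed to be present as documented in the Defender for Office 365 advanced hunting schema.

```kql
// Added tuning example, not the hunting query from the YAML above.
// Same keyword list as the original query, expressed as a dynamic array.
let SubjectKeywords = dynamic(["authorize", "authenticate", "account", "confirmation", "QR", "login", "password", "payment", "urgent", "verify"]);
// Constructed placeholder allowlists: replace with the scheduled-report, helpdesk,
// customer-service and phishing-simulation senders the scenarios describe.
let AllowedSenders = dynamic(["reports@example.com", "helpdesk@example.com", "customerservice@example.com"]);
let AllowedSenderDomains = dynamic(["example.com"]);
// Constructed placeholder: internal documentation and code-repository hosts that QR codes legitimately point at.
let AllowedUrlDomains = dynamic(["docs.example.com", "github.com", "gitlab.com"]);
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Delivered"
| where Subject has_any (SubjectKeywords)
// Exclusions from the false-positive scenarios: known automation and team mailboxes (case-insensitive match)
| where SenderFromAddress !in~ (AllowedSenders)
| where SenderFromDomain !in~ (AllowedSenderDomains)
// Keep only messages whose QR code decodes to a domain outside the allowlist
| join kind=inner (
    EmailUrlInfo
    | where UrlLocation == "QRCode"
    | where UrlDomain !in~ (AllowedUrlDomains)
    | project NetworkMessageId, Url, UrlDomain
  ) on NetworkMessageId
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderFromDomain, RecipientEmailAddress, Subject, Url, UrlDomain
// One row per sender and QR-code domain: a phishing campaign typically hits many recipients with the same lure
| summarize Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Subjects = make_set(Subject, 5),
            Urls = make_set(Url, 5)
    by SenderFromAddress, UrlDomain
| order by Recipients desc
```

The sender and domain exclusions are applied before the join so the allowlisted traffic never reaches EmailUrlInfo, and the URL-domain filter sits inside the joined subquery so a message is dropped only when its QR code resolves to an allowlisted host. Review the allowlists periodically: an allowlisted sender mailbox that is later compromised would be excluded from this hunt, so pair the exclusion with monitoring of those accounts rather than treating it as permanent.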