Cybersecurity intelligence firm Cofense identified a large-scale phishing campaign that bypassed advanced security measures, including Microsoft Defender for Office 365. The attack relied on two older, well-established tactics, QR codes and malicious HTML attachments, to target nearly 8,000 employees at a major U.S. energy company.
The phishing emails reached the inboxes of 7,998 of the 8,000 targeted employees. Cofense's research confirmed that Microsoft Defender for Office 365, the organization's secure email gateway (SEG), neither blocked nor quarantined the messages, showing that basic phishing techniques remain effective against modern defenses when they sidestep what the gateway actually inspects.
Anatomy of the Phishing Campaign
The attack began with emails carrying a simple lure instructing recipients to "review this document." Instead of a clickable link, the email body contained a PNG image of a QR code. This works because most email security controls look for malicious URLs in the text and HTML of a message (link rewriting, reputation lookups, sandbox detonation); a URL encoded only as pixels in an image is never extracted unless the gateway decodes QR codes. Scanning also moves the victim to a personal phone, outside the corporate web proxy and endpoint controls that might otherwise catch the landing page.
Scanning the QR code with a mobile device led the user to a malicious HTML attachment. Opened in a browser, that file ran obfuscated JavaScript which redirected the user to a fraudulent page built to look exactly like a Microsoft login page. The page's sole purpose was to harvest the account credentials entered when the user tried to sign in to view the supposed document.
Bypassing Modern Security Protocols
The multi-step design of the attack was key to its success against security filters. By encoding the initial destination in a QR code, the attackers avoided direct URL scanning by the SEG. The HTML attachment with obfuscated JavaScript added a second layer: static analysis of the attachment does not reveal the final landing page, so reputation and content checks against the credential-harvesting site never run.
The Cofense report noted that the attackers used an established technique, an HTML redirector. The method is not new, but it proved highly effective in this campaign. The near-total delivery rate exposes a significant gap in the ability of some advanced security tools to stop phishing that uses simple but evasive delivery mechanisms such as QR codes and HTML attachments opened locally in the browser. Practical countermeasures for defenders include quarantining or detonating inbound HTML attachments, decoding QR codes found in inbound images, treating image-only "review this document" lures as high-signal, and enforcing phishing-resistant MFA so that a harvested password alone is not enough.
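The two evasion steps above, an image-only lure with no scannable URL and an HTML attachment whose real destination is hidden behind runtime decoding, can both be surfaced with a simple message-triage pass. The following is an added example, not code from Cofense or from the Dark Reading article: it builds a constructed sample message (the PNG bytes are a placeholder standing in for a QR code, not a real QR image, and the phishing URL `login.example-phish.test` is hypothetical), then analyzes it with the standard library only, flagging the image-only lure and decoding base64 literals passed to `atob()` in the HTML attachment to recover the hidden redirect target.

```python
import base64
import email
import re
from email import policy
from email.message import EmailMessage

# Hypothetical credential-harvesting destination used by the constructed sample.
REDIRECT_TARGET = "https://login.example-phish.test/office365/"

# A minimal HTML redirector of the kind the article describes: the real URL
# exists only as a base64 literal that the browser decodes at runtime.
HTML_REDIRECTOR = (
    "<html><body><script>"
    'var p="' + base64.b64encode(REDIRECT_TARGET.encode()).decode() + '";'
    "window.location.replace(atob(p));"
    "</script></body></html>"
)


def build_sample_eml() -> bytes:
    """Construct a sample lure: a text body with no link, an inline PNG
    standing in for the QR code (placeholder bytes, not a real QR code),
    and the HTML redirector as an attachment."""
    msg = EmailMessage()
    msg["From"] = "docs@example.test"
    msg["To"] = "employee@example.test"
    msg["Subject"] = "Action required: review this document"
    msg.set_content("Please review this document by scanning the code below.")
    msg.add_related(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, maintype="image",
                    subtype="png", disposition="inline", filename="qr.png")
    msg.add_attachment(HTML_REDIRECTOR, subtype="html", filename="document.html")
    return msg.as_bytes()


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}
# Runtime decoding / dynamic-code primitives and client-side redirection.
OBFUSCATION_RE = re.compile(r"\b(atob|unescape|eval|String\.fromCharCode)\s*\(")
REDIRECT_RE = re.compile(
    r"(window|document|self|top)\.location(\.href|\.replace|\.assign)?\s*[=(]"
    r"|<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)
# Quoted base64-looking literals; decoding them recovers hidden URLs.
B64_LITERAL_RE = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")


def recover_base64_urls(script: str) -> list:
    """Decode every base64-looking string literal and return any URLs inside."""
    urls = []
    for literal in B64_LITERAL_RE.findall(script):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        urls.extend(URL_RE.findall(decoded))
    return urls


def analyze_eml(raw: bytes) -> dict:
    """Triage one message for the QR-code lure + HTML-redirector pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"body_urls": [], "image_parts": [], "html_attachments": [],
              "hidden_urls": [], "flags": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        disposition = part.get_content_disposition()
        if ctype == "text/plain" and disposition != "attachment":
            report["body_urls"] += URL_RE.findall(part.get_content())
        elif ctype in IMAGE_TYPES:
            report["image_parts"].append(part.get_filename() or "(inline image)")
        elif ctype == "text/html" and disposition == "attachment":
            html = part.get_content()
            report["hidden_urls"] += recover_base64_urls(html)
            report["html_attachments"].append({
                "name": part.get_filename(),
                "redirects": bool(REDIRECT_RE.search(html)),
                "obfuscated": bool(OBFUSCATION_RE.search(html)),
            })
    # An image-only lure with nothing for the URL scanner is the QR signature.
    if report["image_parts"] and not report["body_urls"]:
        report["flags"].append("image-only lure, no URL for the SEG to scan")
    for att in report["html_attachments"]:
        if att["redirects"] and att["obfuscated"]:
            report["flags"].append(
                f"HTML attachment {att['name']} is an obfuscated redirector")
    report["verdict"] = "suspicious" if report["flags"] else "clean"
    return report


if __name__ == "__main__":
    result = analyze_eml(build_sample_eml())
    print(result["verdict"])
    for flag in result["flags"]:
        print(" -", flag)
    for url in result["hidden_urls"]:
        print(" hidden URL:", url)
```

The image check here only notices that the lure has no scannable link; actually reading the QR code requires an image decoder (for example the pyzbar library), after which the extracted URL can be fed to the same reputation and detonation checks the gateway applies to text links. The `atob()` recovery handles only the simplest redirector; nested encodings or split strings need real JavaScript execution in a sandbox, which is the control the article's "detonate HTML attachments" advice points at.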
Source: https://www.darkreading.com/cyberattacks-data-breaches/advanced-security-phishing-tactics