QR codes: We've all seen them, but did you know they are one of the fastest growing attack vectors right now?
Why are they so effective?
1. They are traditionally hard to detect and block because they are images or sometimes even images embedded within images that traditional email filtering cannot analyze.
2. They prompt a victim to use their personal mobile device which is normally far less protected than a corporate laptop.
3. They can open a phishing website that can be hard to distinguish from a legitimate site on a small mobile screen.
But there are solutions to combat this threat.
Microsoft just announced that Defender for Office now has the capability to detect and block malicious QR codes in emails. One of the ways it does this is by extracting the URL from the code and checking against known-bad web addresses or even opening the URL in a sandbox to confirm that it is malicious.
I've included the link to Microsoft's announcement below.
This is a big step forward, but what about QR codes that are not in emails? How can you protect your users and your organization from these attacks?
What if it's a QR code on a flyer on their windshield and they use their personal phone to open it?
A few ways to minimize the risk:
1. User training. This is not an end-all solution, but a necessary part.
2. MFA with number matching. If the user accidentally divulges their credentials, MFA with number matching makes it significantly harder for the attacker to gain access to the user's account.
3. Conditional access. If users can only access their corporate resources on company-managed devices, the attacker is once again cut off at the knees.
4. Security monitoring. This is a good overarching solution to catch anything that falls through the cracks. Impossible travel alerts, anomalous user behavior, brute force attacks, etc. can all indicate a compromised account. If no one's watching, the attackers have as much time as they need to break in.
What are you doing to block the threat of malicious QR codes?
As always, I'm happy to chat if you have questions or need some guidance. No strings attached.