Microsoft Touts Defender For Office 365 As QR Code Phishing Attacks Surge

GenAI is helping push the surge, some researchers say.

Last month, QR code stickers started popping up on parking meters in Lynbrook, N.Y. The stickers directed motorists to use the QR code to pay for parking.

There was one issue: Lynbrook doesn’t use QR codes as a way to pay for parking, police there said.

Instead, the stickers were part of a scam to get people to connect to a malicious website, authorities said.

QR code phishing attacks (sometimes referred to as “quishing”) are on the rise. Between 2021 and 2023 there has been a 433 percent increase in QR code scans, according to a research report by the Insikt Group for Recorded Future. With this increase came a surge in QR scams, the report revealed.

In addition, the advent of generative AI has helped fuel QR code phishing. “LLMs can allow threat actors to generate approximately 1,000 phishing emails that are nearly as convincing as their humanly crafted counterparts in under two hours for as little as $10. On a related note, researchers associated a reported 1,265 percent increase in phishing attacks with the release of tools such as ChatGPT,” the report noted.

Now Microsoft is touting its Defender for Office 365 as a way to combat QR code attacks. Defender has blocked approximately 1.5 million QR code phishing emails per day, and over 18 million unique QR code phishing emails per week, according to a Microsoft Security blog post.

Microsoft outlined how Defender can thwart QR code phishing:

Insikt’s report includes more information on QR code phishing:

“QR code generator services represent another avenue of third-party risk for you to manage,” research firm Forrester cautioned in a blog post. Forrester also suggests ensuring that any QR codes developed for your business are secured against exploitation by hackers.

“You must mitigate the risk of QR codes from when they’re created through when a user engages with them to their extended lifespan on social media and elsewhere,” Forrester advised. Some ways organizations can do this: QR codes don’t have to be black and white; instead, Forrester suggests incorporating your brand’s colors to make it harder for scammers to alter or replace your QR codes.

Forrester further advised organizations to create “an easy process for employees to report any suspicious QR codes at customer-facing locations to enable a prompt investigation.”