Blog

Novel QR Code Phishing Campaign Steals M365 Credentials via Microsoft Sway

QR codes are used for a wide range of purposes, including marketing, communications, and even in restaurants to direct diners to menus, and with the popularity of QR codes soaring it should be no surprise that they are being used by cybercriminals in their phishing campaigns. QR codes are similar to the bar codes on products. They are black and white images that contain information, which for QR codes is commonly a URL for a web page or hosted file. A camera on a smartphone is used to scan the code, which will detect the URL, and the user can click that URL to visit the resource. It is far more convenient than entering a URL on a mobile phone keypad.

The use of QR codes has been growing considerably. According to a 2024 report from QR Tiger on QR Code trends, there has been 47% year-over-year growth in QR code usage. The convenience of QR codes and their growing popularity have not been lost on cybercriminals who are using QR codes to direct unsuspecting users to malicious websites that host malware or are used to phish for credentials. As an added advantage, many traditional security solutions are unable to assess the URLs in QR codes and fail to block access to malicious sites.

QR code phishing (aka quishing) may involve QR codes sent via email. Instead of embedding a hyperlink in an email, a QR code is used to evade email security solutions. A novel campaign has recently been detected by security researchers at Netskope Threat Labs that uses QR codes to steal Microsoft 365 credentials. In this campaign, a Microsoft 365 product called Microsoft Sway is abused to host the spoofed web pages.

Microsoft Sway is used for creating newsletters and presentations and was first released by Microsoft under the M365 product suite in 2015. Since Microsoft Sway is a legitimate Microsoft cloud-based tool, a link to a Sway presentation is unlikely to be identified as malicious by security solutions, as Sway is a trusted platform. The link to the Sway presentation may be distributed in emails, SMS messages, and instant messenger platforms, or can be added to websites in an iframe. A QR code could even be used to direct a user to the Sway presentation.

That presentation includes a QR code that encodes a URL for a website that masquerades as a legitimate Microsoft site. If scanned, the user is directed to a web page where they are asked to enter their Microsoft 365 credentials. What makes this campaign even harder for users to identify is the transparent phishing technique used.  Entering credentials will log the user into the legitimate site, and at the same time credentials are captured along with any MFA code, which are relayed to the attacker. The credentials and MFA code are then used to hijack the account.

TitanHQ offers several cybersecurity solutions that provide layered protection against advanced phishing attempts, including quishing. Since these scams target individuals, it is important to raise awareness of the threat by providing security awareness training to the workforce. The SafeTitan platform from TitanHQ includes a wealth of training content, including modules for raising awareness of quishing. The platform also includes a phishing simulator with quishing templates to test whether employees scan QR codes and visit the websites they encode.

Regardless of how a URL is communicated to a member of the workforce, it is possible to block access to a malicious URL with a DNS filter. TitanHQ’s DNS filter, WebTitan, blocks access to all known malicious websites and is constantly updated with the latest threat intelligence from a global network of users. As soon as a malicious URL is detected, the solution is updated and all WebTitan users are protected. QR code may direct users to websites where malware is downloaded. WebTitan can be configured to block file downloads from the internet by file type.

QR codes are commonly sent via email, so an advanced email security solution is required. SpamTitan is a cutting-edge spam filtering service that uses advanced detection techniques, including AI and natural language processing to identify and block these threats, even zero-minute phishing attempts. In contrast to many spam filters for incoming mail, SpamTitan can detect novel phishing and quishing attempts. Finally, businesses can add another layer of protection through PhishTitan, TitanHQ’s advanced anti-phishing solution for Microsoft 365 which blocks attempts to visit phishing sites and allows security teams to easily remediate phishing attempts across their entire email system.

Phishers are constantly developing new tactics and techniques for distributing malware and stealing credentials, but with TitanHQ solutions in place, you will be well protected against these rapidly evolving threats. Talk with TitanHQ’s cybersecurity experts today for more information on staying one step ahead of cybercriminals and keeping your company safe.

Surge in FakeBat Malware Infections via Malvertising Campaigns

A malvertising campaign is behind a surge in FakeBat malware infections, according to researchers at Google’s Mandiant. FakeBat is a malware loader that is offered to other cybercriminals under the malware-as-a-service model. Once infected with FakeBat, system information is gathered and exfiltrated to its command-and-control server, and if the victim is of interest to the threat actor’s business partners, they can use FakeBat to download their own payloads onto an infected device. FakeBat, also known as EugenLoader, has fast become a major player among cyber threats with infections increasing significantly in recent months due to the ability of the malware to evade security solutions and hide the additional payloads it delivers.

FakeBat malware is primarily distributed via malvertising and drive-by downloads. Malvertising is the name given to malicious adverts that trick Internet users into downloading malicious software. Malicious adverts are created on online advertising platforms such as Google Ads, and the adverts then appear prominently at the top of search engines for certain search terms. They often catch unwary Internet users who fail to check the URL they are directed to after clicking an advert. Google has numerous safeguards in place to thwart attempts by threat actors to upload malicious adverts to its platform, but threat actors can bypass those security controls. Malicious adverts may also appear in the third-party ad blocks that many website owners add to their sites to generate additional revenue. The domains used for these scams can be convincing, as they often closely resemble the domain name of the legitimate software provider.

Drive-by downloads of malware can occur on many different websites, including attacker-owned domains and compromised sites. Websites may be created for the sole purpose of delivering malware, with black hat search engine optimization (SEO) techniques used to get web pages to appear high in the search engine listings for certain search terms. Cybercriminals may also compromise legitimate websites by exploiting vulnerabilities and then create new web pages on those sites for malware distribution. These sites often contain JavaScript that runs when a user lands on the site and generates a fake security warning, such as an alert that malware has been detected on their device. Software is offered to remove the malware, but downloading the installer will result in malware being installed.

These approaches are often used to target company employees, with adverts and malicious web pages offering popular software downloads. The adverts and websites are carefully crafted to make the user believe they are downloading the genuine software they seek. Oftentimes, the adverts and websites provide legitimate software; however, the installers also side-load malware. These malware infections often go unnoticed since the user gets the software they are expecting.

The malvertising campaigns that deliver FakeBat malware use signed MSIX installers that impersonate popular software products such as WinRAR, the password software KeePass, the gaming platform Steam, the video conferencing platform Zoom, and web browsers such as Brave. Malware known to be delivered by FakeBat includes information stealers (e.g. Redline Stealer, Lumma Stealer), banking trojans (e.g. IcedID), Remote access Trojans (e.g. SectopRAT), and more.  The threat actor is also known to use phishing to distribute FakeBat malware.

Businesses should ensure they take steps to prevent malware infections via malvertising and drive-by downloads, as a single mistake by an employee can result in a costly malware infection and data breach and could potentially also lead to a ransomware attack and significant data loss.

TitanHQ offers cybersecurity solutions that offer multiple layers of protection against malware infections. Since these campaigns trick employees into installing malware, one of the best defenses is to provide comprehensive security awareness training. TitanHQ’s SafeTitan security awareness training platform makes it easy for businesses to improve the security awareness of their workforce by eradicating risky behaviors and teaching employees how to recognize, avoid, and report threats. The platform also includes a phishing simulator to test employees’ skills at identifying phishing attempts with training content automatically generated in response to simulation failures.

Technical defenses are also important to prevent employees from visiting malicious websites. The WebTitan DNS filter is a powerful tool for carefully controlling access to websites. WebTitan blocks access to all known malicious sites and can be configured to block certain file downloads from the Internet, such as MSIX installers. TitanHQ’s SpamTitan cloud-based spam filter and the PhishTitan anti-phishing solution provide cutting-edge protection against phishing attempts. The engine that powers these solutions has been independently tested and demonstrated to block 100% of known malware. SpamTItan also includes email sandboxing for identifying malware by its behavior, in addition to twin antivirus engines for blocking known malware, and machine learning capabilities to detect novel phishing threats.

To find out more about improving your defenses against malvertising, drive-by downloads, phishing, and other cyber threats, give the TitanHQ team a call. All TitanHQ solutions are also available on a free trial to allow you to put them to the test before making a purchase decision.

Is Your Business Protected Against Internal Phishing Attempts?

If a phishing attempt is successful and a threat actor gains access to an employee’s email account, it is common for the compromised email account to be used for internal phishing. Some malware variants also allow threat actors to hijack email accounts and send malware internally, adding a copy of the malware to a message thread to make it appear that a file was attached in response to a past email conversation.

There are several different scenarios where these types of attacks will occur such as business email compromise attacks to gain access to an email account that can be used for the scam – a CEO, executive, HR, or IT department account for example; to distribute malware extensively to compromise as many accounts as possible; to gain access to multiple email accounts, or to compromise multiple accounts to gain access to sensitive data.

In industries where data breach reporting is mandatory, such as in healthcare in the United States, email account breaches are regularly reported where unauthorized activity is detected in a single email account, and the subsequent investigation reveals multiple employee email accounts have been compromised through internal phishing.

Internal phishing attempts are much harder to identify than phishing attempts from external email accounts. Even when email security solutions incorporate outbound scanning, these phishing attempts are often not recognized as malicious as the emails are sent from a trusted account. The recipients of these emails are also much more likely to trust an internal email than an external email from an unknown sender and open the email, click a link, or open a shared file.

Attackers may also spoof an internal email account. It is easy to find out the format used by a company for their emails, and names can be found on professional networking sites. A good email security solution should be able to identify these spoofed emails, but if they arrive in an inbox, an employee may be fooled into thinking that the email is a genuine internal email.

It is important for businesses to take steps to combat internal phishing as it is a common weak point in email defenses. Unfortunately, there is no single technical control that can protect against these phishing attempts. What is required is a combination of measures to provide layered protection. With layered security, if one measure fails to protect against a threat, others are in places that can thwart the attempt.

The best place to start is with a technical measure to identify and block these phishing threats. Spam filter software naturally needs to have inbound as well as outbound scanning; however, standard checks such as reputation scans are not enough. An email security solution should have AI and machine learning capabilities for assessing how emails deviate from standard emails sent internally and for in-depth analysis of message content. Link scanning is also important, with URL rewriting to identify the true destination of embedded URLs, OLE detection, and email sandboxing to identify malicious attachments – not just malware but also malicious links in email attachments.

Security awareness training is vital as employees may not be aware of threats they are likely to encounter. Security awareness training should include internal phishing and employees should be made aware that they should not automatically trust internal emails as they may not be what they seem. Security awareness training should be accompanied by phishing simulations, including simulated phishing attempts from internal email accounts.  These will give employees practice in identifying phishing and security teams will learn how susceptible the workforce is and can then take steps to address the problem.

Multi-factor authentication is required. If a phishing attempt is not identified by either a security solution or the employee, and the employee responds and divulges their credentials, they can be used by the threat actor to access the employee’s email account. Multi-factor authentication protects against this by requiring another factor – in addition to a password – to be provided. The most robust form of MFA is phishing-resistant MFA, although any form of MFA is better than none.

TitanHQ can help protect against phishing attacks of all types through the SpamTitan cloud-based spam filtering service, the PhishTitan anti-phishing solution for M365, and the SafeTitan Security awareness training and phishing simulation platform.

The engine that powers SpamTitan and PhishTitan has an exceptional phishing catch rate, including internal phishing attempts. The engine incorporates AI- and machine learning algorithms that can detect novel phishing attempts and emails that deviate from the normal emails sent internally, as well as OLE detection, URL rewriting, and email sandboxing for catching novel malware and phishing threats.

The SafeTitan Security awareness training platform includes an extensive library of training content to teach security best practices, eradicate risky behaviors, and train employees on how to recognize an extensive range of threats. The phishing simulator makes it easy to conduct internal phishing tests on employees to test knowledge and give employees practice at identifying email threats. Usage data shows the platform can reduce employee susceptibility to phishing attempts by up to 80%.

For more information about improving your phishing defenses, speak with TitanHQ today.

Common Phishing Examples That Employees Fall For

Phishing is the name given to a type of cyberattack where the threat actor uses deception to trick an individual into taking an action that benefits the threat actor. A lure is used to get the targeted individual to respond and these attacks typically create a sense of urgency. Urgency is required as phishers need users to act quickly rather than stop and think about the request. The faster the response, the less time there is to identify the scam for what it is. There is often a threat to help create a sense of urgency, such as negative consequences if no action is taken.

Phishing can take place over the phone, SMS, and instant messaging platforms, but email is the most common way of getting the phishing lure in front of an employee. It is now common for businesses to provide security awareness training to the workforce to raise awareness of phishing threats and to have a spam email filter in place to detect and quarantine these malicious emails before they reach inboxes; however, even with robust defenses in place, some malicious emails will arrive in inboxes and employees are often tricked into responding.

Security awareness training programs teach employees to stop and think before taking any request in an email, which is the last thing phishers want the recipients of their emails to do. One of the ways they can get a quick response is to make the recipient believe that the email has been sent from an internal email account, either through spoofing or by using a compromised internal email account. Some of the lures used in phishing attempts that the majority of employees will at least open and read, are detailed below.

HR Themed Phishing Emails

One of the ways that phishers increase the chance of a user responding is to use Human Resources (HR)-themed lure, as any communication from the HR department is usually taken seriously by employees. These phishing attempts include the types of notifications that HR departments often send via email, examples of which include:

  • Changes to working hours
  • Updates to working practices
  • Dress code changes
  • Upcoming training/cybersecurity training sessions
  • Annual leave notifications
  • Payroll information requests
  • Tax matters
  • Healthcare and wellness benefit updates
  • Employee rewards programs
  • Notifications about disciplinary procedures

IT Department Notifications

Notifications from the IT department are also common as employees typically open these emails and act quickly. These include:

  • Internet activity reports
  • Security alerts
  • The discovery of unauthorized software
  • Changes to access rights
  • Requires software installations

Notifications from Board Members

Phishers often impersonate the CEO or other executives, as they know that employees will want to respond quickly and are unlikely to question requests from these authority figures. CEOs are commonly impersonated in business email compromise attacks, where the threat actor tries to get an employee to make a wire transfer to their account, purchase gift cards, or divulge sensitive information. These emails may include a hyperlink to a website where the user is told they must enter their login credentials, a hyperlink to a website where a file download takes place, or the emails may include an attachment. Common file types used in these email campaigns include PDF files, HTML attachments, Office files, and compressed files. These files may contain malware or malicious scripts, or may be used to hide information from spam filtering software. For example, PDF files are commonly used that contain malicious links. By adding the link to the PDF file, there is less chance that spam filtering software will find and follow the link.

How to Defend Against These Common Email Threats

Defending against email attacks requires advanced anti spam software and regular security awareness training for the workforce.  SpamTitan from TitanHQ is an advanced cloud-based anti-spam service that performs comprehensive checks for spam and malicious emails, including an inbound spam filter and outbound filtering with data loss prevention. SpamTitan performs reputation checks of the sender’s domain and email account, recipient verification, anti-spoofing checks, and alias recognition, and allows geoblocking to prevent the delivery of emails from certain locations (overseas, for instance).

SpamTitan also incorporates extensive content filtering mechanisms, including rewriting URLs to identify the true destination, URL checks to identify malicious content, anti-phishing measures including machine learning algorithms to detect suspicious content that deviates from the standard emails typically received, Bayesian analysis to identify spam and phishing, OLE detection, dual antivirus engines, and email sandboxing. Sandboxing is key to blocking malware threats, including previously unseen malware. With SpamTitan in place, the vast majority of threats will not arrive in inboxes. In recent independent tests, SpamTitan had a 99.99% spam detection rate, a 99.98% phishing detection rate, and a 100% malware detection rate, with zero false positives.

TitanHQ also offers a comprehensive security awareness training platform called SafeTitan. SafeTitan makes it easy for businesses to create and automate security awareness training programs for the workforce, and tailor programs for different departments and user groups. The content is fun and engaging and is delivered in modules of more than 10 minutes, which makes security awareness training easy to fit into busy workflows. SafeTitan also includes a phishing simulator for assessing the effectiveness of training and for giving employees practice at identifying phishing attempts, including the types of phishing attempts mentioned in this article that often fool employees.

SpamTitan and SafeTitan, like all TitanHQ solutions, are easy to implement, use, and maintain, and are available on a free trial. For advice on improving cybersecurity at your business and for further information on TitanHQ solutions, call the team today and take the first step toward improving your security posture.

When Was the Last Time You Updated Your Security Awareness Training Program?

Do you provide security awareness training to your workforce? If so, when was the last time you updated the content? Chances are you are not keeping your employees sufficiently up to date on the rapidly changing tactics, techniques, and procedures used by cybercriminals which means your training will not be as effective as it should be.

Security awareness training used to be a relatively straightforward process aimed at teaching members of the workforce good cybersecurity practices such as choosing complex passwords, exercising caution when entering sensitive information on screen to ensure they are not being watched, and looking for spelling mistakes, grammatical errors, unusual email addresses, and other signs of phishing emails. Providing an annual security awareness training session once a year or biannually was satisfactory, but things are now very different.

Cybercriminals are constantly developing new ways of tricking employees, translators are much more accurate than they once were, and generative AI can be leveraged not only to create phishing emails free of errors but these tools can also be used to create new lures to trick employees into responding, not to mention the use of deepfakes that can be incredibly convincing.

While the main threat is still email-based attacks, cybercriminals are using a range of methods to reach employees including SMS messages, instant messaging services, social media platforms, and voice phishing, and often a combination of those methods. For example, initial contact may be made via email, and the recipient is told to call the provided phone number urgently to prevent a payment for a subscription service from being taken from their account. Tactics are also changing rapidly, with new attacks on employees constantly being developed. Any training program that is not constantly being changed to reflect these new tactics means there will be significant knowledge gaps and cybercriminals will be all too quick to exploit.

While the aim of security awareness training for many businesses is to raise the baseline level of knowledge and ensure that everyone is aware of security risks that they are likely to encounter, given the rapidly changing threat landscape and the sophistication of phishing and BEC attacks, more needs to be done.

Security awareness training should be an ongoing process, with training provided regularly throughout the year. Training should be provided at least monthly and preferably weekly, using short training modules that can be completed in just a few minutes. Providing training regularly in small bite-size chunks helps to keep cybersecurity fresh in the mind, makes it more likely that the information will be remembered, allows businesses to keep employees up to date on changing tactics, and it is much easier to fit the training into busy workflows. The training content can be completed when employees find they have 10 minutes spare.

Developing a training course is time-consuming, especially when the content needs to be regularly refreshed. The easiest approach is to use a training vendor who keeps their content up to date based on the latest threat intelligence and provides a platform that makes creating tailored training courses for businesses and the individuals who work there a quick and easy process.

The SafeTitan platform from TitanHQ has been developed to make security awareness training simple for employers, allowing them to create effective training courses tailored for each individual, job role, or department. The platform makes it easy to automate training programs so they run continuously throughout the year, including automated training in response to errors by employees. When a security error is made, training relevant to that error is immediately generated. That means the problem is nipped in the bud as training is delivered when it is most likely to have the desired effect – changing behavior to prevent similar errors in the future.

The SafeTitan platform includes hundreds of training modules of no more than 10 minutes, which can be easily customized and compiled into training courses for all job roles and knowledge levels, with new content constantly added based on the latest threat intelligence. The platform includes a phishing simulator that allows simulations to be conducted to give employees practice at identifying threats as well as to provide management with feedback on the effectiveness of the training. Weak links can be identified and corrected through further training and, like the training courses, the simulations can be automated.

The SafeTitan platform allows businesses to adopt a more proactive approach to security awareness training to stay one step ahead of cybercriminals and develop a security culture through training where employees can recognize, avoid, and report security threats. Coupled with the SpamTitan anti-spam service and the PhishTitan anti-phishing platform, businesses will be well protected in this ever-changing threat landscape.

Give the TitanHQ team a call to find out more about improving your technical defenses against phishing, malware, and other threats as well as creating a formidable human firewall. All TitanHQ solutions are available on a free trial and the team will be happy to arrange a product demonstration to help get you started.