
Okay, welcome to Game of Codes: QR Thrones, Image Battles and the Quest for Initial Access. I'm Josh Kamdjou. Quick background on myself: you can find me on the internet as jkamdjou. I'm the founder and CEO of Sublime Security. We're a free and open detection-as-code platform for email attack defense and threat hunting. The reason that's relevant for today is that we see and detect lots of QR code phishing, which has become very big recently, and obviously a lot of other types of phishing as well. Prior to Sublime I spent most of my career doing offensive cyber-related things for government-related places, and some time in the private sector doing pen testing and red teaming, a lot of gaining initial access via phishing. So I was on the offensive side and now I'm on the defensive side. Prior to that, if you're familiar with the States, I went to the University of Maryland and studied computer science. I did a lot of martial arts and I played a lot of Halo 3, so if you're a Halo 3 fan, hit me up, slide into my DMs, we can do a little something.

All right, quick agenda for today. We're going to start off with what QR code phishing is. We'll talk about what we've been seeing in the wild. We'll talk about what makes QR code phishing so effective, why it's a great tool for attackers today and why they've chosen to use this as a lure. We'll talk about different signals that you can use for detection and prevention, and then we'll briefly talk about some defense-in-depth strategies. We've also got some bonus content for some even more recent trends that we've started to see.

By show of hands, who has seen a QR code phishing attack, or received one, or someone in your organization has received one? Okay, so the majority of folks. So it's relatively self-explanatory, I think: there's a QR code embedded in the email message, and that QR code, when scanned, leads to some kind of harmful link. That harmful link can be a credential phishing page, which it typically is, or it could lead to a malware download. The unhinged sometimes refer to this as "quishing", but this will be the one and only time that you hear that word come out of my mouth during this talk. Any bold folks, scan this QR code. [Laughter]

QR code phishing has become very prolific. We'll get into a bunch of specific variants that we've been seeing in the wild. We're seeing lots of different impersonations of different brands, lots of different attacker social engineering techniques. Microsoft impersonations and DocuSign impersonations have been very big, Teams, Adobe, and we'll get into
the specifics of these and show you what attackers have actually been sending.

So why QR code phishing? What makes it such an attractive phishing lure? Well, first and foremost, it's everywhere in our daily lives. We see it in restaurants, we see it in our conference booklets...

[Audience] Even on trains.

That's right, in the trains, yep. Parking lots. We see it everywhere in real life. We see it in marketing emails and invitations. We see it in the "big fausi", that's kind of my favorite one here. Number two, it's used legitimately on the internet, both in SaaS applications and in email communications from SaaS vendors. These are all legitimate uses of QR codes here: we've got greetings from vendors, from known partners, coming in through email, we've got registrations, we've got MFA configurations, MFA setups, all kinds of things. And so we're being trained, conditioned as users, to think that this is normal, right? And we also have some kind of association between certain tendencies, like configuring MFA, and QR codes; those kind of go hand in hand. We'll see that manifest in the actual attacks that we're seeing: attackers are taking advantage of that association that we have.

Number three, you can't see what's behind a QR code without scanning it. We've trained our users, and we've been trained, to hover over links in emails, right, to see where does this lead, is this bad, does it match what I'm seeing as the display URL. You can't do that with a QR code. So looking at this QR code, does anyone think that this is legit, or malicious? Yeah, nobody knows, no hands, right?

[Audience] It's a mystery.

That's right, that's right, it's completely obfuscated. So that's very attractive for attackers.

Number four, there's no traditional URL or attachment or payload in the message, and so not only does that make it more difficult for the users, but it also makes it more difficult for security tools. Down below here we've got an example of the HTML section of an email message. This is all that's in the message, right? There's no URL, there's no actual payload here. What it actually is is an attachment, an embedded CID attachment, which is an image, and in the image is where the QR code is embedded. So the email security tools actually have to have a specialized decoder to understand these, decode them and be able to recognize that they exist. This has made the job of email gateways very difficult recently. That's why it's been so effective landing in user inboxes, and some folks are having a hard time with that.

And here's an example of that image. This same image is actually what we call an image-as-content attack, so the entire content of this attack is embedded in an image. There's no text in the HTML section of the message or the plain-text section of the message. So all of these signals that traditionally would be embedded in the body of a message, and that email security tools are traditionally used to scanning and analyzing for malicious intent, are actually just in a single image, and that makes it more difficult to detect. These image-as-content attacks have been really big recently: just an image attachment embedded in the message, sometimes it's a PDF attachment. There are lots of different methods that we're seeing, and these are all evasion techniques.

All right, so let's talk about some of the variants that we're seeing in the wild. There are a couple of motivations for
this, in terms of why we're interested in seeing these. One is around user education: if we understand what attackers are using, we can better recognize those attacks ourselves and better educate our users to do so as well, and it may help us also anticipate the next evolution of these types of attacks. The other reason is that by looking at the different variants we can identify signals for detection: what are the signals that are common across all of these types of attacks, and then we can build really effective detections from those. So that's the mindset that we're going into this with.

We've redacted PII from these attacks and replaced any personally identifiable information with fictitious company information. The reason we've done this is that the information here is actually used in the attacks to make them look more legitimate, so it's important to preserve it so that we can build proper detections and identify useful signals. So if you see Rachel Tyrell, she's the recipient of these attacks; if you see rachel@tyrellcorp.com, that's her email address; tyrellcorp.com is the organization domain. We'll dig into even more specific signals, but this is the baseline context to know going into it.

Okay, first attack. This is one of, I think, four variants of Microsoft impersonation attacks, so I'll give you all a second to digest that really quickly. Yeah, this is obviously not from Microsoft; this is impersonating Microsoft. We can take a look at some of the signals here and break this down. We've got a subject with "reauthentication", so this goes back to leveraging that connection that people have around QR codes and MFA, QR codes and authentication; this is part of that social engineering tactic. In the center we've got "Tyrell Corp IT Department", so impersonating both the organization that they're targeting and some kind of entity that they might need to respond to, like the IT department. We can see the QR code that we've decoded, ma security dl.com.

Now let's talk about some of the signals here for identification of this attack. We're going to do this a few times with different variants, and at the end we're going to look at all the signals together and build some effective detection capabilities. First and foremost, we see a Microsoft logo in the body of the message. We see a sense of urgency in the subject: "update required", exclamation marks, all caps. We've got a QR code that points to a suspicious URL. We've got the recipient's second-level domain in the sender's display name. Let's talk about this real quick. "Tyrell Corp" right here: this is a very common technique used in automated mass campaigns. What you'll see is the attacker takes the second-level domain of tyrellcorp.com: tyrellcorp is the SLD, it also happens to be the root domain, and the TLD, for example, is .com. So there are all these aspects of a domain that attackers use to make their attacks look more legitimate. What they'll do is capitalize the first letter in an automated mass campaign: they've got their target list, thousands and thousands of recipient emails, they'll take the SLD, capitalize the first letter and throw it in the display name. That's what we're seeing happen here. We've also got, obviously, the existence of a QR code in the body, and we have a sense of urgency in the body as well: if you look at this text, you have to act, otherwise you lose access to your account. So these are signals that as a defender we can look at to stop these attacks. And what's at the other end of this QR code? It's a Microsoft credential phishing page; this is the actual one from that QR code. This generally tends to be the intent behind most of these attacks: credential phishing.

Okay, on to the second variant. We'll see a lot of overlap here, but we'll also see a few new signals, so I'll give you all a few seconds to digest this
attack.

All right, so again we've got a Microsoft logo in the body, urgency in the subject, and a QR code to a suspicious URL. This URL is actually a high-reputation URL. This is not the full URL, just the domain, and it's actually Constant Contact. So we're seeing, and this has been true for a very long time with URLs embedded directly in messages and in attachments, mass mailers being abused for high reputation. If you look at rs6.net on its own, you'll see that it's got lengthy domain age, it's owned by a reputable provider, it's been around for a long time. But if you know that this is actually Constant Contact, then you know that anyone can employ one of these, and it's effectively an open redirect; this will redirect to the malicious URL. So it's quite important to follow these redirects for analysis.

A couple of new signals that we see here. We've got the recipient's local part in the subject, so there we see Rachel's name in the subject. Again, this is a technique used by actors, especially in mass campaigns when they're automating, to take the recipient's local part of their email address. Rachel's email is rachel@tyrellcorp.com; they'll take that "rachel" part, whatever is leading up to the at sign, and throw that in the subject or the display name. In this case we're seeing it in the subject, and again this is part of the social engineering tactics to make this look more believable and targeted and meant for Rachel, for her to take action. And again we're seeing the recipient's SLD in the sender's display name. The other signals are pretty much the same.

Typically we're seeing these come from compromised accounts. They'll be compromised for some period of time; a lot of times these are long lists of compromised credentials sold on the dark web, and they'll just be recycled the next time. Sometimes we see reuse of these, but the majority of the time we see them get recycled with new email addresses. So that really goes back to why behavioral detection is important for these: an IOC-based block list is not really going to help much, because we are seeing them rotate these IOCs so frequently. By IOCs I mean the sender email address, the URLs and the QR codes, those types of things; they're always getting recycled for new ones.

Okay, another variant of Microsoft, this time with an evasion technique. We're seeing the attacker try to evade QR code detection and decoding by using different colors here. This doesn't actually matter; you can decode this using pretty much any QR code decoder, but we've seen it.

[Audience] It has no effect. The colors in the QR code have no effect on the QR code and its performance or anything like that.

Yeah, it has no effect on it. The other new signal that we're seeing here, which is kind of odd for these types of automated attacks (we see this more often with BEC attacks and other types of credential phishing), is a hijacked thread. In this case, if you scroll down in this email a little bit, you'll see that they actually hijacked a prior thread in this user's compromised account. We see that a lot of times for BEC attacks, to make it seem like there's an ongoing conversation that they're picking up, and that helps them be more believable. So it was kind of odd that we saw it in this, because with QR codes, this type of automated email, when would you see that in a hijacked thread? But we saw it on this one.

Okay, last Microsoft impersonation example here. In this case we saw a bit of human resources and payroll impersonation going on, again enticing the user around something important going on. We see that carry over into the sender's display name: "HR Payroll Support". This time we've got the full recipient root domain in the sender's display name, so a slightly changed variant of this signal: it's no longer the SLD capitalized, it's the full domain name. Another interesting thing that we've been seeing recently has been abuse of Bing open redirects, bing.com open redirects. So for the red teamers out there, you can go and create a redirect for Bing, you can send that in an email, and you can have it point to wherever you like. The reason this is important or useful is that, for any sort of email security solution and also from the user's perspective, when they hover over the link they're seeing bing.com, and if that's coming in a Microsoft email, that actually looks more believable, right? It's Microsoft, Bing, those are the same company, so that seems legit. We're seeing Bing being abused quite a bit for open redirects, and not just in QR codes; we're seeing this in email bodies, we're seeing it in attachments as
well.

Okay, well, actually we've got one last Microsoft example. This one is much more subtle: there's no big Microsoft logo, but if you see down here there are smaller Microsoft logos, there's Microsoft To Do, there's a Teams logo, Microsoft Planner. Otherwise we're seeing a lot of the same stuff. We've got the full recipient email address in the subject this time, and this is actually an image-as-content attack as well, so everything that you're seeing here is in an attached image; there's basically nothing in the body.

Okay, Office 365. We're seeing targeted Office 365 logos; otherwise this is pretty similar to what we've seen. We've got the user's email address being inserted into the body here, and this is pretty typical of legit types of notifications, where it says "this email [blank]", right? It's part of that tactic around making it look more believable.

Okay, we're not going to go in depth into all of these other attack variants, but I've aggregated some categories here just to give you a sense of the diversity in these campaigns. SharePoint impersonation on the top left: this is your standard what-it-looks-like when you receive a SharePoint file shared with you, and what they've done is put a QR code right down below it. Similar in the middle example here, except a slightly different template, and then we've got the actual SharePoint logo and employee benefits being impersonated here.

DocuSign: besides Microsoft, DocuSign is the second most popular brand that we're seeing impersonated, and it's quite clever actually. This looks like a legit DocuSign template, but they've got a QR code right in the middle there and a QR code down at the bottom, and we've got a variant of the template here. Again, the reason these work, these are landing, these are bypassing Microsoft and Google today, is because there are no links in here, right? A lot of the requirements for detection are things like malicious link, malicious attachment.
[Audience] How often are users falling for these and actually scanning?

I don't have that available right now.

[Audience] We've heard lots of folks falling for them, just anecdotally.

But I don't have empirical evidence right now. Yeah, we're seeing a lot of users fall for these, and a lot of it is that most end users just don't know that this is really an attack vector. I sent some of this to my sister, and she had no idea, and she gets phishing simulations all the time, she works in a corporate environment. So just anecdotally, and from our customers, prior to having standalone protection for example, we've seen that a lot of folks just don't know about it.

So even with the non-Microsoft impersonations, the DocuSign one leads to Microsoft credential phishing too, so the majority of these are Microsoft credential phishing intents. Adobe is another big one that we're seeing, so here are some variants of Adobe impersonations. We've got the classic Adobe logo, we've got the simplified Adobe logo. This middle one here was interesting because there wasn't even a QR code directly embedded in the message; it was an attachment that wasn't embedded, so the user would have to actually view the attachment and then scan it, which was interesting. And Adobe Acrobat Sign is Adobe's competitor to DocuSign.

[Audience] Are any of these image-as-content attacks?

Yeah, the question was, are any of these image-as-content attacks. These two were not, I believe; these two on the left, I think, were just normal, embedded in the message.

Yeah, okay. We're also seeing just generic QR code phishing attacks. We're seeing them in foreign languages; there's no brand logo being impersonated, just a generic 2FA, you need to renew, who knows what service this is even for, it's just generic. And then the boldest one: we literally saw a blank email with just a QR code, and this was pretty fantastic. Interestingly, there was also a disclosure statement put in by the attacker at the bottom. We see this quite often, where attackers are inserting confidentiality notices at the bottom of attacks to make them
seem more believable.

Okay, let's talk detection and prevention. We talked a lot about the different signals that we can use, so how do we actually put those together and make them useful from an email defense perspective? There are a lot of signals available to us for brand impersonation detection. On the left side there we've got the different brand logos we can use, we've got different signals in the subject and display name and the body, and then we've got various ones for image-as-content attacks. Here's an example of how we've put these primitives together. You'll need to look at inbound messages, and then you want to run logo detection to identify logos in the body of the message, and then you want to identify QR codes, either embedded directly in the body of a message or embedded in an attachment. We can put these supporting signals together as well to help mitigate false positives. We can start to incorporate sender context: how reputable is this sender, have we ever seen them before in our organization, have we ever sent messages outbound to them, have we received messages from them. Run WHOIS enrichment and tell me how old the domain is, how old the URL in the QR code is, who owns the domain.

We can do analysis specifically on the QR code URL itself. Does it have a suspicious TLD? If you noticed from the QR code URLs that were embedded in the prior examples, there were a lot of suspicious TLDs that typically wouldn't be delivered; they would typically be blocked, especially for American companies, or at least it would be very high signal. A really sus .ru domain would typically lead to a quarantine or something for an American or European company that doesn't do business in Russia, but because it's obfuscated, they're sliding right through and there's less scrutiny being put on them.

And then we can analyze the actual content of the QR code destination. If you go out to the QR code and follow the redirects, where does it end up? Does it end up on a free subdomain host? Does it end up on a Cloudflare Worker? Does it end up on some .ru? We can look at the different hops that we take in that redirect chain. How many redirects are there, three, four, five? That can be indicative of an attack, especially if you're cycling different PLDs and going through a series of different domains; if you're going from a free subdomain host to a free file host to something else, that can be suspicious. We can analyze the final domain of the destination, and this comes down to actually detecting the credential phishing content itself on the page. We can run OCR, optical character recognition, on that page; we can run some machine learning, natural language understanding and computer vision on the credential phishing page itself to say, hey, is there a Microsoft logo on this page, is there a login box, is there a username field, a password field. And last but not least, we can check to see if there are any files getting auto-downloaded: is this an HTML smuggling attack, is this a payload delivery mechanism?

So we've open-sourced our detection rules for this; that's our repo, and we've categorized this in a few different ways. If you're interested in how to actually put these together, you can go and look at these; it's all open source, there's our repo up there. We've got generic QR code phishing detection and prevention, so this will cover all the brand stuff and all of the generic ones; we've got specific image-as-content detections; there are brand-specific ones; and then there are a bunch of evasions that we've been seeing recently as well. We've been seeing QR codes in HTML attachments, basically getting HTML-smuggled into environments, so that's been interesting. And then the most recent one has been EML attachments: you get a message and that message has an EML attachment, and Outlook will actually render an attached EML in the top-level message (we've got some content on this if we get to it). So it's basically a brilliant evasion technique, but it embeds the QR code and the malicious URL down deep in the message.

Okay, let's talk link analysis evasion. We've talked a lot about the top-level analysis and the evasion techniques, but what's happening when we actually go out and try to inspect these QR codes? The most common thing we're seeing is mobile user agent validation. Because the attacker has an expectation that users are scanning this with their mobile phones, they've got some protections in place to validate that anyone visiting their site is actually coming from a mobile UA. We can see here, for example, this is the Bing redirect, and this redirects through to a .top domain, which is super sus in and of itself, but then after the user agent check, since we're visiting this not as a mobile UA, we actually get redirected to the legit office365.com domain and get dropped on an error page. So that's quite interesting. This is a defensive mechanism so that security researchers or automated email security tools are not able to inspect the contents; they just see a legit domain.

We're seeing delayed redirects. We have these multi-level chains where the initial URL is, let's say, Bing or whatever; when you connect to the server we get a header back, this Refresh header, and the Refresh header tells the browser, refresh after X seconds and then go to this URL. In this example we're seeing zero, which is going to do it immediately, but we've seen other timeouts here as well, so this can be an effective evasion mechanism for any automated tools that aren't waiting around long enough. You can do a delayed redirect in the headers, and you can also do it just as HTML, on the contents of the credential phishing page itself, or in an HTML-smuggled attachment, or in an HTML attachment too; we've seen both. We could probably do a whole talk on just JavaScript obfuscation and the different evasion techniques we're seeing, but just to highlight one of these: delayed redirects in obfuscated JavaScript. This was actually an HTML attachment that was sent, and there's a setTimeout here, if you see that JavaScript function, and there's a bunch of obfuscation happening here, but ultimately, if you see this location here and this href, after a certain timeout, which can be configured by the attacker, it redirects: it sets the location.href of the page, which is like setting where the page is, to this
destination.

Okay, this really just scratches the surface on defense in depth, but beyond detection and prevention there are a couple of things that we can do that are kind of table stakes. User education is key; that's kind of the point of a lot of this content here: we need to tell our users, tell folks about the threat. This threat exists, this is very much happening in the wild, and first and foremost folks just need to know that it exists and that this could be malicious. And due to the nature and the intent of these attacks, since they're mostly credential phishing, if you've implemented multi-factor authentication, and in particular hardware keys, WebAuthn, or a YubiKey, or name your hardware token, then you will be resilient to these credential phishing attacks. For non-hardware-based MFA, like TOTP, one-time passwords, where you've got a code on your phone, we're seeing those get relayed through proxies. There are open source tools that are very common, like Evilginx for example, that will take those codes and relay them to the legitimate site and then hijack the session. So hardware tokens if you can.

Okay, I think we're out of time, so we'll have to save these for next time, but thank you very much for your time. Do we have five minutes for questions?
[Moderator] Or I think we have time for one. Any questions? If anyone does have any questions, raise your hand and you'll get the mic.

[Audience] Any suggestions about altering Outlook for blocking images or anything like that, or Exchange stuff, so that the images get flagged and you get warnings?

So the short answer is not really. We haven't found Exchange to be expressive enough to do this effectively without false positives, so we haven't seen any effective transport rules that you can really do at the Exchange level without a lot of false positives. That generally tends to be the big risk with that.

[Audience] Yeah, I'm wondering, I mean, most people, I would imagine, if you were presented with this on your computer, you're going to scan it with your phone, your personal phone, right? That's how most people are going to do that. And I'm wondering, I really hadn't thought of that before, but is there natively something in Android or Apple that allows security configurations around scanning QR codes? I don't scan QR codes a lot, but when I have, it seems like you hover over it and it pops up and says, do you want me to take you to this place you're scanning, but it doesn't tell you what it is, or, like you said... I just wonder if this is something maybe we ought to be, as a community, saying something to Apple or Google about.

I would love to put this on Apple and Google to do a better job of that. Same thing with SMS, right? We're seeing so many attacks delivered through SMS, through QR codes, and it doesn't seem like there's much filtering going on, so I would love to see that come from Apple or Google. As an organization it's really tough, because these are personal devices, and so part of why this is such an attractive lure is that this is pivoting off the network, off the corporate device. You have no network introspection; you don't know if they clicked on it, because it's not going through your web gateway; there are no logs. So that's definitely one of the challenges around this, that pivot to the personal device. Yeah.

Yeah, thank you.
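The talk lists the signals it keys on: the recipient's SLD capitalised (or the full domain) in the sender's display name, the recipient's local part or full address templated into the subject, urgency in the subject, image-as-content messages whose only body content is a CID-referenced image carrying the QR code, and a suspicious TLD on the decoded URL. The block below is an added example by the editor, not code from the talk or from Sublime's rule repository: it extracts those signals from a raw MIME message using only the Python standard library. The sample message, the keyword and TLD lists and the decoded URL are all constructed for illustration; decoding the QR image itself is not shown (that needs a decoder library such as zbar), so the decoded URL is passed in as a parameter.

```python
"""Editor's added example: pulling the QR-phishing signals from the talk out of a
raw RFC 5322 message.  Standard library only.  The QR image is not decoded here
(that needs e.g. zbar); the already-decoded URL is passed in."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html import unescape
from urllib.parse import urlsplit

# Constructed lists; tune them for your own environment.
URGENCY_WORDS = {"urgent", "immediately", "required", "expire", "expires",
                 "suspended", "action", "reauthenticate", "reauthentication"}
SUSPICIOUS_TLDS = {"ru", "top", "xyz", "cn"}
FREE_SUBDOMAIN_HOSTS = {"workers.dev", "pages.dev", "github.io", "web.app"}
TAG_RE = re.compile(r"<[^>]+>")
CID_RE = re.compile(r'src=["\']cid:([^"\'>]+)', re.I)


def build_sample_message() -> bytes:
    """Constructed sample mirroring the Tyrell Corp variants: an HTML body that is
    only an <img> referencing a CID image, so all visible content is in the image."""
    msg = EmailMessage()
    msg["From"] = '"Tyrellcorp IT Department" <alerts@compromised-sender.example>'
    msg["To"] = "rachel@tyrellcorp.com"
    msg["Subject"] = "rachel: ACTION REQUIRED!! MFA reauthentication"
    msg.set_content('<html><body><img src="cid:qr001"></body></html>', subtype="html")
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32   # placeholder bytes, not a real QR image
    msg.add_related(fake_png, maintype="image", subtype="png", cid="<qr001>")
    return msg.as_bytes()


def parse_message(raw: bytes) -> EmailMessage:
    return message_from_bytes(raw, policy=policy.default)


def recipient_parts(to_header) -> tuple:
    """(local part, second-level label, domain).  Naive split: use a public
    suffix list in production so example.co.uk yields 'example', not 'co'."""
    _, addr = parseaddr(str(to_header))
    local, _, domain = addr.lower().partition("@")
    labels = domain.split(".")
    return local, (labels[-2] if len(labels) >= 2 else domain), domain


def header_signals(msg: EmailMessage) -> dict:
    local, sld, domain = recipient_parts(msg["To"])
    display_name, _ = parseaddr(str(msg["From"]))
    dn, subject = display_name.lower(), str(msg["Subject"] or "")
    words = re.findall(r"[A-Za-z]+", subject)
    return {
        # attacker capitalises the SLD ("Tyrellcorp") or uses the full domain as display name
        "recipient_sld_in_display_name": sld in dn.replace(" ", ""),
        "recipient_domain_in_display_name": domain in dn,
        # recipient's local part / full address templated into the subject
        "recipient_local_in_subject": re.search(rf"\b{re.escape(local)}\b", subject.lower()) is not None,
        "recipient_address_in_subject": f"{local}@{domain}" in subject.lower(),
        "urgency_in_subject": bool(URGENCY_WORDS & {w.lower() for w in words})
                              or "!!" in subject or any(len(w) >= 4 and w.isupper() for w in words),
    }


def inline_images(msg: EmailMessage) -> list:
    """Every image part as (content-id, referenced-from-HTML?, bytes): QR candidates."""
    refs = set()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            refs.update(CID_RE.findall(part.get_content()))
    return [((part.get("Content-ID") or "").strip("<>"),
             (part.get("Content-ID") or "").strip("<>") in refs, part.get_content())
            for part in msg.walk() if part.get_content_maintype() == "image"]


def image_as_content(msg: EmailMessage) -> bool:
    """True when no text survives tag-stripping but an image is present."""
    text = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text.append(part.get_content())
        elif part.get_content_type() == "text/html":
            text.append(unescape(TAG_RE.sub(" ", part.get_content())))
    return not "".join(text).split() and bool(inline_images(msg))


def qr_url_signals(url: str) -> dict:
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return {"suspicious_tld": labels[-1] in SUSPICIOUS_TLDS,
            "free_subdomain_host": ".".join(labels[-2:]) in FREE_SUBDOMAIN_HOSTS,
            "ip_literal_host": re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None}


def score_message(raw: bytes, decoded_qr_url: str) -> dict:
    """A QR-candidate image plus two or more supporting signals flags the message.
    Sender reputation and WHOIS age (from the talk) would be added alongside."""
    msg = parse_message(raw)
    signals = {**header_signals(msg), **qr_url_signals(decoded_qr_url),
               "image_as_content": image_as_content(msg),
               "qr_candidate_image": bool(inline_images(msg))}
    hits = sorted(k for k, v in signals.items() if v)
    supporting = [h for h in hits if h != "qr_candidate_image"]
    return {"flag": signals["qr_candidate_image"] and len(supporting) >= 2, "hits": hits}


if __name__ == "__main__":
    print(score_message(build_sample_message(), "https://mfa-reauth.top/login"))
```

The local-part check is deliberately loose ("rachel" also appears in ordinary greetings), which is why the verdict requires the QR candidate plus several supporting signals rather than any single one, matching the talk's point that the signals are combined to keep false positives down.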
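The link-analysis evasion part of the talk describes mobile user-agent gating, delayed redirects via the Refresh header and meta refresh, and a setTimeout redirect inside obfuscated JavaScript. As a second added example (editor's code, not from the talk), the block below follows a QR URL through such a chain twice, once with a mobile UA and once with a desktop UA, counts hops and distinct domains, sums the delays an analyzer would have to wait out, and reports whether the two walks end at different places. fake_fetch() is a constructed in-memory stand-in for an HTTP client; every hostname, the redirect parameter name and the JavaScript snippet are invented for illustration.

```python
"""Editor's added example: following a QR-code URL the way an automated analyzer
must, covering the evasions from the talk: mobile UA gating, Refresh header with a
delay, meta refresh, and a setTimeout redirect in obfuscated JavaScript.
Runs offline: fake_fetch() is a constructed stand-in for an HTTP client."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urljoin, urlsplit

MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148 Safari/604.1"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)
META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']([^"\']+)', re.I)
JS_ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[([^\]]*)\]")
JS_HREF_RE = re.compile(r"location(?:\.href)?\s*=\s*(?:(['\"])([^'\"]+)\1|(\w+)\[(\d+)\])")
SET_TIMEOUT_RE = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.S)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def fake_fetch(url: str, user_agent: str) -> Response:
    """Constructed chain; every hostname and parameter name here is invented."""
    host = urlsplit(url).hostname
    if host == "redirector.example":      # open-redirect style first hop
        return Response(302, {"Location": parse_qs(urlsplit(url).query).get("u", [""])[0]})
    if host == "mfa-reauth.top":          # UA gate: non-mobile visitors are bounced to a legit site
        if "Mobile" not in user_agent:
            return Response(302, {"Location": "https://legit-vendor.example/error"})
        return Response(200, {"Refresh": "3; url=https://step2.pages.dev/a.html"})
    if host == "step2.pages.dev":
        return Response(200, body='<meta http-equiv="refresh" content="0;url=https://free-host.workers.dev/x">')
    if host == "free-host.workers.dev":
        return Response(200, body="<script>var _0x1=['https://final-login.ru/login'];"
                                  "setTimeout(function(){window.location.href=_0x1[0];},2500);</script>")
    if host == "final-login.ru":
        return Response(200, body='<form><input name="loginfmt"><input type="password" name="passwd"></form>')
    return Response(404, body="Page not found")


def js_redirect(body: str):
    """Resolve location.href = <literal> or <array>[i], plus the setTimeout delay."""
    m = JS_HREF_RE.search(body)
    if not m:
        return None
    arrays = {n: re.findall(r"['\"]([^'\"]*)['\"]", items) for n, items in JS_ARRAY_RE.findall(body)}
    if m.group(2):
        target = m.group(2)
    else:
        items, idx = arrays.get(m.group(3), []), int(m.group(4))
        target = items[idx] if idx < len(items) else None
    delay = SET_TIMEOUT_RE.search(body)
    return (target, int(delay.group(1)) / 1000 if delay else 0.0) if target else None


def next_hop(resp: Response):
    """(target, mechanism, delay seconds), or None when the page is final."""
    h = {k.lower(): v for k, v in resp.headers.items()}
    if 300 <= resp.status < 400 and "location" in h:
        return h["location"], "location", 0.0
    for value, via in ((h.get("refresh", ""), "refresh-header"),
                       (next(iter(META_REFRESH_RE.findall(resp.body)), ""), "meta-refresh")):
        m = REFRESH_RE.match(value)
        if m:
            return m.group(2), via, float(m.group(1))
    js = js_redirect(resp.body)
    return (js[0], "js-timeout", js[1]) if js else None


def follow_chain(start: str, fetch, user_agent: str, max_hops: int = 10):
    """List of (url, status, via, delay_s) hops plus the final Response."""
    hops, seen, url, resp = [], set(), start, Response(0)
    while url not in seen and len(hops) < max_hops:
        seen.add(url)
        resp = fetch(url, user_agent)
        nxt = next_hop(resp)
        if nxt is None:
            hops.append((url, resp.status, "final", 0.0))
            return hops, resp
        hops.append((url, resp.status, nxt[1], nxt[2]))
        url = urljoin(url, nxt[0])
    hops.append((url, 0, "loop-or-limit", 0.0))   # never reached a final page
    return hops, resp


def analyze(start: str, fetch) -> dict:
    """Walk the chain as a phone would and as a desktop crawler would, then compare."""
    mobile, final = follow_chain(start, fetch, MOBILE_UA)
    desktop, _ = follow_chain(start, fetch, DESKTOP_UA)
    domains = {".".join((urlsplit(u).hostname or "").split(".")[-2:]) for u, *_ in mobile}
    return {"ua_gated": mobile[-1][0] != desktop[-1][0],
            "hops": len(mobile) - 1,
            "distinct_domains": len(domains),
            "delayed_seconds": sum(h[3] for h in mobile),
            "final_url": mobile[-1][0],
            "login_form": bool(re.search(r'type=["\']password', final.body, re.I)),
            "chain": [(u, via) for u, _, via, _ in mobile]}


if __name__ == "__main__":
    print(analyze("https://redirector.example/r?u=https://mfa-reauth.top/auth", fake_fetch))
```

Against a real target, replace fake_fetch with an HTTP client that sends the given User-Agent and does not auto-follow redirects, so each hop is recorded; the JavaScript resolver handles only the single string-array indirection shown in the talk and is not a substitute for executing the page in a sandboxed browser.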