Threat actors recently began using missed voicemail lures and malicious links hidden behind an attached image of a WAV audio file in phishing campaigns; however, once detected by security controls, the threat actors quickly switched to the use of malicious Quick Response (QR) codes. The combination of phishing and QR codes, also known as quishing, creates an opportunity for threat actors to direct users to malicious sites, access their accounts, install malware, infiltrate networks, and more, while evading detection.
Using the same missed voicemail lures, the threat actors utilized QR codes that, if scanned, directed the user to a fraudulent Microsoft landing page in an attempt to steal account credentials and other information. This particular campaign is notable due to the use of compromised infrastructure to send phishing emails, an enterprise survey service, Amazon and Google services to host the phishing pages, and a German language reCAPTCHA, while the phishing emails and landing pages are in English. It is unclear exactly how the threat actors expected users to visit the malicious site, but researchers suspect the intent was for the user to open the email on their computer and use their smartphone to scan the QR code.
The NJCCIC recommends users educate themselves and others on this and similar scams to prevent future victimization. We advise users to avoid scanning QR codes, clicking on links, and opening attachments from unsolicited or unexpected emails or text messages, even those appearing to be from known companies or organizations. Users are also advised to only input account credentials on legitimate company websites by manually typing the URL into the browser.