Scammers are emailing waves of unsolicited QR codes, aiming to steal Microsoft users’ passwords

Researchers uncovered a twist on QR code-enabled phishing, a troubling development as codes proliferate in the COVID-19 era.

Email fraudsters are seizing on the attention around the quick response codes that have become more common in restaurants and stories, leveraging QR codes try to steal users’ Microsoft credentials and other data.

The latest campaign, uncovered Tuesday by the email security company Abnormal, leveraged compromised email accounts in order to bypass standard security screening, then target nearly 200 email accounts between Sept. 15 and Oct. 13, 2021. The operation is the latest example of QR code-enabled phishing, with warnings about “QRishing” or “quishing” dating back to at least 2012. The Better Business Bureau warned of such scams this summer, and the Army Criminal Investigation Command’s Major Cybercrime Unit warned of potential problems in March.

An earlier version of the effort unveiled Tuesday embedded a malicious link behind what looked like a voicemail .WAV file. When that link was flagged by security screening services, attackers then switched to a QR code to redirect a victim to a credential harvesting page. The research did not identify the attackers behind the campaign.

A message below the QR code instructed the victim to scan it to “enable you to listen to encrypted Voicemail.” That then led to a fake Microsoft landing page that prompted the victim to enter their email and password in order to play the message.


Given the proliferation of QR codes as a means to enable hands-free ordering at restaurants, or required to validate vaccine status to enter certain venues in the COVID-19 era, the research serves as a reminder to think twice upon receiving an unsolicited QR code via email.

Rachelle Chouinard, a threat intelligence analyst at Abnormal, noted that the campaign was a bit clunky. It would require the victim to open the email on their computer and then use their phone’s camera to scan the QR code, which would then take them to the fake Microsoft login page to harvest a user’s credentials. “Does this actor expect them to go back and open it on their computer? Or send the email to the printer? Use another phone? At what point does the victim begin to suspect a scam?” Chouinard wrote.

The operation also faltered in that the email and credential harvesting page use the English language, but the reCAPTCHA is in German, potentially tipping victims off to the ruse.

In 2019, Virginia-based Cofense, an email security company, uncovered a phishing campaign using QR codes targeting some of its customers in France. In that case the attackers used QR codes to direct victims to a fake SharePoint landing page in order to read a shared document. Once there, users could log in with AOL, Microsoft, or other credentials to read the document. That campaign employed custom mobile pages in hopes to convince victims accessing the page on their phones that the request was legitimate.

AJ Vicens

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

Latest Podcasts