QR Code Phishing Attack Uses Embedded MHT Files in Payroll-Themed Documents
Attack Overview
Step 1: Email
The attacker sends a spoofed phishing email claiming to contain information about salary updates. The message includes a DOCX attachment and minimal contextual information to reduce suspicion.

- The subject references salary increments.
- The email includes a document attachment (.docx).
- The message relies on implied urgency rather than detailed body text.
Step 2: Malicious Document with Embedded MHT
The attached document contains a hidden MHT (web archive) file. This MHT file includes a base64-encoded image that appears harmless but contains a QR code.

- MHT file is embedded within the DOCX attachment.
- Encoded image hides the QR code from static scans.
- The QR code is not visible until the document is opened.
Step 3: QR Code Leads to Phishing Page
When the recipient scans the QR code (often using a mobile device), they are directed to a phishing page disguised as a login portal, where credentials can be harvested.

- QR code bypasses email body URL scanning.
- Targets are taken to a fake login page.
- Designed to capture user credentials on mobile.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- The phishing link is embedded in a QR code rather than the email body.
- The MHT file is embedded inside a DOCX, so scanners that only inspect the outer document never see it.
- Encoded images hide malicious content from static analysis.
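The triage script below is an added example, not the page's or Abnormal Security's code; it covers both the embedded-MHT step above and the point that the MHT inside a DOCX escapes scanners that stop at the outer attachment. It unpacks the DOCX as a zip, picks out parts that look like MHT archives (by extension or by MIME markers, so a renamed part is still caught), parses each one as MIME with the standard library and reports every image part with its base64 transfer encoding undone, which is exactly the layer a static scan of the outer file never reaches. The DOCX it inspects is constructed inline; the part name word/embeddings/oleObject1.mht and the 1x1 PNG standing in for the QR image are assumptions, not values from the page.

```python
"""Added triage example (not Abnormal Security's detection code): unpack a DOCX,
find embedded MHT/MHTML archives and report the base64-encoded images inside them,
since an image hidden this way is where the write-up says the QR code lives."""
import email
import io
import zipfile
from email import policy

# Constructed sample: a 1x1 PNG that stands in for the QR-code image.
# Any base64 image part inside an MHT would be reported the same way.
SAMPLE_PNG_B64 = (
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk"
    "YPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)
MHT_EXTENSIONS = (".mht", ".mhtml")
MHT_MARKERS = (b"MIME-Version:", b"multipart/related")
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_sample_docx() -> bytes:
    """Build a minimal, constructed DOCX carrying an MHT part. The part name
    word/embeddings/oleObject1.mht is hypothetical, not taken from a real sample."""
    lines = [
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; boundary="----=_B"',
        "",
        "------=_B",
        'Content-Type: text/html; charset="utf-8"',
        "Content-Location: file:///C:/doc.htm",
        "",
        '<html><body><img src="qr.png"></body></html>',
        "------=_B",
        "Content-Type: image/png",
        "Content-Transfer-Encoding: base64",
        "Content-Location: qr.png",
        "",
        SAMPLE_PNG_B64,
        "------=_B--",
        "",
    ]
    mht = "\r\n".join(lines)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.mht", mht)
    return buf.getvalue()


def find_mht_parts(docx_bytes: bytes) -> dict:
    """Return {zip member name: raw bytes} for parts that look like MHT archives,
    judged by extension or by MIME markers in the first 4 KiB (catches renamed parts)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            head = data[:4096]
            if name.lower().endswith(MHT_EXTENSIONS) or all(m in head for m in MHT_MARKERS):
                found[name] = data
    return found


def extract_images(mht_bytes: bytes) -> list:
    """Parse the MHT as MIME and return one record per image part, with the
    transfer encoding undone so the real bytes can be type-checked."""
    msg = email.message_from_bytes(mht_bytes, policy=policy.default)
    records = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        payload = part.get_payload(decode=True) or b""  # base64 decoded here
        records.append({
            "location": str(part.get("Content-Location", "<none>")),
            "declared_type": part.get_content_type(),
            "encoding": str(part.get("Content-Transfer-Encoding", "<none>")),
            "size": len(payload),
            "is_png": payload.startswith(PNG_SIGNATURE),
        })
    return records


def triage(docx_bytes: bytes) -> list:
    """Flatten findings: one dict per image found inside any embedded MHT part."""
    findings = []
    for part_name, data in find_mht_parts(docx_bytes).items():
        for rec in extract_images(data):
            findings.append({"part": part_name, **rec})
    return findings


if __name__ == "__main__":
    for f in triage(build_sample_docx()):
        print(f"{f['part']}: {f['declared_type']} at {f['location']} "
              f"({f['size']} bytes, {f['encoding']}, png={f['is_png']})")
```

Running the script prints one finding for the constructed sample. Pointing triage() at real attachment bytes in a sandbox yields the same per-image records; an image that exists only inside an embedded MHT is the one worth decoding with a QR library and running through URL reputation checks, since the email body itself carries no link to scan.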
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Unusual sender behavior and document-sharing patterns.
- Minimal email context paired with suspicious attachments.
- NLP identification of financial themes and urgency despite the minimal body content.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.