Threat Actor Sends Fake DocuSign Notification of Payroll and Benefits Update in QR Code Phishing Attack
After spoofing a legitimate domain, “prayingthroughthewindow[.]com,” the threat actor in this QR code phishing attack renames the display name to “Open Enrollment 2024” and sends an email with the subject line “Revised Payroll Preview Report For All [Company Name] Employees December 08, 2023 PleaseComplete_Copy” to deceive the target into believing the email is an official communication from their company’s HR department. A JPG with the impersonated company’s logo is embedded in the email body, and a message that an updated compensation and benefits policy is attached. Attached to the email is a PDF designed to look like a DocuSign notification that contains a QR code purportedly linked to the referenced policy update. However, should the target scan the QR code, they will be taken to a fake Microsoft login page where sensitive information, including login credentials, is at risk of being stolen.
Older, legacy email security tools struggle to accurately flag this email as an attack because it uses social engineering techniques, comes from an unknown domain, and lacks malicious links in the body content. Modern, AI-powered email security solutions detect the use of social engineering techniques, flag the unknown domain, and analyze the attachments to mark this email as an attack correctly.
The attacker attaches a PDF with a malicious QR code that leads to a fake login page.
This spoofed Microsoft login page is designed to look authentic.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Social Engineering Techniques: The email is disguised as a policy update notification for employees from HR, a common tactic used to trick recipients into opening attachments or clicking links. Legacy security tools often struggle to detect such sophisticated social engineering tactics.
- Unknown Domain: The sender's domain is unknown to the recipient's company. Legacy security tools often rely on known blocklists of malicious domains and emails and may not flag new or unknown ones.
- Lack of Malicious Links in the Email Body: The email does not contain any links in the body, which are often a key indicator for legacy security tools to flag an email as potentially malicious. Instead, the attacker uses a QR code in an attachment, which leads to a credential phishing site.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Social Engineering Detection: Abnormal detects sophisticated social engineering tactics. The impersonation of a policy update notification for employees from HR is a common phishing tactic and would have raised a red flag.
- Unknown Domain: The email comes from an unknown domain to the recipient. Abnormal flags such anomalies, unlike legacy systems that rely on known blocklists.
- Attachment Analysis: Abnormal analyzes attachments for potential threats. The email contained a JPG image and a PDF document in this case. The JPG image claimed to include a payroll and benefits policy update, a document commonly referenced in malicious emails, and the other image contained a QR code leading to a credential phishing site.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.