
Corrupted Word Attachment Uses QR Code to Bypass Scanners and Phish Microsoft 365 Credentials

A phishing campaign uses intentionally corrupted Word documents with embedded QR codes to bypass scanners and steal Microsoft 365 credentials.

January 3, 2025

Attack Overview

Step 1: Email

The attacker sends a benefits-themed email with a Microsoft Word attachment. The document appears corrupted, which allows it to bypass many traditional scanners.

  • Attachment is a Word doc intentionally structured to seem broken.
  • Email content refers to HR benefits to entice user interaction.
  • The attachment bypasses analysis due to apparent corruption.

Step 2: Recovered File and QR Code

Despite appearing broken, the document can be opened using Microsoft Office’s built-in file recovery. It contains company branding, personalized content, and a QR code.

  • Microsoft Office’s recovery renders the file readable.
  • Includes target company logo and employee name.
  • Contains a QR code intended for mobile scanning.

Step 3: QR Code Redirects to Phishing Site

When scanned, the QR code directs the target to a spoofed Microsoft 365 login page designed to capture credentials.

  • No URLs in the email body—phishing link is in the QR code.
  • Page mimics Microsoft branding.
  • Target credentials are stolen upon submission.

Step 4: Final Destination (Spoofed Microsoft Login)

[Screenshot: spoofed Microsoft 365 login page reached from the QR code]

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • Corrupted attachments are often skipped by scanners.
  • Email passed SPF/DMARC authentication checks.
  • The phishing link is hidden within a QR code inside the document.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Unusual sender behavior and benefits-themed bait content.
  • Detection of recoverable attachments flagged as broken.
  • QR code analysis and NLP detecting credential phishing intent.
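
The two lists above name the gap (scanners that skip an attachment they cannot parse) and the counter (treating a Word file that is broken yet recoverable as a signal rather than noise). The script below is an added example, not Abnormal's detection code and not anything taken from the campaign. It shows a defender-side triage step: when strict ZIP parsing of an attachment fails, it walks the ZIP local file headers directly, the way a file-recovery routine does, to see whether a Word (OOXML) package is still inside; such a file is quarantined instead of skipped, and any embedded images under `word/media/` are listed so a separate QR decoder (not part of this example) can inspect them. The sample document, the truncation used to damage it, and the verdict labels are all constructed for this example.

```python
import io
import struct
import zipfile
import zlib

# Added example (not Abnormal's detection code). The constants are ZIP/PNG/JPEG
# format facts; the verdict labels below are invented for this example.
LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHLLLHH"          # 30-byte ZIP local file header
LOCAL_LEN = struct.calcsize(LOCAL_FMT)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def is_well_formed_zip(data: bytes) -> bool:
    """What a naive scanner checks: does the central directory parse and verify?
    A deliberately damaged container fails here, which is the gap the campaign relies on."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def walk_local_headers(data: bytes):
    """Yield (name, content) by walking local file headers from offset 0 and ignoring
    the central directory. This is the same kind of recovery Office performs on a
    broken file, so it finds what a user would end up seeing."""
    pos = 0
    while True:
        header = data[pos:pos + LOCAL_LEN]
        if len(header) < LOCAL_LEN or not header.startswith(LOCAL_SIG):
            return
        (_sig, _ver, flags, method, _time, _date, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack(LOCAL_FMT, header)
        name_start = pos + LOCAL_LEN
        name = data[name_start:name_start + name_len].decode("utf-8", "replace")
        body_start = name_start + name_len + extra_len
        raw = data[body_start:body_start + csize]
        if flags & 0x08 or len(raw) < csize:
            # sizes live in a trailing data descriptor, or this entry itself is cut off
            return
        if method == 0:
            content = raw
        elif method == 8:
            try:
                content = zlib.decompress(raw, -15)   # raw deflate, as ZIP stores it
            except zlib.error:
                content = b""
        else:
            content = b""
        yield name, content
        pos = body_start + csize


def triage_attachment(data: bytes) -> dict:
    """Route an attachment. The point: a file is never 'skipped' just because strict
    parsing failed; a recoverable Word package in a broken container is quarantined."""
    entries = dict(walk_local_headers(data))
    is_ooxml = "[Content_Types].xml" in entries and any(n.startswith("word/") for n in entries)
    images = sorted(n for n, c in entries.items()
                    if n.startswith("word/media/")
                    and (c.startswith(PNG_MAGIC) or c.startswith(JPEG_MAGIC)))
    well_formed = is_well_formed_zip(data)
    if not is_ooxml:
        verdict = "not_ooxml"
    elif not well_formed:
        verdict = "quarantine"        # recoverable Word doc inside a damaged container
    elif images:
        verdict = "qr_review"         # valid doc; hand the images to a QR decoder
    else:
        verdict = "normal"
    return {"well_formed": well_formed, "recoverable_ooxml": is_ooxml,
            "entries": sorted(entries), "images": images, "verdict": verdict}


def build_sample_docx(truncate: bool) -> bytes:
    """Constructed sample: a minimal Word-like package with one PNG under word/media/.
    With truncate=True the central directory and end record are cut off, the kind of
    damage that makes strict parsers give up while the entries remain recoverable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:drawing/></w:document>")
        zf.writestr("word/media/image1.png", PNG_MAGIC + b"\x00" * 64)
    data = buf.getvalue()
    return data[:-40] if truncate else data


if __name__ == "__main__":
    for label, blob in (("intact", build_sample_docx(False)), ("damaged", build_sample_docx(True))):
        print(label, triage_attachment(blob))
```

The walker stops at the first header that is not a local file header or whose declared size runs past the end of the buffer, so a partially downloaded or deliberately truncated entry does not cause an exception that a pipeline might catch and treat as "nothing to scan". In a real pipeline the `images` list would be passed to a QR decoder and the decoded URL run through the same link analysis applied to URLs in the email body, which closes the gap the third bypass bullet describes.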

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Classification

  • Credential Phishing
  • Payload-based
  • Employee - Other
  • Credential Theft
