Threat Walkthroughs – ThreatDown by Malwarebytes
“Enhanced Bonus” QR code phish steals Microsoft credentials
Pieter Arntz · 2025-02-25 · via Threat Walkthroughs – ThreatDown by Malwarebytes

A personalized phishing attack could lead to a catastrophic loss of credentials.

Phishing continues to be a major headache for organizations because organizations continue to use email for important and interesting things, like discounts, security alerts, and invoices. And people continue to be interested in the things that people are interested in, like discounts, security alerts, and invoices.

And of course there’s little that’s more interesting to paid employees than salaries and bonuses, and the phishers know that too.

In the case of this phish, the target received an email with an attachment that looks like it came from a company HR department—hooking them with the promise of an “enhanced bonus”.

[Image: The PDF lure promises an “Enhanced Bonus”]

[Organization’s name] Enhanced Bonus Distribution Strategy
Your attention to the document provided by the Human Resources/Payroll Department is requested.
Date: Friday February 2025
Scan the QR code below with your smartphone camera for easy access to the document review.

[QR code]

Please refrain from sharing this email, as it includes a secure link to our SharePoint platform. We appreciate your cooperation in maintaining security and confidentiality by not disclosing this link or its access code to others.

Your email: [employee.name@organization.country]

The phishing attempt looks very personalized because both the attachment name and the URL the QR code leads to include the target’s email address:

  • The name of the attachment was [email-address]-Employee-Handbook-6384.pdf.
  • The QR code leads to https://qn.s19pk[.]com/FEDn6OrqfXLcYxwKzcc/#X[email-address]
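Because the lure bakes the recipient's own address into both the attachment name and the URL fragment, a mail gateway that decodes QR codes from attachments can flag this pattern before anyone scans it. The triage logic below is an added example written for this post, not ThreatDown's code; the message records and recipient addresses are constructed, while the blocked domains and QR URL shape come from the post itself.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed records of what a gateway might log per message after decoding
# the QR code inside a PDF attachment (recipients are made-up example.com users).
SAMPLE_MESSAGES = [
    {"recipient": "jane.doe@example.com",
     "attachment": "jane.doe@example.com-Employee-Handbook-6384.pdf",
     "qr_url": "https://qn.s19pk[.]com/FEDn6OrqfXLcYxwKzcc/#Xjane.doe@example.com"},
    {"recipient": "bob@example.com",
     "attachment": "Q1-report.pdf",
     "qr_url": "https://intranet.example.com/docs/q1"},
    {"recipient": "eve@example.com",                       # URL-encoded variant
     "attachment": "eve%40example.com-Employee-Handbook-1234.pdf",
     "qr_url": "https://qn.s19pk[.]com/abc/#eve%40example.com"},
]

# Domains from the post's IOC list, stored defanged and re-fanged for matching.
BLOCKED_DOMAINS = {"qn.s19pk[.]com", "ecshag[.]ru"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def refang(value):
    """Turn a defanged indicator such as qn.s19pk[.]com back into a real hostname."""
    return value.replace("[.]", ".")


def assess(msg):
    """Return the reasons a QR-bearing message matches the 'enhanced bonus' phish."""
    reasons = []
    rcpt = msg["recipient"].lower()
    attachment = unquote(msg["attachment"]).lower()
    url = urlparse(refang(msg["qr_url"]))
    fragment = unquote(url.fragment).lower()
    host = (url.hostname or "").lower()
    blocked = {refang(d) for d in BLOCKED_DOMAINS}
    if rcpt in attachment:
        reasons.append("attachment name embeds recipient address")
    if rcpt in fragment:
        reasons.append("URL fragment embeds recipient address")
    elif EMAIL_RE.search(fragment):
        reasons.append("URL fragment carries an email address")
    if host in blocked or any(host.endswith("." + d) for d in blocked):
        reasons.append("QR URL points at blocked domain " + host)
    return reasons


def triage(messages):
    """Map each recipient to its list of indicators; an empty list means no match."""
    return {m["recipient"]: assess(m) for m in messages}
```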

After scanning the QR code and passing a Cloudflare bot protection screen, the target is taken to a fake Microsoft login screen.

[Image: Fake Microsoft login site]

We removed the email address from the URL we used, to avoid alerting the attackers, but we suspect that if we used the unmodified URL the email address would be pre-filled in the login screen.

Intriguingly, clicking the “next” button only works if you enter a corporate email address; otherwise the phishing site comes back with the message “We couldn’t find an acount with that username. Try another or get a new Microsoft account.”

[Image: The phishing site only accepts corporate email addresses]

If the target enters a corporate email address they are asked for their password.

[Image: The password entry form]

Twice.

[Image: The password entry form reporting a wrong password the first time the password is entered]

On the second attempt, the site accepts the password, and the data is sent to http://ysl3zzdmfwncbktqtvx2aosnxo8zxyeflmphszset0akvfaxrv.ecshag[.]ru.

With Microsoft 365 credentials, attackers can gain access to sensitive corporate data, including emails, documents, and internal communications. Company login credentials can also give attackers a foot in the door of an entire company network—which can be used to steal data, escalate attacks, and even launch ransomware attacks.

Attackers use QR codes because they are more likely to make it past email filters, and may evade company security software if the target’s phone isn’t covered by an EDR solution.

IOCs

Some domains you can block with ThreatDown DNS filtering:

Main phishing site:

  • qn.s19pk[.]com

Receiving domain for the credentials:

  • ecshag[.]ru

Redirects:

  • wh5nbx.revishbos[.]ru
  • o3mfqg.warthydri[.]ru
  • cemh.urj7zq[.]com
  • 8kbxy.adlijari[.]ru
  • 98oj4s.drogdordr[.]ru
  • cyt4.drogdordr[.]ru