Quishing Triage 101: How to Investigate Suspicious QR Codes in Emails

Read on for more about “quishing” and a free way to set up QR code triage for phishing emails (using Pipedream and some Python), or check out our blog here to learn about how Intezer automatically triages suspicious emails and investigates QR code-based phishing emails.

Quishing, derived from combining “QR code” and “phishing,” has manifested as a significant cybersecurity threat, particularly noting a discernible surge in incidents since July 2023. This technique leverages QR codes to mislead users into interacting with malicious digital content. When a user scans a QR code in a quishing attack, it typically redirects them to a malevolent website, which may deploy malware or solicit confidential information.

The purpose of this blog post is to provide a quick guide for investigating potential quishing attacks or any other suspicious emails that have an embedded QR code. In addition, to showcase a technique of leveraging a No Code/Low Code platform for accelerating the analysis of such attacks, which might even benefit other security-related use cases.

What is Quishing?

Quishing is a cyber-attack strategy where attackers utilize QR codes to mislead users, typically redirecting them to a malicious website that either downloads malware or solicits their sensitive information. You probably know that already but a QR code, or Quick Response code, is a square barcode readable by mobile device cameras. When scanned, it can trigger various actions, such as opening a webpage, initiating a phone call, and more.

In a typical quishing scenario, a user might receive an email that appears legitimate, containing a QR code and instructions to scan it for a particular purpose, such as making a payment, accessing a website, or obtaining specific information. Once scanned, the QR code redirects the user to a fraudulent website designed to harvest sensitive data or infiltrate the user’s device with malware. Quishing campaigns can be particularly deceptive as they exploit the trust users have developed in scanning QR codes for legitimate purposes, such as menu access in restaurants or facilitating contactless transactions.

Why Are QR Code Phishing Attacks Increasing?

Quishing attacks have the capability to evade conventional security measures, such as secure email gateways, which typically scan for harmful links and attachments. When an email incorporates a QR code, these secure email gateways often deem quishing emails to be safe. Consequently, the emails are delivered directly to the inbox without being flagged as dangerous. Understandably, this has presented an opportunity for cyber attackers which they now increasingly exploit.

How To Analyze Reported Quishing

If you’re part of a security team or working as a security analyst and receive a report from an employee in your company about a suspicious email containing a QR code, it’s imperative to approach the situation with caution. Directly scanning the QR code with your phone is not advisable due to the unknown and potentially harmful URL it may contain. Nevertheless, as a security analyst, it’s crucial to delve deeper to comprehend the attack’s nature, aiming to prevent future similar attacks and possibly hunt for successful attacks within the organization. To achieve this, it’s essential to analyze where the QR code redirects to, ensuring to do so securely.

Here are three steps to meticulously investigate a potential Quishing attack:

1. Extracting Images from the Reported Email: Ensure to download all images separately from the reported email. This includes those embedded within attached PDF files or forwarded .eml or .msg files, especially if the email has been forwarded to you.
   
2. Safely Scan Images for QR Codes and Extract URLs: Scan all images for QR codes by using a 3rd party QR Code scanning service such as qrcoderaptor.com, extracting the corresponding URLs without directly following the link to prevent unintended exposure to malicious content.
   
3. Analyze URLs Using Online URL Scanners or Sandboxes: Utilize an online URL scanner or a sandbox to scrutinize all extracted URLs, enabling you to analyze the full origin and intent of the attack without jeopardizing security.

The one major problem with the above steps is that it can take too much time and effort, especially lately since those attacks are very frequent. Now let’s try to automate it!

Using Low Code Platform To Automate Quishing Triage

For this purpose I will use Pipedream and some Python coding to create a proof-of-concept quishing triage automation, however feel free to use any preferred workflow builder. Pipedream is a really great tool that helps to easily create automated workflows, and it has a generous free tier. I recommend to check them out!

What I want to create is a simple workflow for triaging emails with QR-codes that works as following:

1. Have a dedicated mailbox that will receive any reported quishing
2. Extracts all images from the received emails
3. Checks for QR code in the images and extracts all URLs
4. Replies back to the original sender with the extracted URLs

That will allow a security analyst to simply forward any suspicious email to a dedicated email address, and immediately get a response with the URL to scan in any online URL scanning solution. A definite next-step would be to automatically analyze the URL already in the automated workflow and send back results, but this is just a proof of concept 🙂

You can use Intezer’s API for adding an automated URL scanning or any other tool you choose.

1. Receive emails

I created a new workflow with an “Email” type Trigger, which creates a dedicated email box:

Now, I would recommend to send an example email with a QR code, just for the sake of testing and ease of development.

2. Extracting images from the email

The following code iterates over all attachments of the received email, and extracts images that are embedded within attached PDF, EML and MSG files, as well as just from the original email. I’ve created a Python step in Pipedream, right after the trigger step, where I used this code in:

I’ve used two simple utility functions to download attachments to disk and to memory:

def download_file_to_bytes(url):
    response = requests.get(url)
    response.raise_for_status()

    return io.BytesIO(response.content)

def download_file_to_tmp(url, filename):
    file_path = f"/tmp/" + filename
    response = requests.get(att["contentUrl"])
    with open(file_path, "wb") as f:
        f.write(response.content)

    return file_path

It’s surely not the best code I’ve ever written, but have I already mentioned it’s just a proof-of-concept? 😉

3. Extracting URLs from QR code images

After we have all the images stored in the IMAGES variable, let’s use an external service API (goqr.me) to scan those images for QR codes and extract the URL from them:

(continued handler function)
    for img in IMAGES:
        url_from_qrcode = get_qr_code_data(img)
        if url_from_qrcode:
            EXTRACTED_URLS.append(url_from_qrcode)

    return EXTRACTED_URLS

def get_qr_code_data(image_bytes):
    api_endpoint = "http://api.qrserver.com/v1/read-qr-code/"
    files = {'file': ('qrcode.png', image_bytes)}
    response = requests.post(api_endpoint, files=files)
    
    if response.status_code == 200:
        data = response.json()
        qr_data = data[0]['symbol'][0]['data']
        return qr_data
    else:
        return None

4. Send extracted URLs back to the sender

First, let’s make sure we don’t send any raw malicious links which can be unsafe (or just get caught in a spam filter). Let’s de-link the URLs by adding brackets, by using the following Python code in a new Pipedream step:

def handler(pd: "pipedream"):
    res = ""
    if len(pd.steps["python"]["$return_value"]) > 0:
        for url in pd.steps["python"]["$return_value"]:
            delinked_url = url.replace("http://", "http[:]//").replace("https://", "https[:]//").replace(".", "[.]")
            res += delinked_url + '\n'
        return res
    else:
        return None

Now, let’s use a simple Gmail step to send the de-linked URLs back to the sender:

5. Testing it

Right after forwarding an email with attached QR code to the generated Pipedream email address, I got a reply to my inbox with the revealed URL!

Try It Yourself for Free!

Feel free to give it a go and send emails that contain QR codes to this address:

emy8bmikgfq7ecx@upload.pipedream.net

I’m taking a leap of faith here, hoping that this email address won’t be abused by script kiddies 🙂 and that it can serve as a nice tool for security analysts who are looking for an intermediate solution.

An Even Easier Way to Automate Triage for QR Codes & Phishing Emails

While the demonstration of utilizing a low-code platform to automate certain labor-intensive tasks is valuable, it doesn’t fully address the quishing issue at a scalable level. At Intezer, we’ve taken this a step further and integrated Anti-Quishing logic into our automated reported phishing pipeline, which is another step in our vision to to empower security teams with the world’s best Autonomous SOC solution.

This enhancement empowers new Intezer users to effortlessly link their user-reported phishing inboxes to Intezer, enabling automated triage. This includes unraveling any embedded QR codes, conducting an in-depth scan of the corresponding URL, and examining any other hidden email elements. This allows your focus to stay on only the emails that necessitate your attention, eliminating the need to sift through unnecessary reported emails.

For our existing customers who are already utilizing our automated phishing pipeline, the new QR code scanning logic is fully integrated. You’ll already see emails where Intezer has extracted QR codes, then meticulously analyzed the URLs and other email artifacts. You’ll get a thorough investigation of the potential threat in a clear analysis report, with all the information you need.

If you’re having scaling or resource shortage issues with combating quishing, phishing, endpoint or SIEM alerts — just book some time with us and we would be happy to help!

Intezer’s automated triage process for emails identifies embedded QR codes, extracts and analyzes URLs, then gives you a verdict and a full analysis report. Learn more in our blog here about how Intezer automatically triages suspicious emails and investigates QR code-based phishing emails.

---

Try Intezer for free or book a demo to learn more.