You're listening to the Cyber Wire Network, powered by N2K.

Quick question. Have you watched Project Hail Mary yet? Humanity is facing an existential threat and racing to solve it with the clock ticking. For security teams, that probably hits close to home with AI use rapidly spreading. Everyone's using AI: marketing, sales, engineering, Chris the intern, without security even knowing about it. That's where Nudge Security comes in. Nudge finds shadow AI apps, integrations and agents on day one and helps you enforce policy without blocking productivity. Try it free at nudgesecurity.com/cyberwire.

Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

But there is something kind of weird about it. It was a really large email file. The attachment was exclusively a PDF, but it appeared to also have image content that the AI within our product was pointing out.

That's Juliana Testa, senior security engineer from 7AI. The research we're discussing today is titled "Quish Splash: When the QR Code Is the Weapon, a Multi-Wave Phishing Campaign That Slipped Past Every Filter."

And so one of our MDR analysts actually brought this up to me and was like, hey, I think, you know, something interesting is going on with this. I think this is a true positive. And I was like, okay. So we start to dive deeper. And what we actually find is, as we start to query with the AI, you know, our product is an AI agentic system that, you know, can, one, do investigations independently, but also allow analysts to do further investigations. So that's what we were doing.
And one of the interesting things that happened is the deeper we dug, the bigger the scale this was, the more emails that this particular email address that we had recognized as a true positive was sending. And then we started actually looking at the raw EML. And that's when we started to notice the embedded QR code. We looked at the PDF, this again, embedded QR code in the PDF doc itself. And that's when we started to notice not only had this successfully got to folks' inboxes, but it had also gotten by the existing URL scans from, like, a Microsoft Defender standpoint.

Well, for folks who might not be familiar with the term, can you unpack what exactly quishing is?

Yeah, absolutely. So the idea here is classical phishing being a method that attackers can use to try to do social engineering in order to get users and victims to click on links. That's typically how you would classically think of this. Click on links, send information, some kind of call to action. And QR code phishing is similar. However, instead of actually using a URL, which most security tools are really good at scanning for, this is an image that's either embedded as part of the email, almost like a signature, or as an attachment. And the QR code itself has an encoding of a URL, but it's not visually accessible to most security scanning tools. So that QR code, you scan it with your phone typically. It takes you to a URL in a domain, and that's kind of where the attack occurs. It's able to either download software, take you to a malicious domain, and do other nefarious actions just using that encoded URL.

Well, let me highlight an aspect of that and dig in a little bit with you.
And that's the role that mobile devices played in helping this campaign slip past most people's defenses.

Yeah, you're absolutely right. That's one of the most powerful parts about quishing as a whole: typically, when people scan QR codes, they don't realize that they can scan it with their local device, with their laptop, for example, where they've received the email. But most people are very used to, let's say at restaurants, especially after COVID, scanning a QR code on a table and going to the link that it directs you to. So it's actually become a really natural process for people to be like, oh, that's a QR code that has a link, let me go ahead and scan it and see where it takes me. And they'll do it on their personal devices, which are no longer going to be under the detection and the security of their, you know, enterprise networks with things like CrowdStrike or other EDR tools.

Now, these emails, they passed through a lot of checks. I mean, things like SPF and DMARC and Defender. How unusual is it for a campaign to be able to jump through those hoops?

So that was actually really surprising. And upon first glance, I was like, oh, it's very interesting that it was able to get through that. And it wasn't until we dug a little deeper that we understood why. It's actually extremely unusual. Typically, what you'll find is most phishing campaigns will fail at least one of those. And if it doesn't fail at least one of those, it typically fails on the side of how old the domain is in which they're sending emails from. So in a classical campaign, you'll see failures to security headers like the ones that you mentioned. And then the other thing that happens is typically the domain that people are emailing from will be registered within maybe the last month, few days. And so that's always a red flag for many security providers: oh, this is a very new domain. We've never received emails from it before. It's only about a week old. That is a red flag.
In this particular case, the attacker did something quite interesting. They actually seem to have taken ownership of a domain that already existed. And so they were able to benefit from both the security headers that had already been configured, as well as the ownership of that domain and its history. And so in a lot of ways, they were able to avoid classical, you know, traits of what would be considered phishing. And at first, we were like, maybe this is a false positive, but the scale and the automated nature and the actual behavior we saw of the payloads really is what pointed us towards this is actually a full-scale campaign.

Well, let's dig into the scale and sophistication. That's really a noteworthy element here. The research talks about over 1.6 million related emails that were sent elsewhere.

Yeah. So that number is really an interesting one. And the reason we noticed it is because that number is an approximation. There's no guarantee of that number of emails. However, every single email, every PDF, and every QR code was enumerated. Every single one that was sent, especially the ones that were sent in immediate succession, were incremented by one. And so it was almost used in two ways. One, that unique ID made it so that the hashes of both the PDFs and the QR codes were unique. And so you couldn't rely on traditional hash blocking or exclusion. In addition to that, the actual malicious actor would have been using those IDs as a way to both uniquely identify a user that they emailed to keep track, or potentially use it as a way to count the number of emails being sent. And so what's interesting here is in between the first and second waves that occurred, it appeared that almost 1.6 million emails may have been sent, or at least PDFs and QR codes generated, between those two waves.

Well, speaking of waves, what does the fact that they were going out in waves say about their reconnaissance or their targeting strategy?

Yeah, so this one is really interesting.
The first wave actually included a series of managers, and the second wave appeared to have included a series of their subordinates. And so what was happening is this very fascinating trend of, one, the emails were getting through. They're using what is publicly available, potentially on things like LinkedIn, to understand hierarchy, maybe roles or groups. And then on top of that, one of the most interesting parts is this almost creates this false sense of history. Now this domain is no longer new, while their superiors received an email from this domain. So this creates this really big false sense of security.

We'll be right back.

Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com.

Another detail that you point out is that the attackers seem to be learning from auto-reply messages. What kind of value does that sort of confirmation have to a threat actor?

Yeah, absolutely. So sometimes sending emails can be like into the void, especially for a bad actor. You know, we all joke about our emails at work. You know, what is the format? Is it your first, last name? First initial, last name? There's all these variations of what is classical in terms of email enumeration. And so for an attacker to actually succeed and get an auto-reply, that tells them two different things. One is you figured out what the format is that company uses for their email addresses. And that's repeatable. The second thing they figured out is this is a real user at this company that can receive emails, and your email was successfully delivered to their inbox.
That second, or this last, piece: that it successfully delivered to their inbox. Now, that is important because it means you are getting past whatever security they have in place for their emails. And it's even allowing an auto-reply.

You talk about using AI as part of the triage process here. And I suppose that has to do with the scale of what you were trying to analyze?

Yeah, so it's actually a little unique. So as I mentioned earlier, the 7AI product, the one that we support, is entirely AI-driven in several ways. AI is leading the investigation, running queries against a customer's SIEM or SOAR products, their enrichment products, and is really trying to do a full-scale investigation to help support analysts in their workload and help triage and give analysts priority. And in this particular case, what happened was twofold. One was that the AI did the initial investigation and correctly flagged it as something that was quite suspicious. And then we have this feature in our product called Threat Hunt that allows us to dive even deeper. And what we did is we basically told AI about what we were worried about, told our existing agents what we were concerned about, and it was able to go forth and run additional queries to do further identification of emails, users, click history, anything that it could find related to these particular email addresses and PDF files. And so this was really an interesting exercise in the scale in which security-driven AI can really help to detect these in a way that can be quite difficult for traditional SOAR, SIEM, EDR products, and go a step further as to allow for user interaction with your own consoles.

Do you suppose that there's still a misconception, or are people underestimating the potential of QR code phishing?

Oh, absolutely. I think that there are obviously going to be products out there that are going to try to do the work of doing, like, a semantic or an image analysis of things like QR codes.
But it takes a lot of effort to do that, to actually be able to check for the existence, one, of QR codes, but then also do the work to scan the image and understand what URL is encoded there. It's a multi-step process, and most products aren't going to do that natively. And so it's really important to both teach your employees and your organization about the risks of QR codes as a whole, even in public, outside of the email world. Seeing a QR code on a post randomly in the wild is probably not something you should be scanning unless you're pretty confident that it's a venue to the restaurant you're at. So I think QR codes as a whole are quite dangerous because they feel so plain.

Yeah, I seem to always run into them when I'm pumping gas at the gas station. There's a QR code on the gas pump, and I resist the temptation because who knows who stuck it there or stuck their own QR code over top of the legit one.

Yeah, and it's kind of this funny thing of, like, security as a practice is teaching people to be skeptical. It becomes really difficult when even the most mundane things, the things that we're used to being helpful, are also inherently suspicious.

For the defenders in our audience, what are the biggest take-homes you think they should take away from this research?

Yeah, I think the very first one is doing that due diligence and tracking of either user-reported phish. I mean, the initial alert that we got was a user-reported phish, and tracking to see if that email is present in other places in their environment. This type of campaign had the team actually realize that not only was it one user reporting this email, but that that email address had actually been sent much more widely. That would have been a key red flag that they would have used to better understand the scale. The other thing is, at this point in time, education about QR codes. I think that most products don't have the scale of support most people need related to QR codes.
And so it has to come down to education until the products can catch up. In a lot of ways, QR codes still feel kind of how images may have felt or, you know, attached Excel files may have felt when phishing really first came out. And now we just need the tech to really catch up. And I think there are products out there that are supporting this, but probably not in a very classical sense. We didn't see it in this case with Defender, but there might be other products out there that can support it.

All right. Well, Juliana, I think I have everything I need for our story here. Is there anything I missed, anything I haven't asked you that you think it's important to share?

I think the only other thing that I would note is the IOCs related to this particular incident were made public. We did publish them to allow for users to create their own detection rules. This particular campaign seems to have been quite large in terms of both the delivery and the scale of the attack. And so I do want to caution other users for this particular attack, considering the fact that it did get past classical Microsoft Defender, especially if you're using O365 as your primary email security platform. In addition to that, the only thing I would add is that the QR codes themselves were completely embedded. And so taking a look at EML files for embedded images is another important step towards security.

Our thanks to Juliana Testa from 7AI for joining us. The research is titled "Quish Splash: When the QR Code Is the Weapon, a Multi-Wave Phishing Campaign That Slipped Past Every Filter." We'll have a link in the show notes.

And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Iben. Peter Kilpie is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.