Note: As of November 8th 2023 this feature is only available on the free, public version of the sandbox. It will be made available to Enterprise customers after a short testing period.
Over recent months we have had increasing reports of phishing attacks shifting to the use of QR codes in their lures rather than relying on embedded links. As detections and anti-phishing measures have improved, making it less likely that users can access malicious links from inside managed email accounts in particular, threat actors have had to adapt to keep their infection rates up. By using QR codes, the embedded URLs are hidden from standard detection and filtering techniques, preventing security solutions from blocking them before they reach users. There is of course a cost to this as well, since loading a QR code requires a lot more interaction from the user than just clicking a link, but based on the regularity with which this vector has been seen recently it is evidently considered effective regardless.
In order to enable easy analysis of these URLs we have now added support for QR codes within the Triage sandbox, enabling easy submission of these phishing attempts for verification. This short blog post will introduce the new feature and cover some basics on how to use it fully.
How to submit a QR code
With this new feature there are currently 2 methods to submit a QR code to the sandbox:
- Directly as an image file like .jpg, etc. This also includes those contained within archive files (
- Embedded within emails, which can be uploaded in .msg format. In this case the sandbox will extract the images and run detection over them as above.
The image above shows an .eml file submitted with some text and an embedded QR code in the body. The highlighted areas show the key steps in processing this file:
- Any file which is found to contain a QR code will receive the QR tag. This is indexed like our other analysis tags, enabling quick searching for any such submissions using the search term
- The File Tree shows all files extracted from the .eml. Note that in order to run a URL from a QR code no files need to be selected here (by default image formats are not supported for behavioural analysis), though of course if there are other files of interest in the list, like executables, those can be selected to run as usual. The .msg itself should not be selected at all. In this example it is best left on default settings.
- All URLs extracted from the QR code(s) will be shown in the Extracted URLs section on the right. The sandbox will not automatically launch URL analysis on these due to the potential for there being lots of perfectly benign links, for example in company email signatures. To launch an analysis just click on the Analyze button next to the relevant URL.
Unless other files have also been selected in the File Tree for behavioural analysis, the Analyze button in the bottom floating footer can be disregarded completely.
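The processing described above (extract every image part from the email, run QR detection over it, tag the submission, and list the decoded URLs for an analyst to choose from rather than launching them automatically) can be mirrored outside the sandbox with a small script. The example below is added here and is not Triage's own code. It uses only the Python standard library for the MIME handling; the QR decoder itself is injected as a callable, because a real deployment would wrap a library such as pyzbar or OpenCV's QRCodeDetector (assumed, not shown). The sample .eml, its image bytes and the stand-in decoder are constructed for the example and are not real QR images.

```python
"""Extract image parts from an .eml and collect QR-code URLs for analyst review.

Added example, not Hatching/Triage code. It follows the workflow in the post:
walk the MIME tree, pull out every image part (inline or attached), hand each
one to a QR decoder, and report the decoded http(s) URLs without visiting any.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Callable, Iterable
from urllib.parse import urlsplit

IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/bmp", "image/webp"}

# Decoder contract: raw image bytes in, decoded QR payload strings out.
# A real one would be e.g. lambda b: [d.data.decode() for d in pyzbar.decode(Image.open(io.BytesIO(b)))]
QrDecoder = Callable[[bytes], Iterable[str]]


def extract_images(eml_bytes: bytes) -> list[tuple[str, str, bytes]]:
    """Return (filename, content_type, payload) for every image part in the message."""
    msg = BytesParser(policy=policy.default).parsebytes(eml_bytes)
    images = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in IMAGE_TYPES:
            # Inline images often have no filename; synthesise one so the report stays readable.
            name = part.get_filename() or f"unnamed-{len(images)}.{ctype.split('/')[1]}"
            images.append((name, ctype, part.get_payload(decode=True)))
    return images


def is_web_url(payload: str) -> bool:
    """Only http(s) URLs with a host are worth a browser analysis; ignore text/vCard/wifi payloads."""
    parts = urlsplit(payload.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def find_qr_urls(eml_bytes: bytes, decoder: QrDecoder) -> dict:
    """Build a triage summary: the QR tag, per-file decoded URLs, and the candidate list."""
    files = []
    for name, ctype, data in extract_images(eml_bytes):
        payloads = list(decoder(data))
        urls = sorted({p.strip() for p in payloads if is_web_url(p)})
        files.append({"file": name, "content_type": ctype, "qr_count": len(payloads), "urls": urls})
    has_qr = any(f["qr_count"] for f in files)
    # Nothing is launched here: the analyst picks which candidate URL (if any) to detonate.
    return {
        "tags": ["QR"] if has_qr else [],
        "files": files,
        "candidate_urls": sorted({u for f in files for u in f["urls"]}),
    }


def build_sample_eml() -> bytes:
    """Constructed sample: text body, an inline 'QR' PNG and a signature logo (fake bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Action required"
    msg.set_content("Please scan the code below to review the document.")
    msg.add_attachment(b"\x89PNG-constructed-qr-image", maintype="image", subtype="png",
                       filename="hatching_test.png", disposition="inline")
    msg.add_attachment(b"\xff\xd8constructed-logo", maintype="image", subtype="jpeg",
                       filename="signature_logo.jpg")
    return msg.as_bytes()


def fake_decoder(data: bytes) -> list[str]:
    """Stand-in for a real QR library in this sample: the constructed PNG 'decodes' to a URL."""
    return ["https://example.invalid/login"] if data.startswith(b"\x89PNG") else []


if __name__ == "__main__":
    import json
    print(json.dumps(find_qr_urls(build_sample_eml(), fake_decoder), indent=2))
```

Running the script prints a summary in which only hatching_test.png carries a decoded URL, the submission gets the QR tag, and signature_logo.jpg is listed with no URLs, matching the behaviour described for the sandbox report. Swapping `fake_decoder` for a wrapper around a real decoder is the only change needed to use it on genuine emails.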
Start a new URL analysis from the static report
What happens if the URL wasn’t run at submit time, and now a behavioural analysis has been run and the page shown above is no longer accessible? Extracted URLs are also listed in the static report, and a new URL analysis can be launched from there at any time.
First, if a QR code with a URL is detected then an informational signature will be shown in the report:
The extracted URLs will then be listed under the Files section at the bottom of the report (note the blue highlighting at the left of the
hatching_test.png file marking this as the file that has signatures related):
As above, just click the Analyze button to create a new analysis task for that URL; you will then be taken to the submission page to configure options like the browser, OS, etc.
We hope this has been a helpful guide to making use of this new feature. Thanks to everyone who reached out to us with examples and feedback around the need for it; as always, this helps a lot in choosing what we need to prioritise. If you have any questions or issues please do feel free to reach out - you can contact us through the website or using the Feedback option on an analysis report page.
Not signed up yet? Head over to tria.ge to register for a free account!