Recent QRishing Attack Exploits Microsoft and Cloudflare

Vade has detected a recent phishing attack targeting a US-based MSP. Only a single employee received the malicious email, which bypassed detection by Microsoft’s native security features. In this post, we examine the steps of the QRishing attack and provide measures you can take to stay protected.

Recent M365 QRishing attack

The attack begins with a phishing email alerting the user that they need to reactivate their MFA. “Multi-Factor Authentication (MFA) is no longer active on your organization account. To help keep your account safe and secure. Please reactivate your authentication by following the instructions on your device.”

QRishing attack – QRishing email

QRishing email

The phishing attempt appears to be a support ticket notification, with the display name spoofed to include the name of the targeted MSP. The body of the email features logos for Microsoft and Microsoft Authenticator to create the illusion of credibility. It also features a call-to-action that encourages the user to scan a QR code with their smartphone.

To earn the victim’s trust, the QR code also displays Microsoft’s logo.  

Note: As a security measure, Vade has redacted the QR code below and replaced it with a safe image pointing to


QRishing attack – Microsoft-branded QR code

Malicious Microsoft-branded QR code

Hackers often use QRishing to bypass detection by less advanced email security solutions. The technique attempts to hide the phishing link and trick email filters into concluding that the QR code is an innocuous image.

White Paper Microsoft 365: Protecting Your Business in the New Threat Landscape


QRishing attack – Fake security check webpage

Fake security check webpage


Once the victim scans the QR code, they can navigate to the embedded webpage. The top-level domain (TLD) of the malicious domain is .ru. If the victim taps on the link, it takes them to an illegitimate security webpage that simulates a security scan. The phishing page features attributes and behaviors observed in another recent attack first detected and reported by Vade.

Once the fake scan is complete, the webpage refreshes to display a green checkmark and the word “Success” to indicate that it passed the safety inspection. The phishing page is hosted by Cloudflare, enabling the hackers to benefit from the antibot mechanisms from Cloudflare.

QRishing attack – Destination M365 phishing page

Destination M365 phishing page


Next, the phishing attack directs the victim to an M365 phishing page. Vade has verified that the domain was recently created. The fake login form is likely used to harvest the victim’s credentials and gain access to their M365 account. This would enable hackers to exfiltrate sensitive data, spread malware, facilitate vendor email compromise, and more.

Takeaways from QRishing attack spoofing M365

Vade has detected an increase in M365 QRishing attacks in recent months. This includes campaigns that use compromised WordPress websites as a first hop before redirecting the victim to a phishing webpage published on InterPlanetary File System (IPFS), a file sharing peer-to-peer network.

This M365 QRishing attack uses several techniques to bypass detection and prevent analysis by email filters. By embedding a phishing link in a QR code, hackers can bypass detection from email filters that don’t use Computer Vision or more simply QR code detection/reading.

The attack also uses common image impersonation and email spoofing to gain the victim’s trust and avoid any suspicion.

In addition to enhancing the appearance of legitimacy, the phishing page hosted by Cloudflare is designed to intercept analysis by email filters and prevent them from reaching the destination M365 phishing page.

How to stay protected against the attack

To protect your users and organization protected against this attack, you should engage in several important practices.

To start, educate your users on how to spot phishing attacks and practice good cyber hygiene. Phishing awareness training addresses the reality that users are the greatest vulnerability in your attack surface. When it comes to QRishing specifically, users should receive training that discourages them from scanning QR codes from unknown sources or tapping links without first verifying them as safe and legitimate.

You should also consider adopting an integrated email security solution from a third-party vendor. Layering email security onto M365’s native capabilities can catch threats that Microsoft misses, such as this QRishing campaign. Importantly, look for solutions that leverage Computer Vision, which detects phishing links embedded in QR codes and more advanced image-based threats. Also, consider solutions that provide extended protection from mailbox to browser, including mobile devices. Smartphone and tablets make it more difficult for users to spot and handle phishing attacks.

Vade for M365 is powered by a sophisticated AI engine that leverages Machine Learning, Computer Vision, and Natural Language Processing (NLP) models to catch all text- and image-based threats used by attackers. The solution now offers Vade Remote Browser Isolation (RBI), which provides an additional layer of protection against email-to-browser threats for desktop and mobile devices.

White Paper Microsoft 365: Protecting Your Business in the New Threat Landscape