Sep 27 2023 11:32 PM
Is it possible to block emails containing QR CODE?
Sep 28 2023 01:36 AM
@lucanz73 Emails containing QR codes are phishing emails. This means you need to configure the anti-phishing policy in MDO and those emails will automatically be detected as anti-phishing and you can decide whether to reject them or quarantine them.
Oct 01 2023 01:21 PM
Oct 13 2023 02:09 AM
Oct 13 2023 03:37 AM
Oct 13 2023 04:18 AM
Oct 13 2023 05:46 AM - edited Oct 13 2023 05:47 AM
You can create a custom detection rule on Microsoft Defender to act on possible Quishing emails. Set up actions to delete the mails or move them to junk (preferable cos of possible false positives):
// File types treated as image attachments
let image_extensions = dynamic(["jpg", "jpeg", "png", "bmp", "gif"]);
EmailAttachmentInfo
| where Timestamp > ago(1h)
| where FileType in (image_extensions)
// File name is 9-10 uppercase letters or digits followed by an extension
| where FileName matches regex "^[A-Z0-9]{9,10}\\.[A-Za-z0-9]+$"
| where SenderFromAddress !contains "Org domain" //Exclude your corporate domain
| where RecipientObjectId != ""
| join EmailEvents on NetworkMessageId
// Keep inbound mail that was not already blocked, junked, quarantined or deleted
| where not (EmailDirection has_any ("Intra-org", "Outbound"))
| where DeliveryAction != "Blocked"
| where DeliveryAction != "Junked"
| where not(LatestDeliveryLocation has_any ("Quarantine", "Delete"))
Oct 13 2023 07:35 AM
Oct 17 2023 01:05 PM
Oct 17 2023 11:58 PM
Nov 07 2023 06:35 PM
Nov 16 2023 10:32 AM
Microsoft urgently needs to add QR code detection into EXOP. The QR codes bypass essentially all existing protections. KQL queries like the one in this thread are no longer effective, as they rely on specific filename patterns and attackers have already adapted. EXOP should be able to detect QR codes and handle the URLs just like it handles any other links. There should also be an option to block all QR codes. Or perhaps replace QR code images with a SafeLinks HTML link.
This threat is not going away, and the current tools are not able to adequately mitigate it.
Nov 17 2023 01:09 PM
Nov 17 2023 01:16 PM
@ExMSW4319 Agreed - at a basic level we need to know if a message contains a QR code or not. Detecting URLs, SafeLinks translation, etc. would be nice to have. Detecting if a QR code exists or not is essential.
Fancy-looking codes get much more crazy than just psychedelic colors - look up what people are doing with Stable Diffusion and QR codes. The good thing is, the whole point of QR codes is to be easily detectable. So, standard detection algorithms should do a pretty good job and keep compute resource requirements relatively low.
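The detectability mentioned in the post above comes from the three finder patterns in a QR symbol, which produce dark/light runs in a 1:1:3:1:1 ratio along any line through their centre. The sketch below is an added example, not code from this thread or from Microsoft; it assumes the attachment has already been decoded and binarised into rows of 0/1 pixels, and the function names and the constructed `sample()` image are illustrative.

```python
# Added example, not from the thread. Input: rows of 0 (light) / 1 (dark) pixels.
FINDER = ["1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111"]

def runs(line):
    """Run-length encode pixels into (value, start, length) tuples."""
    out, start = [], 0
    for i in range(1, len(line) + 1):
        if i == len(line) or line[i] != line[start]:
            out.append((line[start], start, i - start))
            start = i
    return out

def finder_hits(line, tol=0.5):
    """(centre, unit) of each dark-light-dark-light-dark window in 1:1:3:1:1 ratio."""
    r, hits = runs(line), []
    for k in range(len(r) - 4):
        win = r[k:k + 5]
        unit = sum(n for _, _, n in win) / 7.0   # estimated module width in pixels
        if [v for v, _, _ in win] == [1, 0, 1, 0, 1] and all(
                abs(n - w * unit) <= tol * unit
                for (_, _, n), w in zip(win, (1, 1, 3, 1, 1))):
            hits.append((win[2][1] + win[2][2] // 2, unit))
    return hits

def count_finders(img):
    """Count distinct finder patterns confirmed by both a row and a column scan."""
    found = []
    for y, row in enumerate(img):
        for x, unit in finder_hits(row):
            col = [img[r][x] for r in range(len(img))]
            for cy, cu in finder_hits(col):
                # Column hit must sit on this row; skip centres already recorded.
                if abs(cy - y) <= cu and not any(
                        abs(fx - x) <= 3.5 * unit and abs(fy - cy) <= 3.5 * unit
                        for fx, fy in found):
                    found.append((x, cy))
    return len(found)

def sample(with_finders, scale=3, n=21, quiet=2):
    """Constructed input: checkerboard 'data', optionally with three finders."""
    m = [[int((x + y) % 2 == 0 and (not with_finders or min(x, y) >= 8))
          for x in range(n)] for y in range(n)]
    for ox, oy in ((0, 0), (n - 7, 0), (0, n - 7)) if with_finders else ():
        for dy, bits in enumerate(FINDER):
            m[oy + dy][ox:ox + 7] = [int(b) for b in bits]
    m = [[0] * quiet + row + [0] * quiet for row in m]
    m = [[0] * len(m[0])] * quiet + m + [[0] * len(m[0])] * quiet
    return [[m[y // scale][x // scale] for x in range(len(m) * scale)]
            for y in range(len(m) * scale)]
```

A count of three or more from `count_finders` is the signal that an image likely carries a QR symbol; rotated, skewed or heavily stylised codes need the diagonal checks and perspective handling that full decoders add.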
Nov 29 2023 08:11 AM
Nov 29 2023 03:27 PM
@KD8AVA404 Can I ask for a link of their MDO? Thanks
Dec 07 2023 02:43 AM
We have implemented all the required policies but still such emails are being delivered to users.
What other things should be implemented in MDO and MDE? I saw your post saying we can implement the below controls from MDO and MDE.
Dec 07 2023 04:23 AM
@VinodS2020 Hi, QR detection is now enabled by default in MDO, and any QR code phishing emails should be detected automatically by MDO.
Dec 07 2023 06:51 AM
Can we see those settings or configurations in MDO? Also, do we need to implement or deploy the below policies, or is that not required?
Dec 07 2023 07:20 AM