@KarstenV59 

• Consider using config analyzer and preset security policies to ensure you always have the latest and greatest protection settings on for your organization.
• You should configure your mobile device policies to use Network Protection and Smart Screen supported browsers (such as Microsoft Edge) to extend protection to your mobile devices against the malicious URLs embedded in the QR Codes.
• We strongly recommend using multi-factor authentication and conditional access to help secure organizational accounts from credential theft.

@KarstenV59 @lucanz73 

You can create a custom detection rule on Microsoft Defender to act on possible Quishing emails, setup actions to delete the mails or move them to junk (preferable cos of possible false positives)

let image_extensions = dynamic(["jpg", "jpeg", "png", "bmp", "gif"]);

 EmailAttachmentInfo  

 | where Timestamp > ago(1h) 
 | where FileType in (image_extensions)
 | where FileName matches regex "^[A-Z0-9]{9,10}\\.[A-Za-z0-9]+$" 
 | where SenderFromAddress !contains "Org domain" //Exclude your corporate domain 
 | where RecipientObjectId != "" 
 | join EmailEvents on NetworkMessageId  
 | where not (EmailDirection has_any ("Intra-org", "Outbound")) 
 | where DeliveryAction != "Blocked" 
 | where DeliveryAction != "Junked" 
 | where not(LatestDeliveryLocation has_any ("Quarantine", "Delete"))

 

, 

@ExMSW4319Agreed - at a basic level we need to know if a message contains a QR code or not. Detecting URLs, safelinks translation, etc would be nice to have. Detecting if a QR code exists or not is essential.

Fancy look codes gets much more crazy than just psychedelic colors - look up what people are doing with stable diffusion and QR codes. The good thing is, the whole point of QR codes is to be easily detectable. So, standard detection algorithms should do a pretty good job and keep compute resource requirements relatively low.

@KD8AVA404  Can I ask for a link of their MDO? Thanks

@eliekarkafy 

We have implemented all the required policies but still such email are being delivered to users. 

What all other things should be implemented in MDO and MDE I saw your post saying we can implement the below controls from MDO and MDE. 

Link Here:  https://techcommunity.microsoft.com/t5/microsoft-defender-xdr/recieving-increasing-number-of-phishin... 

@VinodS2020 Hi now the QR detection is enabled by default in MDO now and any QR code phishing emails should be detected automatically by MDO now 

@eliekarkafy 

Can we see that settings or configurations in MDO? Also do we need to implement or deply below policies or not required? 

• Token Protection through Conditional Access 
•  Network Protection in block mode in MDE for both endpoint and mobile devices (iOS/ Android).
•  threat analytics in M365D
• Web content filtering in MDE to block parked/ newly registered domains categories.