
Block Potential Quishing in Email

· 4 min read
Contextal Team
Contextal Platform Creators

Quishing (QR Code Phishing) attacks have been growing in the last two years, as threat actors continuously adapt their techniques. Unlike traditional phishing emails that contain suspicious links, quishing attacks embed QR codes in email attachments, such as PDFs or Office documents, tricking users into scanning them with their mobile devices. Since QR codes are image-based and cannot be inspected without special processing, they often bypass traditional URL filters and email security measures.

To make these attacks more effective, cybercriminals often use freshly registered domains or popular URL shorteners to mask their phishing links. Some campaigns also use public file-sharing services (such as Google Drive or Dropbox) to distribute malware or credential-harvesting pages. This makes quishing a highly deceptive and effective social engineering attack.

Contextal Platform, with its advanced contextual analysis capabilities, can detect quishing attempts by examining the entire email structure and analyzing the QR codes embedded within attachments. Using ContexQL, we can write a scenario that identifies email-based phishing attempts based on multiple factors:

  • The presence of a QR code inside an attached document (PDF, Office, or ODF)
  • Whether the QR code contains a link
  • If the link points to a domain that was registered recently
  • If the domain belongs to a commonly abused URL shortener
  • If the link redirects to a public file-sharing service often abused in phishing campaigns

Below is a ContexQL query that detects emails containing an attached document with a QR code that shows signs of quishing:

object_type == "Email" && @has_descendant(
    /* Since the documents could be embedded at deeper levels (e.g., inside an archive),
     * we use @has_descendant instead of @has_child()
     */
    (object_type == "Office" || object_type == "ODF" || object_type == "PDF")
    && @has_descendant(
        /* Check for QR Code */
        @has_symbol("QRCODE")
        && @has_descendant(
            /* The QR Code contained a link from which a valid internet domain was extracted */
            object_type == "Domain" &&
            (
                /* Check if the domain was created less than 30 days ago */
                @match_object_meta($age_days < 30)
                /* OR if it's one of the URL shorteners often abused by phishing actors */
                || @has_name(iregex(r"(bit\.ly|tinyurl\.com|rebrand\.ly|is\.gd|cutt\.ly|shorte\.st|gg\.gg|ow\.ly|clck\.ru)"))
                /* OR one of the popular file-sharing services */
                || @has_name(iregex(r"(dropbox\.com|drive\.google\.com|onedrive\.live\.com|box\.com|mega\.nz|mediafire\.com|icloud\.com)"))
            )
        )
    )
)

We use it in the provided scenario to issue a BLOCK action. You can further customize this query to your specific needs. For instance, you may adjust the domain-age check; learn more about how threat actors utilize newly registered domains.
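To make the nesting of the query above concrete, here is the same matching logic written in Python over a constructed object tree. This is an added example, not code from Contextal or from the page; the Obj class, the tree layout and the node types Zip, Image and URL are assumptions standing in for the platform's real object model.

```python
import re
from dataclasses import dataclass, field

# Patterns copied from the scenario on this page; re.I mirrors iregex().
SHORTENERS = re.compile(r"(bit\.ly|tinyurl\.com|rebrand\.ly|is\.gd|cutt\.ly|shorte\.st|gg\.gg|ow\.ly|clck\.ru)", re.I)
FILE_SHARING = re.compile(r"(dropbox\.com|drive\.google\.com|onedrive\.live\.com|box\.com|mega\.nz|mediafire\.com|icloud\.com)", re.I)
DOCUMENT_TYPES = {"Office", "ODF", "PDF"}

@dataclass
class Obj:
    """Constructed stand-in for one node of the platform's object tree (assumption)."""
    object_type: str
    name: str = ""
    symbols: set = field(default_factory=set)
    age_days: "int | None" = None      # stands in for the $age_days meta field
    children: list = field(default_factory=list)

def descendants(obj):
    """Yield every node below obj at any depth, i.e. @has_descendant semantics."""
    for child in obj.children:
        yield child
        yield from descendants(child)

def suspicious_domain(d):
    """The three alternatives of the Domain clause: young, shortener, file-sharing."""
    return d.object_type == "Domain" and (
        (d.age_days is not None and d.age_days < 30)
        or SHORTENERS.search(d.name) is not None
        or FILE_SHARING.search(d.name) is not None)

def is_possible_quishing(email):
    """True when the tree matches the scenario's local_query."""
    if email.object_type != "Email":
        return False
    for doc in descendants(email):          # document may sit inside an archive
        if doc.object_type not in DOCUMENT_TYPES:
            continue
        for node in descendants(doc):        # e.g. an image carrying the QR code
            if "QRCODE" in node.symbols and any(suspicious_domain(d) for d in descendants(node)):
                return True
    return False

# Constructed sample: Email -> Zip -> PDF -> Image(QRCODE) -> URL -> Domain
def sample_email(domain_name, age_days):
    domain = Obj("Domain", name=domain_name, age_days=age_days)
    url = Obj("URL", name="https://" + domain_name + "/login", children=[domain])
    image = Obj("Image", name="qr.png", symbols={"QRCODE"}, children=[url])
    pdf = Obj("PDF", name="invoice.pdf", children=[image])
    return Obj("Email", children=[Obj("Zip", name="docs.zip", children=[pdf])])
```

The archive layer in the sample is what a direct-child check would miss, which is why the query uses @has_descendant throughout.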

Info: Click on the download button below to get the scenario, then upload it using Contextal Console or the ctx command line tool (when using the latter, don't forget to reload remote scenarios after adding a new one!).

Possible-Quishing.json
{
"name": "Possible Quishing",
"min_ver": 1,
"max_ver": null,
"creator": "Contextal",
"description": "Block documents delivered via e-mail, which have signs of quishing, see https://platform.contextal.com/scenarios/block-quishing",
"local_query": "object_type == \"Email\" && @has_descendant(\n /* since the documents could be embedded at deeper levels (eg. inside an archive),\n * we use @has_descendant instead of @has_child()\n */\n (object_type == \"Office\" || object_type == \"ODF\" || object_type == \"PDF\")\n && @has_descendant(\n /* check for QR Code */\n @has_symbol(\"QRCODE\")\n && @has_descendant(\n /* the QR Code contained a link out of which a valid internet domain was extracted */\n object_type == \"Domain\" &&\n (\n /* check if the domain was created less than 30 days ago */\n @match_object_meta($age_days < 30)\n /* OR if it's one of the URL shorteners often abused by phishing actors */\n || @has_name(iregex(r\"(bit\\.ly|tinyurl\\.com|rebrand\\.ly|is\\.gd|cutt\\.ly|shorte\\.st|gg\\.gg|ow\\.ly|clck\\.ru)\"))\n /* OR one of the popular file-sharing services */\n || @has_name(iregex(r\"(dropbox\\.com|drive\\.google\\.com|onedrive\\.live\\.com|box\\.com|mega\\.nz|mediafire\\.com|icloud\\.com)\"))\n )\n )\n )\n)",
"context": null,
"action": "BLOCK"
}