QR Code Deletion Attack: Targeting Microsoft Users
Microsoft users are being targeted by a suppression attack that delivers weaponized QR codes in phishing emails.
The threat, first observed in early October 2025, exploits users’ trust in QR-based authentication and device pairing to trick them into scanning codes that trigger information-stealing binaries.
Gen Threat Labs experts discovered unusual QR attachments impersonating Microsoft branding in Office 365 for Business notifications.
Recipients who scanned the codes were sent to a compromised Azure CDN node that hosted the staged payload delivery sequence.
Researchers have since identified several infection vectors. One is a phishing email posing as a Microsoft Teams alert that instructs users to scan a QR code to fix an urgent security issue.
Another prompts the user to enroll in Microsoft Authenticator for “enhanced login protection” when scanned. These lures appear genuine at first glance because many companies are actively promoting QR-based multi-factor setup.
Gen Threat Labs researchers noted that victims saw familiar Microsoft logos and properly formatted links, which increased the campaign’s reach and success rate.
The impact extends to credential theft and full system compromise. After scanning the QR code, victims receive a shortened URL that resolves to a malicious redirector script.

Before downloading the Packaged Infostealer (PI) executable, this script checks the Windows language, the installed Defender version, and sandbox indicators.

The infostealer establishes persistence by creating a scheduled task named “MSAuthSync” that runs at every user logon. Harvested credentials and host telemetry are exfiltrated to attacker-controlled endpoints over HTTPS.

Mechanism of infection
The campaign’s QR-based AV evasion technique is its most notable advance. Instead of encoding a single QR image, the malware splits the code into two overlapping images built from PDF content streams.
Typical QR decoders ignore the non-standard colour palettes and split segments, so neither image decodes on its own; a custom parser recombines the image layers before decoding.
The following Python snippet demonstrates how a defender can read and reconstruct split QR codes:

```python
from PIL import Image
import zbarlight

# Load the two image layers extracted from the PDF
layer1 = Image.open('qr_part1.png').convert('RGB')
layer2 = Image.open('qr_part2.png').convert('RGB')

# Recombine by taking the brightest pixel from each layer:
# a module stays dark only where BOTH layers are dark
merged = Image.new('RGB', layer1.size)
pixels1, pixels2 = layer1.load(), layer2.load()
for x in range(layer1.width):
    for y in range(layer1.height):
        pixel = pixels1[x, y] if sum(pixels1[x, y]) > sum(pixels2[x, y]) else pixels2[x, y]
        merged.putpixel((x, y), pixel)

# Decode the reconstructed QR code (scan_codes returns a list of bytes, or None)
codes = zbarlight.scan_codes(['qrcode'], merged)
if codes:
    print("Decoded URL:", codes[0].decode('utf-8', errors='replace'))
else:
    print("No QR code found in the merged image")
```
This technique shows how weaponized QR images can evade both static AV signatures and a casual human glance, underscoring the need for layered analysis of modern phishing campaigns.
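To make the “brightest pixel wins” rule concrete, the following is an added example (not code from the article or from Gen Threat Labs) that works on plain Python pixel grids instead of PNG files, so it runs without Pillow or zbarlight. It uses a constructed 6x6 toy bit pattern, not a real QR symbol, and shows that each layer alone carries extra dark decoy modules while the merged image equals the original.

```python
# Added example: reconstruct a QR-style bit pattern split across two layers.
# Merging by brightest pixel keeps a module dark only where BOTH layers are
# dark, so each layer can hide the real code behind its own decoy modules.
DARK = (0, 0, 0)
LIGHT = (255, 255, 255)

def merge_layers(layer1, layer2):
    """Recombine two equally sized RGB grids, keeping the brighter pixel."""
    if len(layer1) != len(layer2) or any(len(a) != len(b) for a, b in zip(layer1, layer2)):
        raise ValueError("layers must have identical dimensions")
    return [[p1 if sum(p1) > sum(p2) else p2 for p1, p2 in zip(r1, r2)]
            for r1, r2 in zip(layer1, layer2)]

def dark_modules(grid):
    """Set of (row, col) positions darker than mid-grey."""
    return {(r, c) for r, row in enumerate(grid)
            for c, px in enumerate(row) if sum(px) < 3 * 128}

def split_with_decoys(code, decoys1, decoys2):
    """Constructed split: each layer = real dark modules + its own decoys.
    Decoy sets must be disjoint, or a shared decoy would survive the merge."""
    real = dark_modules(code)
    h, w = len(code), len(code[0])
    def layer(extra):
        dark = real | extra
        return [[DARK if (r, c) in dark else LIGHT for c in range(w)] for r in range(h)]
    return layer(decoys1), layer(decoys2)

# Constructed toy pattern (1 = dark module); not a decodable QR symbol.
CODE = [[DARK if bit else LIGHT for bit in row] for row in [
    [1, 1, 1, 0, 1, 0],
    [1, 0, 1, 0, 0, 1],
    [1, 1, 1, 0, 1, 0],
    [0, 0, 0, 0, 0, 0],
    [1, 0, 1, 0, 1, 1],
    [0, 1, 0, 0, 1, 0],
]]

def demo():
    """Split CODE with disjoint decoys, merge, and report how each image compares."""
    decoys1 = {(3, 1), (3, 3), (0, 3), (5, 5)}   # light in CODE, dark only in layer 1
    decoys2 = {(3, 0), (3, 5), (1, 1), (4, 3)}   # light in CODE, dark only in layer 2
    layer1, layer2 = split_with_decoys(CODE, decoys1, decoys2)
    merged = merge_layers(layer1, layer2)
    real = dark_modules(CODE)
    return {"layer1_extra": len(dark_modules(layer1) - real),
            "layer2_extra": len(dark_modules(layer2) - real),
            "merged_matches": merged == CODE}

if __name__ == "__main__":
    print(demo())
```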
About the author:
Yogesh Nagar is a content marketer specializing in the cybersecurity and B2B space. Besides writing for News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.