QR Code in Fake Benefits Handbook Links to Phishing Site
Attack Overview
Step 1: Phishing Email Posing as HR Update
The attacker impersonates the internal HR department and sends an email about an updated employee benefits handbook.

- Appears to come from an internal HR email address.
- Language references a benefits update.
- Includes a personalized greeting using the recipient’s name.
Step 2: Malicious Attachment Contains QR Code
The email includes a Word document attachment labeled as the updated benefits handbook, containing a QR code.

- Attached document is macro-free to avoid detection.
- QR code is embedded directly in the file.
- Scanning the code leads to an external site.
Step 3: Fake Microsoft Login Page with Cloudflare Turnstile
The QR code directs the user to a credential phishing site. The page mimics a Microsoft login prompt and includes a Cloudflare Turnstile to enhance perceived legitimacy.

- Cloudflare Turnstile on landing page delays detection and enhances realism.
- Site branding closely mimics Microsoft.
- Site harvests login credentials if submitted.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- File is a benign Word document without macros.
- QR code conceals the final phishing destination from link scanners.
- Language and sender appear consistent with HR updates.
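
The following is an added example, not part of the original report or of Abnormal's detection logic: a triage helper that unpacks a .docx attachment, confirms it carries no macro project, and passes each embedded image to a QR decoder so the hidden destination can be checked like any other link. It assumes an OOXML (.docx) file; `decode_qr` is a hypothetical caller-supplied function wrapping whichever QR library you use, and the sample document, decoder stub and URL are constructed.

```python
import io
import zipfile
from urllib.parse import urlparse

IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".emf")

def is_trusted(host, trusted_hosts):
    """True if host equals, or is a subdomain of, a trusted domain."""
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)

def triage_docx(docx_bytes, decode_qr, trusted_hosts):
    """Report macro presence, embedded images, and QR URLs outside trusted_hosts.

    decode_qr (assumption): image bytes -> decoded string, or None if no QR code.
    """
    findings = {"has_macros": False, "images": [], "untrusted_urls": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["has_macros"] = True  # macro project part present
            if lower.startswith("word/media/") and lower.endswith(IMAGE_EXTS):
                findings["images"].append(name)
                payload = decode_qr(zf.read(name))
                if not payload:
                    continue  # image is not a QR code
                url = payload.strip()
                host = (urlparse(url).hostname or "").lower()
                # Payloads that do not parse as a URL with a host are skipped.
                if host and not is_trusted(host, trusted_hosts):
                    findings["untrusted_urls"].append(url)
    return findings

def build_sample_docx():
    """Constructed sample: a macro-free .docx with one embedded image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"FAKE-QR-IMAGE")
    return buf.getvalue()

def fake_decoder(image_bytes):
    """Stand-in for a real QR decoder; returns a constructed URL."""
    if image_bytes == b"FAKE-QR-IMAGE":
        return "https://login.example.invalid/benefits"
    return None

if __name__ == "__main__":
    print(triage_docx(build_sample_docx(), fake_decoder, {"example.com"}))
```

A macro-free document that yields an untrusted QR URL is the pattern this report describes, so the extracted URL should go through the same reputation and sandbox checks applied to links in the message body.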
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Abnormal sender behavior and a new sender-recipient relationship.
- Thematic content and urgency around HR messaging.
- Behavioral analysis triggered based on delivery patterns and uncommon attachments.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
Please note that the exact detection mechanism in Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.