October 2, 2023

Researchers have spotted a phishing campaign that combines QR codes, expired Bing URL redirect links, and spoofed Microsoft security email targetted a large U.S. energy company in a test run for a wider upcoming Microsoft credential-stealing campaign.

The use of QR codes can be an effective way to trick mobile users into visiting malicious websites where they may unwittingly pass on credentials and personal information or have funds stolen.

Cofense security research is tracking an escalation of new QR code-based phishing campaigns over the past months and observee more than 1,000 emails containing malicious QR codes sent since the campaign began in May. The threat actors’ aim was to steal the Microsoft credentials of users from a wide range of industries, although a large, unnamed U.S.-based energy company had been the most prominent target, accounting for about 29% of the attacks.


Redirect URLs are generally used for marketing purposes and contain a “marketing string” used to track users’ search engine activity. In this campaign, the URLs also contained a Base64 encoded phishing link plus the victim’s email address.

Cofense observed the attackers using included krxd[.]com, which is associated with Salesforce’s SaaS solution and cf-ipfs[.]com, used for Cloudflare’s Web3 services.

The exponential growth in the number of phishing emails sent by the threat actors since the campaign began in May appeared to support the researchers’ activities.


The major focus of the campaign had been the energy sector, and the threat actors had also targeted other industries, most notably manufacturing, insurance, technology, and financial services.

There had been a large spike in emails sent in the second half of June, mainly targeting the large energy company, with activity ramping up again a month later, this time targeting the energy sector more broadly, plus other industries.

Mobile phones generally displayed a QR code’s target URL and asked the user to verify it before opening the page in a browser. While this offered a layer of protection, threat actors’ use of trusted URL redirects was an attempt to circumvent that protection.

Leave a Reply

%d bloggers like this: