What We Observed in This Attack
We observed that a targeted spear-phishing email containing a QR code was sent to an Accounts Payable user, bypassing Microsoft Defender for Office 365. When the QR code was scanned, it redirected the user to an Adversary-in-the-Middle (AiTM) phishing page, which covertly transmitted the MFA session token to an attacker, rendering MFA protection ineffective.
The attacker remained undetected within the environment for over two weeks, accessing financial SharePoint sites, manipulating vendor email threads, and suppressing security notifications, before being identified and fully contained.
Incidents like this underscore the importance of continuous monitoring through Managed Detection and Response (MDR) services or a dedicated 24/7 Security Operations Center (SOC) that can detect anomalous sign-ins and suspicious inbox rule creation in real time.
How the Phishing Attack Worked: Step by Step
- The QR code is a critical component to understand. Unlike a malicious link, which email security tools can scan and neutralise, a QR code is simply an image at the point of delivery. Its encoded URL remains hidden unless the security stack actively decodes it.
- The attacker embedded the QR code within a .eml attachment, adding an extra layer of obscurity, which proved effective: one out of three phishing emails bypassed the security filters.
- Upon scanning the code, the user was directed to an AiTM proxy page closely mimicking the Microsoft login experience in real time. The user completed MFA as usual, unknowingly sharing their session token with the attacker.
- Unbeknownst to them, the proxy intercepted the authenticated session token, allowing the attacker to replay the session from their infrastructure using automated tools, bypassing both credentials and MFA challenges.
- Sign-ins were observed from IPv6 addresses, with the attackers notably signing in from USA locations to evade detection. The axios HTTP client, a library for making HTTP requests from both browsers and Node.js, was instrumental in replaying the stolen session and bypassing MFA in O365; it left an axios/* user-agent signature in the sign-in logs.
- Once inside, the attacker gained access to both the user’s mailbox and the Accounts Payable shared mailbox.
- Over the following weeks, the attacker accessed sensitive SharePoint sites, created hidden inbox rules to archive security-related emails, registered their own MFA device for persistence, and made several attempts to manipulate vendor bank details.
- One attempt involved registering multiple typo-squat domains on the same day to initiate new email chains and infiltrate existing ones, signalling a clear exfiltration effort. Although no fraudulent payments were confirmed, the risk was significant.
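The delivery trick in the first two steps (a QR code that is only an image at delivery time, hidden one level deeper inside a .eml attachment) can be surfaced with plain MIME parsing. The following is an added example, not code from the original write-up: it builds a constructed message that mirrors that structure, then walks every part, including parts nested inside message/rfc822 attachments, and returns each image it finds together with its nesting depth so the security stack knows which images to hand to a QR decoder. The PNG bytes, addresses and subjects are all constructed; the handoff to an actual QR decoding library is outside this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed stand-in for an image attachment: just a PNG signature plus padding.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def build_sample_eml() -> bytes:
    """Constructed sample: an outer mail carrying a .eml attachment whose inner
    message holds the image (the nesting described in the write-up)."""
    inner = EmailMessage()
    inner["From"] = "remittance@vendor.example"
    inner["To"] = "ap@company.example"
    inner["Subject"] = "Remittance advice"
    inner.set_content("Scan the code to view the remittance details.")
    inner.add_attachment(PNG_STUB, maintype="image", subtype="png", filename="qr.png")

    outer = EmailMessage()
    outer["From"] = "forwarder@vendor.example"
    outer["To"] = "ap@company.example"
    outer["Subject"] = "FW: Remittance advice"
    outer.set_content("Please see the attached message.")
    outer.add_attachment(inner, filename="remittance.eml")  # becomes message/rfc822
    return bytes(outer)


def _walk(part, depth):
    """Yield (nesting depth, part) for every MIME part; depth increases each time
    we descend through a message/rfc822 container (an attached .eml)."""
    yield depth, part
    if part.is_multipart():
        child_depth = depth + 1 if part.get_content_type() == "message/rfc822" else depth
        for child in part.get_payload():
            yield from _walk(child, child_depth)


def image_parts(raw: bytes) -> list:
    """Return every image part in the mail, with its filename and how many
    attached-message layers it sits behind. Anything returned here should be
    decoded for QR content before delivery."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for depth, part in _walk(msg, 0):
        if part.get_content_maintype() == "image":
            found.append({
                "content_type": part.get_content_type(),
                "filename": part.get_filename(),
                "nested_depth": depth,
                "size": len(part.get_payload(decode=True)),
            })
    return found


def needs_qr_inspection(raw: bytes) -> bool:
    """True when the mail carries any image, so a naive 'scan the links' filter
    would miss an encoded URL."""
    return bool(image_parts(raw))


if __name__ == "__main__":
    sample = build_sample_eml()
    for hit in image_parts(sample):
        print(hit)
    print("needs QR inspection:", needs_qr_inspection(sample))
```

A filter that only inspects top-level attachments would stop at the .eml and never see qr.png; reporting the nesting depth lets the pipeline treat a buried image as a stronger signal than a plain inline logo.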
Key Indicators Identified
| Type | Value |
| --- | --- |
| Phishing Sender | hand@handprecision[.]com |
| Primary Attacker IP | 23.148.144[.]92 |
| Secondary Attacker IP | 144.172.92[.]184 |
| AiTM Session IP (IPv6) | 2a0d:5600:24:ff21:0:1:6b36[:]e2f6 |
| Third Attacker IP | 23.148.144[.]231 |
| Malicious UserAgent | axios/1.13.4 |
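The indicators above and the sign-in behaviour described earlier (an axios/* user agent, and IPv6 sources appearing for a user whose history is IPv4) can be turned into a small triage routine over sign-in records. This is an added example, not tooling from the original write-up: it refangs the IOCs as printed in the table, matches them against a constructed, simplified SigninLogs-like record list, and flags scripted HTTP client user agents and address-family changes against a per-user baseline. The sample records, the field names and the extra user-agent prefixes beyond axios are this example's own assumptions.

```python
import ipaddress
import re

# Indicators from the write-up, kept in their defanged form.
INCIDENT_IOCS = [
    "23.148.144[.]92",
    "144.172.92[.]184",
    "23.148.144[.]231",
    "2a0d:5600:24:ff21:0:1:6b36[:]e2f6",
]

# The incident's replay tooling identified itself as axios/*; the other prefixes
# are common scripted HTTP clients, added here to generalise the check.
SCRIPTED_UA = re.compile(r"^(axios|python-requests|node-fetch|go-http-client|curl)/", re.IGNORECASE)

# Constructed sign-in records in a simplified shape, ordered oldest first.
SAMPLE_SIGNINS = [
    {"user": "ap.user@example.com", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36"},
    {"user": "ap.user@example.com", "ip": "2a0d:5600:24:ff21:0:1:6b36:e2f6", "ua": "axios/1.13.4"},
    {"user": "ap.user@example.com", "ip": "23.148.144.92", "ua": "axios/1.13.4"},
    {"user": "finance.lead@example.com", "ip": "2001:db8::42",
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) AppleWebKit/605.1.15 Safari/605.1.15"},
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (23.148.144[.]92, ...6b36[:]e2f6) back into a parsable address."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def triage_signins(signins, iocs=INCIDENT_IOCS) -> list:
    """Return one finding per suspicious sign-in, each with the reasons it was flagged.

    The address-family baseline is the IP version of the user's earliest record in the
    input, so the input must start before the suspected compromise window."""
    ioc_addrs = {ipaddress.ip_address(refang(i)) for i in iocs}
    baseline_family = {}  # user -> IP version seen on their first record
    findings = []
    for s in signins:
        addr = ipaddress.ip_address(s["ip"])
        reasons = []
        if addr in ioc_addrs:
            reasons.append("source address matches an incident indicator")
        if SCRIPTED_UA.match(s["ua"]):
            reasons.append(f"scripted HTTP client user agent: {s['ua']}")
        baseline = baseline_family.setdefault(s["user"], addr.version)
        if addr.version != baseline:
            reasons.append(f"IPv{addr.version} source, but this user's baseline is IPv{baseline}")
        if reasons:
            findings.append({"user": s["user"], "ip": s["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_signins(SAMPLE_SIGNINS):
        print(f["user"], f["ip"])
        for r in f["reasons"]:
            print("  -", r)
```

The IOC match is the weakest of the three signals operationally, since attacker infrastructure changes, whereas a non-browser user agent completing an interactive sign-in and a sudden switch in address family for a single user both survive a change of IP.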
What This Means for Organizations Using MFA
AiTM phishing completely undermines traditional MFA at the session level, and QR codes allow attackers to evade email security detection. The attacker had unrestricted access to financial mailboxes, engaged in live conversations with vendors about bank changes, and suppressed inbox notifications to remain undetected.
Ultimately, a fraudulent payment was averted only because a recipient noticed suspicious activity.
How to Prevent QR Code Phishing Attacks
- Educate users on the phishing tactics attackers use, and reinforce this with relevant, periodic training.
- Add QR code inspection to your email security stack. This is the gap that enabled initial access. Without it, this attack vector remains wide open.
- Send alerts on new MFA device registration on existing accounts. In this incident, the attacker registered a persistence device three days in. That event should never be silent.
- Enable phishing-resistant authentication for all users, and especially for privileged users.
- Allow sign-ins from compliant devices only, and enable token protection in Microsoft Entra ID.
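Two of the post-compromise actions in the narrative (hidden inbox rules that archive security-related mail, and a new MFA device registered three days in) and the recommendation to alert on that registration can both be checked from audit records. The following is an added example, not code from the original write-up: it runs over a constructed, simplified list of unified-audit-style records, scores New-InboxRule / Set-InboxRule events by whether they hide mail that mentions security or payment terms, and raises every security-info registration for out-of-band confirmation. The keyword lists, folder names and record shape are this example's own assumptions; the Entra activity names should be matched against your tenant's actual log schema.

```python
# Rule actions that make mail disappear from the user's view (New-InboxRule parameter names).
HIDING_ACTIONS = {"MoveToFolder", "DeleteMessage", "MarkAsRead", "StopProcessingRules"}
# Terms an attacker suppresses (security notices) or hunts for (payment threads); example's choice.
SENSITIVE_TERMS = ("security", "suspicious", "sign-in", "mfa", "password",
                   "invoice", "bank", "payment", "remittance")
# Folders users rarely open; a rule routing mail here is a classic concealment pattern.
LOW_VISIBILITY_FOLDERS = {"archive", "deleted items", "junk email", "rss feeds",
                          "rss subscriptions", "conversation history"}
# Entra audit activity names for authentication-method registration (verify against your schema).
MFA_REGISTRATION_OPS = ("User registered security info", "User registered all required security info")

# Constructed audit records in a simplified shape.
SAMPLE_AUDIT = [
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "ap.user@example.com",
     "ClientIP": "23.148.144.92",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "security alert;unusual sign-in;MFA"},
                    {"Name": "MoveToFolder", "Value": "Archive"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "other@example.com",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Workload": "AzureActiveDirectory", "Operation": "User registered security info",
     "UserId": "ap.user@example.com", "ClientIP": "144.172.92.184"},
    {"Workload": "Exchange", "Operation": "MailItemsAccessed", "UserId": "ap.user@example.com",
     "ClientIP": "23.148.144.92"},
]


def _params(record) -> dict:
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def inbox_rule_findings(record) -> list:
    """Reasons an inbox-rule event looks like concealment; empty list if it looks benign."""
    p = _params(record)
    hiding = sorted(HIDING_ACTIONS & p.keys())
    if not hiding:
        return []
    reasons = []
    conditions = " ".join(v for k, v in p.items() if "ContainsWords" in k).lower()
    hits = [t for t in SENSITIVE_TERMS if t in conditions]
    if hits:
        reasons.append(f"acts on mail mentioning {', '.join(hits)} via {', '.join(hiding)}")
    folder = p.get("MoveToFolder", "").lower()
    if folder in LOW_VISIBILITY_FOLDERS:
        reasons.append(f"routes mail to low-visibility folder '{p['MoveToFolder']}'")
    name = p.get("Name", "")
    if not name.strip(". _-"):
        reasons.append(f"rule name is effectively blank ({name!r})")
    return reasons


def triage_audit(records) -> list:
    """Walk audit records and return the events a SOC should act on, with reasons."""
    findings = []
    for r in records:
        reasons = []
        if r["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            reasons = inbox_rule_findings(r)
        elif r["Operation"] in MFA_REGISTRATION_OPS:
            reasons = ["new authentication method registered; confirm with the user out of band"]
        if reasons:
            findings.append({"user": r["UserId"], "operation": r["Operation"],
                             "ip": r.get("ClientIP"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_audit(SAMPLE_AUDIT):
        print(f["operation"], f["user"], f["ip"])
        for reason in f["reasons"]:
            print("  -", reason)
```

A benign rule that files a newsletter produces no finding, while the rule that archives anything mentioning security alerts or MFA, with a one-character name, is flagged on three counts; the registration event is raised unconditionally because, as the write-up notes, that event should never be silent.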