{
	"id": "5068982b-b286-4fba-9e4b-3d55f8611cb6",
	"created_at": "2026-04-06T00:19:41.534151Z",
	"updated_at": "2026-04-10T13:12:50.966553Z",
	"deleted_at": null,
	"sha1_hash": "8acf0ea3b1a2e3e0e40dc7b59740e43a3487ab3f",
	"title": "Major Energy Company Targeted in Large QR Code Phishing Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 315235,
	"plain_text": "Major Energy Company Targeted in Large QR Code Phishing\r\nCampaign\r\nArchived: 2026-04-05 22:53:30 UTC\r\nBy: Nathaniel Raymond\r\nSince May 2023, Cofense has observed a large number of QR code phishing campaigns targeting the\r\nMicrosoft credentials of users from a wide array of industries. The most notable target, a major Energy company\r\nbased in the US, received about 29% of the more than 1000 emails containing malicious QR codes. \r\nThe other top 4 targeted industries include Manufacturing, Insurance, Technology, and Financial Services, seeing 15%,\r\n9%, 7%, and 6% of the campaign traffic respectively. Most of the phishing links were Bing redirect\r\nURLs, but other notable domains include krxd[.]com (associated with the Salesforce application) and cf-ipfs[.]com (Cloudflare’s Web3 services). Historically, QR codes have not been a popular\r\nchoice because of the limited ways in which users can interact with them. \r\nHowever, they have several advantages over a phishing link embedded directly in an email. QR code delivery\r\nmethods have a much better chance of reaching an inbox because the phishing link is hidden inside the QR image, while\r\nthe QR image is embedded inside a PNG image or PDF attachment.\r\nKey Points\r\nA campaign has been observed delivering emails that spoof Microsoft security notifications and contain\r\nPNG or PDF attachments asking the user to scan a QR code. The most notable target of the\r\ncampaign is a major US Energy company.\r\nThe average month-to-month growth percentage of the campaign is more than 270%. 
The overall campaign\r\nhas increased by more than 2,400% since May 2023.\r\nQR codes are not historically popular as they are limited in the way a user can interact with them.\r\nScanning a QR code is limited to the mobile device used, which provides the user with a sneak peek of the\r\nlink embedded in the QR code and asks whether the user wishes to go to the link.\r\nScanning a QR code on a mobile device puts the user outside the protections of the enterprise environment.\r\nCofense has not historically seen large malicious campaigns utilizing QR codes. This may indicate that\r\nmalicious actors are testing the efficacy of QR codes as a viable attack vector.\r\nThe Energy Company Campaign\r\nWhile the QR code phishing campaign affected multiple industries, a major US-based Energy company was the\r\nfocus. Most of the phishing emails contain PNG image attachments delivering Microsoft credential phishing links\r\nor phishing redirects via an embedded QR code, with the majority of them being Bing redirect URLs. \r\nhttps://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/\r\nPage 1 of 5\n\nEmail lures took the form of requests to update account security surrounding 2FA, MFA, and general account security.\r\nThe Energy company saw 29% of the overall volume; however, the company saw 81% of the campaign in which\r\nBing redirect URLs were being used.\r\nThe Bing Redirect URL \r\nA major contributor to the campaign is the Bing redirect, as shown in Figure 2. While Bing is a legitimate domain\r\nowned by Microsoft, Bing redirect URLs, which were originally meant for marketing purposes, can also be used for\r\nmalicious purposes. \r\nFigure 2 highlights portions of the Bing URL, including the marketing section, the malicious section, and\r\nwhere the phishing link is encoded in base64. However, the link shown below is a sample of the structure of most\r\nURLs seen in QR code phishing campaigns. 
\r\nThis tactic of encoding phishing links in redirects and sending the victim’s email with it is not new. What is\r\nimportant to note is that, aside from hiding in QR codes, threat actors are abusing a trusted domain to carry out attacks.\r\nAbusing trusted domains and using obfuscation tactics, coupled with hiding the URLs inside QR codes embedded\r\ninto a PNG or PDF attachment, helps ensure that emails bypass security and make it into inboxes. \r\nFigure 2: Bing Redirect URL \r\nOver 2,400% Increase in Malicious QR Code Phishing Volume \r\nAlthough the overall campaign involved many domains, Bing redirect URLs made up the largest portion of\r\nthe campaign, accounting for 26% of the overall campaign phishing links used in the QR codes, followed by the\r\nSalesforce application URL at 15%. Figure 3 shows the top 5 domains used in the campaign to distribute\r\ncredential phishing. \r\nFigure 3: Top 5 Domains Used in QR Code Campaign\r\nEven though the Energy company itself was observed to be the focus of the threats, the Energy sector was a major\r\nfocus for the campaign overall, followed by Manufacturing, as demonstrated by Figure 4. The increase in volume in\r\nthe Energy sector was due to a large 2-day campaign in late June, as shown in Figure 6. \r\nFigure 4: Volume by Industry \r\nFrom the beginning of the campaign in May, we have seen an average month-to-month increase of roughly 270%,\r\nwith May to June being the biggest jump at around 500%, and around 155% from June to July, as shown in Figure\r\n5. Since May, there has been an increase of more than 2,400% in QR code phishing in emails. \r\nFigure 5: Month-To-Month Volume\r\nTrend Analysis \r\nWhile it is impossible to predict the future of a phishing campaign, we can look at the historical trend set by the\r\ncampaign itself. 
Figure 6 shows an upward trend from May to August, with a major outlier in late June;\r\nthis can indicate testing and deployment phases. \r\nCofense observed that the outlier in question was the bulk of the emails with QR codes targeting the major Energy\r\ncompany. Around the middle of July, a multi-week campaign began that has targeted a multitude of industries,\r\nincluding continued targeting of the Energy sector.\r\nFigure 6: Volume Trends by Date\r\nThe Problem with QR Codes \r\nAlthough QR code phishing is advantageous for getting malicious emails into users’ inboxes, it may fall short of\r\nbeing efficient at getting the user to the phish. This shortcoming is due to the nature of QR codes, as they need to\r\nbe scanned by an image-capturing device. While online scanners exist and will show you where the QR code is\r\ngoing, the user is prompted to scan the code with their mobile device’s camera, as seen in Figure 1. \r\nHowever, modern mobile devices also show the embedded artifact and ask the user to verify the URL before\r\nlaunching a browser to the link, which allows the user to see where the link is going before accepting. This is\r\nshowcased in Figure 7, where a mobile device shows that the QR code in question leads to cofense.com. \r\nFigure 7: QR Code Verification \r\nThe QR Code Phishing Solution \r\nWhile QR codes do have legitimate uses, malicious actors also have reasons to use them.\r\nFirst, QR codes with malicious artifacts can reach inboxes, and the malicious link is hidden in the QR\r\ncode. Second, they can be embedded into other images to disguise the QR code as an image attachment, or\r\nas an embedded image in a PDF file. 
\r\nWhile automation such as QR scanners and image recognition can be the first line of defense, it is not always\r\nguaranteed that the QR code phishing will be picked up, especially if it is embedded into a PNG or PDF file.\r\nTherefore, it is also imperative that employees are trained not to scan QR codes in emails they receive. This will\r\nhelp ensure that accounts and businesses remain secure. \r\nSource: https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/"
	],
	"report_names": [
		"major-energy-company-targeted-in-large-qr-code-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434781,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8acf0ea3b1a2e3e0e40dc7b59740e43a3487ab3f.pdf",
		"text": "https://archive.orkl.eu/8acf0ea3b1a2e3e0e40dc7b59740e43a3487ab3f.txt",
		"img": "https://archive.orkl.eu/8acf0ea3b1a2e3e0e40dc7b59740e43a3487ab3f.jpg"
	}
}