
Quishing on Labor Day




Happy Friday, my friend. Over the past month, researchers uncovered a new quishing campaign targeting Microsoft Office users by using Microsoft Sway, a free online alternative to PowerPoint that's now causing huge problems for Microsoft.


What is quishing? It sounds sus.


Quishing is when bad guys insert a QR code into an email, a website or public places such as parking meters and try to get victims to scan it with their phones. Phones don't typically have security safeguards on them, so the QR code can take victims to fake login pages (to steal usernames, passwords and private info) or malware-infected sites that download spyware onto phones.


The pandemic normalized QR code scanning. Before then it was pretty fringe and something that mostly nerds like me played with. And, as you guessed, the bad guys have taken advantage.


What is Microsoft Sway and how are hackers using it to quish?


Sway is a free app that's part of Microsoft 365 that allows users to create interactive designs for presentations, newsletters, documentation, and more. The bad guys are setting up fake accounts, making presentations with a malicious QR code, then sending out email invites.


They're targeting US-based companies in the technology, manufacturing and finance sectors. The reason they're having such success is that a) the emails are coming from legitimately created Microsoft accounts and b) email scanning services such as Defender, Proofpoint and Mimecast can't scan QR code images for malicious links, so they're ineffective against these types of attacks.


The Takeaway


When in doubt, check the website URL of the site that the QR code took you to. The bad guys can make convincing websites but have a hard time making the URL appear legitimate.

Most mobile phones, including company-issued ones, don't have the same kind of lockdowns computers do. This means that bad website links can be opened from them by accident.

The most important thing is to not download apps that may pop up after scanning a QR code. If you're on a site that seems to be asking you for a password or any personal information, close it right away.

Use common sense - the bad guys are more clever than ever.
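
For the technically inclined, here is the "check the URL" advice as a small Python check a help desk or security team could run on the link a QR code decodes to. This is an added example, not part of the original newsletter; the list of trusted sign-in hosts and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of genuine Microsoft sign-in hosts; adjust for your organisation.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}

def check_qr_url(url: str) -> tuple:
    """Return (trusted, reason) for a link decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "link could not be parsed"
    if parts.scheme != "https":
        return False, "not an https link"
    if not host:
        return False, "link has no host"
    # Anything before '@' is login info, not the site: the real host comes after it.
    if parts.username is not None:
        return False, f"text before '@' is decoration, real host is {host}"
    # Non-ASCII or punycode labels can imitate a trusted name letter for letter.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "internationalised host, possible lookalike"
    if host in TRUSTED_LOGIN_HOSTS:
        return True, f"{host} is an expected sign-in host"
    # A trusted name used as a prefix or subdomain of some other site.
    for trusted in TRUSTED_LOGIN_HOSTS:
        if trusted in host:
            return False, f"{trusted} appears inside {host} but is not the site"
    return False, f"{host} is not an expected sign-in host"

# Constructed sample links (reserved .example names, not real indicators).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.account-verify.example/signin",
    "https://login.microsoftonline.com@qr-landing.example/",
    "http://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        trusted, reason = check_qr_url(link)
        print("OK  " if trusted else "STOP", link, "->", reason)
```
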


Stay safe out there.

-A


New Friday Funnies


A woman in labor suddenly shouted, “Shouldn’t! Wouldn’t! Couldn’t! Didn’t! Can’t!”

The doctor replied, “Don’t worry, those are just contractions.”

(It was a great delivery from the doctor...)


Most people enjoy the day off on Labor Day except for fire.

Fire works on Labor Day







Have you met Jason? Jason Richard is the newest addition to the Cypac team.

Fun fact: Jason can do one-handed pushups. Can you?

Feel free to email him at jason@cypac.com to say hi or give him a ring at 808-797-2767.



