Hackers have found a new way to scam you, and this one can affect not just individuals but entire organisations and companies. Cybersecurity researchers at Microsoft have warned that QR code phishing attacks are rising rapidly, as fraudsters are now using fake emails, PDF files and even CAPTCHA pages to steal login credentials from users.

According to Microsoft Defender Research, cybercriminals recently targeted more than 35,000 users across over 13,000 organisations in 26 countries. Most victims were in the United States, but the attack method can easily be used anywhere, including India.

The scam starts with what looks like a genuine office or HR-related email. These emails often mention compliance issues, internal conduct reviews, or policy violations to create panic and urgency. The message then asks users to open an attached PDF file or scan a QR code to review 'important documents'.

"What makes these attacks dangerous is how real they look. The emails use professional layouts, official-sounding names, and even trusted services to appear legitimate," the Microsoft researchers said in a blog post.
In some cases, users are shown CAPTCHA verification pages before reaching the fake login screen. This extra step makes people believe the website is secure and genuine.

Once users continue, they are redirected through multiple pages that finally lead to a fake Microsoft sign-in screen. Here, hackers use what is known as an adversary-in-the-middle (AiTM) attack. In simple words, the scam page secretly captures login sessions and authentication tokens in real time. This means attackers may gain access to accounts even if multifactor authentication (MFA) is enabled.

As per Microsoft, QR code phishing and advanced email scams are becoming harder to detect because attackers are now combining social engineering with legitimate-looking tools and websites. Traditional spam filters may also fail to identify such emails because the messages appear authenticated and professionally designed, the tech giant said.

The company has advised organisations to improve employee awareness, enable phishing-resistant MFA methods and use advanced email protection tools. Users are also advised not to blindly scan QR codes received through emails, especially if the message creates fear or pressure.
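The difference between MFA that an adversary-in-the-middle page can relay and the "phishing-resistant MFA" Microsoft recommends comes down to origin binding. The following simulation is an added example written for this article, not code from Microsoft or from any product it mentions; it uses only the Python standard library. A one-time code (RFC 6238 TOTP) carries no information about which web page it was typed into, so a look-alike page that simply forwards it to the real service gets a valid login. A FIDO2/WebAuthn assertion, by contrast, is signed over client data that the browser fills in with the page's origin, so the real service can reject any assertion produced on a page whose origin is not its own. The origins, users and keys are constructed, and an HMAC with a key shared between authenticator and service stands in for the asymmetric signature a real authenticator would produce (a simplification made so the example runs offline).

```python
"""Why origin-bound MFA survives a relaying sign-in page and a one-time code
does not. Stand-alone simulation; every origin, user and key is constructed."""
import hashlib
import hmac
import json
import os

# Constructed origins for the simulation (not real hosts).
REAL_ORIGIN = "https://login.example-corp.test"          # the genuine sign-in page
RELAY_ORIGIN = "https://login.example-corp-review.test"  # a look-alike page that forwards traffic


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Nothing in the code depends on the page the
    user typed it into, which is why a forwarded code still verifies."""
    counter = (unix_time // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """Models a WebAuthn authenticator. The browser, not the user, reports the
    origin of the page requesting the assertion, and that origin is signed."""

    def __init__(self, credential_id: str, key: bytes):
        self.credential_id = credential_id
        self.key = key

    def get_assertion(self, challenge: str, page_origin: str) -> dict:
        client_data_json = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
            sort_keys=True)
        # Simplification: HMAC with a key shared with the relying party stands in
        # for the asymmetric signature a real authenticator produces.
        signature = hmac.new(self.key, client_data_json.encode(), hashlib.sha256).hexdigest()
        return {"credential_id": self.credential_id,
                "client_data_json": client_data_json,
                "signature": signature}


class RelyingParty:
    """The genuine service. It knows its own origin and rejects any assertion
    whose signed origin differs, even when the signature itself is valid."""

    def __init__(self, origin: str):
        self.origin = origin
        self.totp_secrets = {}      # user -> TOTP secret
        self.credential_keys = {}   # credential id -> verification key
        self.pending = {}           # user -> outstanding challenge

    def enroll_totp(self, user: str, secret: bytes) -> None:
        self.totp_secrets[user] = secret

    def enroll_webauthn(self, user: str, credential_id: str, key: bytes) -> None:
        self.credential_keys[credential_id] = key

    def issue_challenge(self, user: str) -> str:
        challenge = os.urandom(16).hex()
        self.pending[user] = challenge
        return challenge

    def verify_totp(self, user: str, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(totp(self.totp_secrets[user], unix_time), code)

    def verify_assertion(self, user: str, assertion: dict) -> bool:
        expected = self.pending.pop(user, None)
        data = json.loads(assertion["client_data_json"])
        if expected is None or data.get("challenge") != expected:
            return False
        if data.get("origin") != self.origin:   # origin binding: the phishing-resistant check
            return False
        key = self.credential_keys.get(assertion["credential_id"])
        if key is None:
            return False
        mac = hmac.new(key, assertion["client_data_json"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, assertion["signature"])


def totp_login(page_origin: str) -> bool:
    """User enters a TOTP code on the page at page_origin; a relay page forwards
    the six digits unchanged. Returns whether the real service accepts them."""
    rp = RelyingParty(REAL_ORIGIN)
    secret = b"constructed-totp-secret"
    rp.enroll_totp("alice", secret)
    now = 1_700_000_000                     # fixed clock so the run is deterministic
    code_typed = totp(secret, now)          # what the user's app shows
    return rp.verify_totp("alice", code_typed, now)   # page_origin plays no part


def webauthn_login(page_origin: str) -> bool:
    """User completes a WebAuthn ceremony on the page at page_origin; a relay
    page forwards the challenge and the assertion unchanged."""
    rp = RelyingParty(REAL_ORIGIN)
    auth = Authenticator("cred-1", b"constructed-credential-key")
    rp.enroll_webauthn("alice", "cred-1", auth.key)
    challenge = rp.issue_challenge("alice")
    assertion = auth.get_assertion(challenge, page_origin)  # browser supplies the page origin
    return rp.verify_assertion("alice", assertion)


if __name__ == "__main__":
    for label, fn in (("TOTP", totp_login), ("WebAuthn", webauthn_login)):
        print(f"{label}: direct login accepted={fn(REAL_ORIGIN)}, "
              f"via relay page accepted={fn(RELAY_ORIGIN)}")
```

Running it shows the TOTP login accepted from both origins and the WebAuthn login accepted only from the real origin. The same origin check is what makes a relayed assertion fail in practice; a session cookie issued after a successful password-plus-code login carries no such binding, which is why the article's advice is phishing-resistant MFA rather than MFA in general.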
According to cybersecurity experts, the biggest red flag is urgency. If an email asks you to immediately verify your account, review a complaint, or scan a QR code for confidential information, it is better to verify the sender first before clicking anything.

"Organisations can defend against financial fraud initiated through phishing emails by educating users about phishing lures, investing in advanced anti-phishing solutions like Microsoft Defender for Office 365 and configuring essential email security settings, and encouraging users to employ web browsers that support SmartScreen. Organisations can also enable network protection, which lets Windows use SmartScreen as a host-based web proxy," the researchers said in a blog post.