While this method isn’t new, it remains a prevalent phishing tactic.

It works by diverting users away from their secured devices, prompting them to scan and log in via their phones, which are often unmanaged. These devices typically lack protection from Microsoft Defender for Endpoint (MDE) and Defender for Office (URL Click).

Configuring Conditional Access (CA) can block sign-ins from unsupported or unmanaged apps on personal devices, ensuring only official Microsoft apps are used. Identity protection is vital in this scenario, as phishing attempts are frequently detected after the fact.

Recommendations

To mitigate the risk of phishing attacks involving QR codes targeting Microsoft accounts, follow these steps:

  • Provide training and raise awareness about QR code phishing, as it is uncommon for documents to include QR codes directing users to external sites.
  • Implement Conditional Access to prevent users from signing into their Microsoft accounts on personal devices.
  • Where applicable, use Entra SSO with third-party applications to protect access and enable monitoring through existing identity protection tools.