This article explains how QR Code scanning allows Mimecast to scan the URL payload decoded from a QR Code and determine whether it points to a phishing or credential harvesting site. It is intended for use by Administrators.
Prerequisites
- Basic Administrator role or above for the Mimecast Administration Console.
- A URL Protect Policy has been configured and enabled.
QR Code Scanning
QR Code Attack Scenarios
Mimecast has identified malicious phishing attacks delivered by QR codes in the following scenarios:
- Malicious QR Code in the email message body.
- Malicious QR Code in an email message attachment.
How it works
When one of these attack scenarios is identified, Mimecast scans the URL encoded in the QR code and makes a determination in line with your URL Protect Policy and Definition settings, rejecting or holding the message if the URL is found to be a threat. Mimecast does not remove or strip the QR Code from the message.
Email Message Body
Mimecast deep scans the URLs decoded from QR Code images embedded within the email message body itself, to provide reliable, accurate decisions on potentially malicious QR Codes.
Attachment Scanning
Mimecast's QR Code scanning protects customers against malicious QR codes within email attachments. Provided an active URL Protect policy is configured, this feature is available for Inbound, Outbound, and Internal messages.
In addition, Mimecast can scan for and hold emails containing any QR code. Mimecast scans the email body and attachments for the presence of a QR code. This is configured via Attachment Management (see the QR Code Image Setting below).
Mimecast scans attachments for embedded QR codes as part of its advanced URL Protect feature:
- If a QR code is found within an attachment, Mimecast extracts the QR code and analyzes its content.
- If the extracted QR code contains an embedded URL, that URL is extracted and sent for further scanning and evaluation in accordance with your configured URL Protect policies.
Because QR codes are very common, and detection via Attachment Management flags every QR code in email bodies and attachments, be aware that enabling it may result in a large number of held messages. An Attachment Management bypass policy, or an Attachment Management policy without QR code detection enabled, is the easiest way to avoid holds for QR codes.
We recommend configuring a 90% Probability threshold for the QR Code Image Setting to avoid False Positive Detections.
Anti-Spam Layer
Mimecast now combines the QR Code scanning results from the email message body with the thousands of other signals it extracts from an email. If the combination of these signals resembles a QR Code-based phishing campaign, the email's spam score is increased.
The higher our confidence in detecting a particular QR Code phishing campaign, the higher the spam score will be.
Depending on this spam score and the spam scanning policy set by the customer, the email is placed on User Hold or Admin Hold, or Rejected. Mimecast will not remove the QR Code.
Troubleshooting
Bypassing False Positives
You can note the identified URL from the Rejected Messages information and add it to the Managed URLs allow list. Allow up to 30 minutes for the update to take effect. Alternatively, a URL Protect bypass policy scoped to the sender will also allow the false positive message containing the identified QR code to be sent outbound.
Note that a sender-based bypass policy bypasses all URL scanning, not only QR Code scanning, for messages from the specified sender(s) covered by that definition.