LetsDefend SOC251 - Quishing Detected (QR Code Phishing)

Welcome to LetsDefend SOC251 - Quishing Detected (QR Code Phishing). Without wasting too much time, let's get stuck in.

To take ownership of this alert, all we have to do is click on the person icon with the little plus on it. Since a SOC is made up of multiple members, it is essential to take ownership of the alert so that several people don't waste time working on the same one. There are a lot of alerts, so we need all hands on deck!!


Next, we need to search log analysis for the SMTP address we found in the alert breakdown.

Let's read the email to get a better understanding of what the user was being asked to do.

Below is the evidence that Claire clicked the link: she visits the redirection website two minutes after receiving the email.
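
The check above (did the recipient reach the email's link shortly after delivery?) can be scripted over exported logs. This is an added example, not part of the LetsDefend lab or the original post; the mail-gateway and proxy records, hosts, addresses and timestamps below are constructed placeholders, and the 15-minute window is an assumed tuning value.

```python
"""Correlate phishing-email delivery with proxy visits to the email's URL host.

Added example (not from the original post). All log data is constructed.
"""
from datetime import datetime
from urllib.parse import urlparse

# Constructed mail-gateway export: recipient, sender, delivery time, URL in body.
MAIL_LOG = [
    {"recipient": "claire@example.test", "sender": "it-support@attacker.example",
     "received": "2024-01-15T09:00:00", "url": "http://redirect.attacker.example/qr"},
    {"recipient": "bob@example.test", "sender": "it-support@attacker.example",
     "received": "2024-01-15T09:00:05", "url": "http://redirect.attacker.example/qr"},
]

# Constructed proxy export: "<ISO timestamp> <user> <destination host>".
PROXY_LOG = [
    "2024-01-15T08:59:00 claire@example.test intranet.example.test",
    "2024-01-15T09:02:00 claire@example.test redirect.attacker.example",
    "2024-01-15T12:30:00 bob@example.test news.example.test",
]


def parse_proxy_line(line):
    """Split one proxy record into (timestamp, user, host)."""
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user, host


def clicked_within(mail_log, proxy_log, window_minutes=15):
    """Map each recipient who reached the email's URL host within
    window_minutes after delivery to the delay (minutes) of the first visit."""
    events = sorted(parse_proxy_line(line) for line in proxy_log)
    hits = {}
    for msg in mail_log:
        delivered = datetime.fromisoformat(msg["received"])
        target = urlparse(msg["url"]).hostname
        for visited, user, host in events:
            if user != msg["recipient"] or host != target:
                continue
            delay = (visited - delivered).total_seconds() / 60
            if 0 <= delay <= window_minutes:  # ignore visits before delivery
                hits[msg["recipient"]] = delay
                break
    return hits


if __name__ == "__main__":
    for user, delay in clicked_within(MAIL_LOG, PROXY_LOG).items():
        print(f"{user} reached the link {delay:.0f} min after delivery: contain host")
```

Recipients who received the email but never reached the link (Bob here) are not flagged, which mirrors the distinction the walkthrough draws between the mailbox owner and the user who actually clicked.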

Re-analyzing gives more accurate results. This shows us that the IP is suspicious, as 6 security vendors flagged it as malicious.

Claire is the user who received the email, and because she clicked the link she has to be contained.

Disclaimer: I got the last answer wrong because, since the email requests you to scan the QR code on your host machine or even your phone, I assumed it is more interested in the victim device. However, it is fishing for information.

*The investigation took time because of taking snips and documenting the blog.
