QR Phishing with MDO

Tue Nov 07, 23 | MDO | Security

Previsouly, I wrote about QR Phishing and the many challenges it poses to current cyber awareness training, and defensive tools. As this is a growing trend it is important for companies to incorporate this type of phishing method into existing cyber training and awareness. Specifically, this post will detail how to use Microsoft Defender for Office to generate a QR Phishing campaign.

Similar Posts

While writing this post I was made aware of another post on the same topic by one of the Microsoft Defender for Office PMs. I would encourage you to check out Cam’s post and the QR code project he published if you are looking for ways to implement this in your organization.

Custom Payload

Currently, QR Phishing payloads are not available in MDO but MDO does allow for custom payload creation so it is still possible but a little more complex.

Don’t waste time

  1. You can’t generate the QR Code before the campaign and put it in the payload, it must be dynamically generated.
  2. The payload message accepts HTML, but will strip out Javascript which is really sad because this Javascript QR Code generation library is super easy to use.
  3. There are several QR Code generation projects on GitHub, and QRCoder is what I used for the example below.

MS Subscription Email

Rather than using one of the existing payloads I chose to use a legitimate subscription email I had and modify it. The benefit is that I could add and test the QR Code creation process in my browser without having to do a lot of iteration through Attack Sim. This ended up paying off because I did everything in the Don’t waste time section, which consumed a lot of time. However, it is really up to you to decide how custom you want to go.

subscription email

This is the legitimate subscription email I used and I modified it to remove some of the account specific details, but still seem reasonable.

phishing email

You can see the HTML version of this here or download just the custom payload portion here.

Dynamic QR Code Service

When the phishing simulation executes, along with using the phishing URL of your choice a string of dynamic data is also added, thus you cannot pre-create the QR Code.

Note: My initial intent was to use qrcode.js, but I discovered that the Attack Simulation Payload creation form removed <script ... tags and even trying to do things like < script ... to dodge the parsing failed.

I found QRCoder which is a .NET project that allows for dynamic creation of the QR Code. Pulling a few classes AbstractQrCode, PngByteQrCode, QrCodeData, and QrCodeGenerator were sufficient to build a basic web service that could accept the dynamic url and generate the QR code.

Completed Payload

After pushing the service and creating the custom payload you are now ready to move forward with QR Phishing Simulation.

Attack Sim Content Library Tenant Payload

Attack Simulation

Next create an attack simulation using your custom payload.

select custom payload

Because this uses Microsoft branding and subscription related phishing attack select a Microsoft Login page as the landing page as well.

select microsoft login landing page

Now complete and run your simulation.


Once the simulation runs the phishing email appears in the users inbox.

attack sim phishing email

Looks very believable and has just enough sense of urgency for the user to quickly scan and log in.

phishing login screen

Once the login is complete we see the page alerting the user about the sucessful phishing action.

phishing fail

Finally, the appropriate training email is sent to the user.

phishing training assigned