top of page

Sophisticated QR-based fresh phishing bait

A new phishing email, purported to be from Microsoft and containing a QR code rather than the traditional phishing links, has been successfully delivered to mailboxes recently.

Recipients were encouraged to “authenticate themselves” within 2 days by scanning the code on a smartphone.

Cyber security specialists have analysed the QR code and the domain linked by the code and have discovered that a hugely sophisticated credential harvesting process commences when scanned.

Having utilised a desktop-based QR code reader, the cyber specialists were able to investigate where the code would direct a user. The user is taken to a version of a login page of Microsoft's forward-facing web pages.

The actors replicated images and even the correct IT service desk phone numbers around the login pane. The only tell-tale sign that the page could be malicious is the URL pane at the top of the page.

Upon entering a password, the user is redirected through various webpages that are almost like-for-like renders of those on genuine Microsoft domains, even allowing the user to click on information and see genuine rendered Microsoft adverts.

Selecting the “Forgot my password” option also takes users to a convincing password reset page, complete with a Captcha section.

The level of detail and sophistication in relation to the rendering of images from an organisation and the mimicking of Microsoft pages is high, and the use of a QR code, coupled with these tactics, increases the chances that a campaign will succeed.

Remediation & Mitigation

After analysing the number of these emails, organisations are advised to block traffic to and from the domain china-goldlink[.]com and to spread awareness of QR codes as an attack vector to all personnel.

At the time of writing, the webpages appear to have been taken offline. However, they are expected to be rotated as per phishing tactics.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page