09 March, 2026

The CPX Threat Intel team (FalconWatch) has identified a large-scale QR‑code phishing (“quishing”) campaign targeting multiple organizations and sectors. The activity is characterized by highly repeatable URL construction, business‑themed lures, and infrastructure consistent with phishing‑as‑a‑service (PhaaS) operations.
The campaign leverages QR codes embedded in email attachments to redirect victims to fake Microsoft 365 authentication portals, where credentials and authenticated sessions are harvested.

Figure 1: QR-code in email attachment
Evidence indicates the reuse of standardized phishing templates, automated victim tracking, and Cloudflare‑fronted infrastructure designed to evade traditional defenses and hinder sandbox analysis.

Figure 2: Sample 1: Credential harvesting page

Figure 3: Sample 2: Credential harvesting page
The campaign is assessed to be operated via the FlowerStorm phishing‑as‑a‑service (PhaaS) platform, which provides built‑in Adversary‑in‑the‑Middle (AiTM) capabilities. This enables attackers to intercept authentication sessions in real time, capture credentials, and bypass multi‑factor authentication (MFA), resulting in persistent account compromise across affected tenants.
The campaign relies on business-plausible, high-urgency themes designed to trigger fast action. Beyond the usual lures in the email subject and body, analysis of the subdomains shows a consistent pattern of enterprise-process impersonation, in which attackers deliberately use terms associated with Microsoft 365 services, HR and payroll workflows, document sharing, security, and internal administration.
These subdomains often use long concatenated phrases, generic internal-system naming, and intentional misspellings, which both mimic real SaaS or vendor portals and help evade simple keyword or brand-based detection.
Psychologically, they exploit employees' expectation that such actions are routine business tasks, lowering suspicion and raising click-through rates. Operationally, the same naming conventions can be reused across many domains, which lets attackers scale campaigns and blend malicious infrastructure into everyday enterprise web traffic.
Phishing URL construction pattern
Across multiple domains, CPX observed a canonical phishing URL structure:
    https://<lure_subdomain>.<domain>.<tld>/<5-character token>/?e=<victim_email>
High‑signal indicators
The same elements recur across otherwise unrelated domains: a lure subdomain, a fixed-length five-character path token, and a ?e= parameter carrying the recipient's email address. This repeatability strongly indicates campaign automation rather than bespoke phishing pages per target.
Campaign automation and tracking
By keeping the landing page constant and varying only the ?e= parameter, operators can track which recipient reached the page (the automated victim tracking noted above) while reusing a single landing page across targets.
This operational model aligns with known PhaaS ecosystems targeting Microsoft 365 environments. The CPX Threat Intel team assesses with moderate to high confidence that this activity is either FlowerStorm‑based or operated by a closely related PhaaS ecosystem reusing similar tooling.
Microsoft Defender hunting for QR-code derived URLs
    // Look for QR-code sourced URLs containing the distinct ?e= pattern
    EmailUrlInfo
    | where UrlLocation == "QRCode"                       // URL was extracted from a QR code in the message
    | where Url has "?e="                                 // cheap prefilter on the victim-tracking parameter
    | where Url matches regex @"\/[A-Za-z0-9]{5}\/\?e="   // five-character path token immediately followed by ?e=
These controls directly reduce exposure to QR‑based AiTM phishing campaigns.
The following domains were identified as active infrastructure associated with this campaign.
| Type | Value |
| --- | --- |
| Domain | onedrivesalaryassessment[.]digitaltrustbase[.]de |
| Domain | work[.]dim[.]com[.]de |
| Domain | workorder[.]dim[.]com[.]de |
| Domain | secure[.]directandclear[.]de |
| Domain | agrreeementt[.]powerfulpresence[.]de |
| Domain | secure[.]innovativewege[.]de |
| Domain | reviewed[.]innovativewege[.]de |
| Domain | login[.]whisperingwater[.]de |
| Domain | welahaavagcafghj[.]interfaceswithmeaning[.]de |
| Domain | staff__update__2026_[.]clarityfirstdigital[.]de |
| Domain | m365fileshare[.]hourlychimes[.]de |
| Domain | lordhelpme[.]directandclear[.]de |
| Domain | ___staff_update_2026_[.]clarityfirstdigital[.]de |
| Domain | aqusjf[.]simplelayout[.]de |
| Domain | staff_update_2026[.]efficiencystrength[.]de |
| Domain | depthumanresources[.]notebooksanddreams[.]de |
| Domain | __staff_update[.]clarityfirstdigital[.]de |
| Domain | adobe[.]notebooksanddreams[.]de |
| Domain | mail[.]whispersofhope[.]de |
| Domain | humandeptnotifications[.]notebooksanddreams[.]de |
| Domain | secured[.]innovativewege[.]de |
| Domain | review[.]innovativewege[.]de |
| Domain | hajasshshsushshmmm365docpdf[.]professionalidentityhub[.]de |
| Domain | humaneresourcesbenefit[.]notebooksanddreams[.]de |
| Domain | officemahost[.]tuesdays[.]com[.]de |
| Domain | outlookonline[.]bagsoffernweh[.]de |
| Domain | humanresourcesnotification[.]notebooksanddreams[.]de |
| Domain | hrdepartiment[.]notebooksanddreams[.]de |
| Domain | readyaccess[.]morningraindrops[.]de |
| Domain | drives[.]whisperingwater[.]de |
| Domain | enrolls[.]whisperingwater[.]de |
| Domain | humanresourcesdepartment[.]notebooksanddreams[.]de |
| Domain | staff_update_2026[.]clarityfirstdigital[.]de |
| Domain | othersystemdoc[.]flickered[.]com[.]de |
| Domain | booksss[.]federaltechlaw[.]co[.]uk |
| Domain | count[.]innovativewege[.]de |
| Domain | yaoff[.]hourclock[.]de |
| Domain | meetingapprovedinvitaiondeadline[.]breathingnight[.]de |
| Domain | auth[.]bagsoffernweh[.]de |
| Domain | staff_changes_for_2026[.]clarityfirstdigital[.]de |
| Domain | drive[.]whisperingwater[.]de |
| Domain | addoc-click[.]securecommonoauth2v20authorize[.]com |
| Domain | office[.]whisperingwater[.]de |
| Domain | hr_adjustment_records[.]clarityfirstdigital[.]de |
| Domain | payrollfeedback[.]digitaltrustbase[.]de |
| Domain | safesitte[.]innovativewege[.]de |
| Domain | faxfileshareddocxofflcedocuments[.]barebonesweb[.]de |
| Domain | hr_adjustment_record[.]clarityfirstdigital[.]de |
Our team continuously tracks emerging phishing, credential theft, and adversary infrastructure trends affecting enterprise environments. This blog is intended to support detection engineering, incident response, and strategic risk reduction.