SOC251 Investigation | QR Code Phishing (Quishing) Attack Detected | LetsDefend SOC
In this video, we investigate SOC251 – Quishing Detected (QR Code Phishing) (EventID 214) on LetsDefend. This alert involves a phishing email impersonating a mandatory MFA security update. Instead of a traditional malicious link, the attacker embedded a QR code that redirected users to a credential harvesting page hosted on IPFS infrastructure.

🔍 Incident Overview

An employee received an email titled: “New Years Mandatory Security Update – Implementing Multi Factor Authentication (MFA)”. The email contained a QR code. After decoding, the QR code redirected to a known phishing site designed to steal credentials.

- Malicious infrastructure hosted via ipfs.io
- Sender spoofed a security-related domain
- IP reputation confirmed malicious association
- Email successfully delivered to inbox
- No confirmed endpoint compromise
- No internal network connections observed to attacker IPs

🧠 MITRE ATT&CK Techniques Observed

- Initial Access: T1566 – Phishing
- Credential Access: T1556 – Modify Authentication Process
- Command & Control: T1102 – Web Service
- Defense Evasion: T1036 – Masquerading

🚨 Key SOC Considerations

- QR codes can bypass traditional URL filtering
- Users may scan codes using personal devices (outside enterprise visibility)
- IPFS hosting adds infrastructure resilience for attackers
- Even without evidence of login activity, precautionary password resets are recommended

✅ Final Outcome

Verdict: True Positive

- Phishing email confirmed
- No endpoint compromise observed
- No internal access detected
- Password reset & user awareness recommended

🎯 What You’ll Learn

- How QR code phishing attacks work
- Why quishing is harder to detect than traditional phishing
- How SOC analysts decode and investigate QR payloads
- Identifying IPFS-based phishing infrastructure
- Proper containment and scope validation steps

📌 Alert Details

- Rule: SOC251 – Quishing Detected (QR Code Phishing)
- Severity: Medium
- EventID: 214
- Category: Exchange / Email Security

🔐 Disclaimer

For educational and defensive security purposes only.
📁 My SOC Investigation Portfolio: https://inksec.io
🔗 LinkedIn: / tate-pannam-8b64b23a3

Currently building toward SOC Analyst L1 role in Melbourne. 100+ documented investigations | CDSA Certified | BTL1 in progress
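For the "Identifying IPFS-based phishing infrastructure" point above, here is an added triage sketch (not code from the video or from LetsDefend) that classifies a URL already decoded from a QR code by how it references IPFS content. It generalizes beyond the ipfs.io path form named in the description to subdomain gateways and the native `ipfs://` scheme; the function name, the sample URLs and the placeholder CIDs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# CIDv0 is 46 base58 chars starting "Qm"; CIDv1 in base32 starts with "b".
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{20,})$")


def classify_qr_url(url):
    """Report whether a decoded QR URL points at IPFS-hosted content."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    segs = [s for s in parts.path.split("/") if s]
    hit = {"ipfs": False, "style": None, "gateway": None, "cid": None}

    if parts.scheme == "ipfs" and CID_RE.match(parts.netloc):
        # Native scheme, ipfs://<cid>/... (netloc keeps the CID's case).
        hit.update(ipfs=True, style="native", cid=parts.netloc)
    elif len(segs) >= 2 and segs[0] == "ipfs" and CID_RE.match(segs[1]):
        # Path gateway, https://<gateway>/ipfs/<cid>/...
        hit.update(ipfs=True, style="path", gateway=host, cid=segs[1])
    elif len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
        # Subdomain gateway, https://<cid>.ipfs.<gateway>/...
        hit.update(ipfs=True, style="subdomain",
                   gateway=".".join(labels[2:]), cid=labels[0])
    return hit


# Constructed sample values; the CIDs are placeholders, not real content.
CID_V0 = "Qm" + "a" * 44
CID_V1 = "bafy" + "a" * 55
SAMPLES = [
    f"https://ipfs.io/ipfs/{CID_V0}/login.html",
    f"https://{CID_V1}.ipfs.dweb.link/",
    f"ipfs://{CID_V1}",
    "https://example.com/ipfs-docs/page",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u[:40], classify_qr_url(u))
```

A match is a hunting signal rather than a verdict: the extracted CID stays the same across gateways, so it is a more stable pivot for mailbox and proxy-log searches than the gateway hostname.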