Quishing (QR-code phishing) mail image. /Courtesy of East Security Blog

A phishing mail impersonating Microsoft (MS) multi-factor authentication (MFA) is being circulated, so users need to be vigilant.

According to the information and communications technology (ICT) industry on the 16th, East Security reported that a phishing method is spreading that lures users into visiting a phishing site by scanning a QR code with their smartphones. The phishing mail discovered this time is being distributed under the subject line 'Ticket# QQL0ISI - MFA | 09 July, 2025.'

According to East Security, the mail claims that the multi-factor authentication for the recipient's email account is about to expire and prompts the user to scan a QR code to connect to Microsoft 365 services. When the user scans the QR code in the email, they are taken to a phishing site created by the attacker, which first shows a CAPTCHA screen, leading the user to believe they are on a legitimate site.

After completing the CAPTCHA, the user is redirected to a phishing page disguised as the Microsoft account login page, which lures them into entering their account password. When the user, mistaking it for a legitimate login page, enters their password, a message stating that the password is incorrect is displayed and the user is prompted to try again. When the user re-enters the password, the account appears to be temporarily locked and a fake message asks them to try again later, according to East Security.

East Security explained that the attackers used obfuscated code to hinder analysis of the phishing page, and that this code also performs various evasion functions, such as blocking automated tools and specific key inputs.
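A mail-gateway heuristic for the lure described above, as an added example that is not from East Security or the article: it parses a raw message and flags the combination of MFA/expiry wording in the subject and body, an inline image (the QR code) and no clickable link in the text, which is what distinguishes a QR-only lure from an ordinary notification. The keyword lists and the sample message are constructed for illustration.

```python
import email
import re
from email import policy

# Indicators of the QR-code ("quishing") MFA lure described above; constructed
# heuristics, so tune the keyword lists and decision rule for your environment.
SUBJECT_RE = re.compile(r"\b(MFA|multi[- ]factor|2FA)\b", re.I)
BODY_RE = re.compile(r"\b(scan|QR)\b.*\b(expir\w*|renew)\b", re.I | re.S)
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}

def quishing_signals(raw_eml: str) -> dict:
    """Parse a raw RFC 5322 message and report each indicator found."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body_text, images = "", 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body_text += part.get_content()
        elif ctype in IMAGE_TYPES:
            images += 1
    return {
        "mfa_subject": bool(SUBJECT_RE.search(msg.get("Subject", ""))),
        "scan_expiry_body": bool(BODY_RE.search(body_text)),
        "inline_image": images > 0,
        # A QR-only lure carries no clickable http(s) link in the text body.
        "no_text_link": re.search(r"https?://", body_text, re.I) is None,
    }

def is_suspected_quishing(raw_eml: str) -> bool:
    """Flag only when every indicator is present, to keep false positives low."""
    return all(quishing_signals(raw_eml).values())

# Constructed sample modelled on the reported lure (the base64 is a stub, not a real QR).
LURE_EML = """\
Subject: Ticket# QQL0ISI - MFA | 09 July, 2025
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your multi-factor authentication expires today.
Scan the QR code below with your phone to renew access to Microsoft 365.
--b1
Content-Type: image/png; name="qr.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""
```

Run `is_suspected_quishing(LURE_EML)` to see the sample flagged; a notification that carries a plain link and no image returns False.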

※ This article has been translated by AI.