MDO Hunting - Quishing (QR Phishing) and Suspicious Images
MDO 12 Quishing QR Phishing Images
Query
EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileType in~ ("png","jpg","jpeg","gif","bmp","svg")
| join kind=inner (
EmailEvents
| where EmailDirection == "Inbound"
| where UrlCount <= 1
| where ThreatTypes has "Phish" or DetectionMethods has_any ("Spoof","Impersonation")
| project NetworkMessageId, Subject, SenderFromAddress, RecipientEmailAddress, DeliveryAction
) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, FileName, FileType,
Subject, DeliveryAction
| sort by Timestamp descExplanation
This query is designed to detect a specific type of phishing attack known as "quishing," where QR codes are used to hide malicious URLs within image attachments in emails. Here's a simple breakdown of what the query does:
-
Data Source: It uses data from Microsoft Threat Protection, specifically looking at email attachment information and email events.
-
Time Frame: The query examines emails from the past 7 days.
-
File Types: It focuses on image files, such as PNG, JPG, JPEG, GIF, BMP, and SVG, which are common formats for QR codes.
-
Email Filtering: It filters for inbound emails that have:
- Few or no URLs (1 or fewer).
- Indicators of phishing or impersonation, such as being flagged for phishing threats or detected through spoofing or impersonation methods.
-
Data Joining: It combines information from email attachments and email events based on a common identifier (NetworkMessageId).
-
Output: The query outputs details such as the timestamp, sender's address, recipient's address, file name and type, email subject, and delivery action, sorted by the most recent emails.
-
Purpose: The goal is to identify emails that might be using images to conduct phishing attacks, particularly those that might contain QR codes leading to malicious sites. This helps in early detection and response to potential security threats.
Details

David Alonso
Released: July 17, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques