{"id":10551,"date":"2025-10-10T13:29:12","date_gmt":"2025-10-10T06:29:12","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10551"},"modified":"2026-02-05T13:29:19","modified_gmt":"2026-02-05T06:29:19","slug":"chien-dich-quishing-nham-vao-nguoi-dung-microsoft-phat-tan-ma-doc-qua-qr-code","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/10\/10\/chien-dich-quishing-nham-vao-nguoi-dung-microsoft-phat-tan-ma-doc-qua-qr-code\/","title":{"rendered":"Quishing campaign targets Microsoft users, spreading malware via QR codes"},"content":{"rendered":"<p><b>A new phishing campaign is hiding behind QR codes that \u201clook legitimate\u201d and appear to be sent by Microsoft. Breaking out since early October 2025, the campaign uses emails impersonating Teams, Office 365 and Authenticator to lure users into scanning a code to \u201cactivate security\u201d or \u201cfix an account error\u201d. 
With a single simple scan, users unwittingly open the door for spyware to infiltrate their device.<\/b><\/p>\n<div style=\"text-align: center\"><img fetchpriority=\"high\" decoding=\"async\" class=\"bbImage \" title=\"1760083285941.png\" src=\"https:\/\/whitehat.vn\/data\/attachments\/18\/18066-43f29188d64456888540caae58fe47fe.jpg\" alt=\"1760083285941.png\" width=\"714\" height=\"400\" \/><\/div>\n<p>Because these notifications look identical to genuine Microsoft mail, many users drop their guard and follow the instructions, which leads them to a malicious website hosting information-stealing malware.<\/p>\n<p>Researchers at Gen Threat Labs discovered the campaign after observing numerous fake emails carrying Microsoft branding in enterprise environments. 
The main targets are Office 365\/Teams users and organizations that encourage the use of QR codes for multi-factor authentication. The attackers exploit trust in the logo and email format, and also use compromised infrastructure (for example, a hijacked Azure CDN node) to distribute the malware.<\/p>\n<p>The basic attack scenario: the victim receives an email containing a QR code and scans it with a phone; the QR code returns a shortened URL, which redirects through an environment-checking script. The script checks several indicators (system language, Defender version, sandbox) to avoid virtual machines and automated analysis. If the environment is \u201cclean\u201d, a packaged infostealer is downloaded and persistence is established with a scheduled task named \u201cMSAuthSync\u201d. This lets the program run again whenever the user logs in, harvesting passwords, cookies and host information and sending them to the attacker\u2019s server over HTTPS.<\/p>\n<p>The campaign\u2019s dangerous innovation is its technique for evading QR inspection: instead of a single QR image, the attackers split the code into two image layers overlaid on each other inside a PDF. 
Ordinary QR scanners or static decoders either skip the code or are thrown off by the unusual colors and format; the malware uses a custom parser to merge the two layers (for example, by choosing the brighter pixel of the two) and then decodes the hidden URL string. This is a form of \u201cweaponized barcode\u201d that slips past antivirus systems and automated inspection.<\/p>\n<p>The campaign both steals passwords and uses the malware to collect telemetry, laying the groundwork for deeper attacks (lateral movement) in enterprise environments. Because the lure impersonates Microsoft and relies on QR codes, the success rate can be high, especially among less vigilant users. The environment-checking script also makes early detection difficult.<\/p>\n<p>A QR code is not inherently safer than a URL; it is only a different presentation. When organizations encourage the use of QR codes for MFA, they must weigh the accompanying risk (scanning unknown codes with personal devices). 
Compromised CDN infrastructure or third-party services are another weak point: an email bearing a legitimate logo but linking to a compromised resource can fool many people.<\/p>\n<p>Cybersecurity experts advise users:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Do not scan QR codes from emails or notifications if you are unsure of their origin.<\/li>\n<li data-xf-list-type=\"ul\">When a QR code asks you to open a URL, check the domain name carefully (do not rely on the logo in the email).<\/li>\n<li data-xf-list-type=\"ul\">Organizations should restrict QR-based MFA enrollment to managed devices, recommend official channels (the app store) and teach users how to verify.<\/li>\n<li data-xf-list-type=\"ul\">Protect endpoints: enable Windows updates, configure Defender, and monitor for unusual scheduled tasks (for example \u201cMSAuthSync\u201d).<\/li>\n<li data-xf-list-type=\"ul\">Train staff: run phishing drills and warn about scanning QR codes found in email.<\/li>\n<li data-xf-list-type=\"ul\">If you suspect you have been tricked, disconnect from the network, run an antivirus scan and, if necessary, change your passwords and MFA keys from a safe device.<\/li>\n<\/ul>\n<p>This \u201cQR quishing\u201d campaign reiterates a simple truth: convenient technology does not mean safe technology. 
QR codes are a convenient tool but can be abused; as the community moves to new authentication methods, the race between attack and defense will only intensify. Users and organizations need to raise their vigilance and add a simple verification step before \u201cscanning\u201d; paying attention to one small action can avert a major disaster.<\/p>\n<div style=\"text-align: right;margin-top: 16px\"><i>Source: <a href=\"https:\/\/whitehat.vn\/threads\/chien-dich-quishing-nham-vao-nguoi-dung-microsoft-phat-tan-ma-doc-qua-qr-code.18825\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/whitehat.vn\/threads\/chien-dich-quishing-nham-vao-nguoi-dung-microsoft-phat-tan-ma-doc-qua-qr-code.18825\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new phishing campaign is hiding behind QR codes that \u201clook legitimate\u201d and appear to be sent by Microsoft. 
Breaking out since early October 2025, the campaign uses emails impersonating Teams, Office 365 and Authenticator to lure users into scanning a code to \u201cactivate security\u201d or \u201cfix [&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10551","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10551"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10551\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}