Lately, my organization has been dealing with QR Codes embedded in Word documents arriving via email. Initially, these emails were coming from within our users' mailboxes, which we managed to stop by disabling direct send in O365. However, we've now started receiving similar emails from external senders. While the SHA values and document names vary, the email format remains consistent. Our DMARC and SPF settings are correctly passing, and the domains are not on any bad lists. I reported this as a false negative to Mimecast on Monday, but we're still facing issues. I'm looking for reliable methods to stop these QR Codes altogether, and I'm open to solutions within O365 as well.
3 Answers
Make sure to enable URL protection in Mimecast, as it helps analyze QR codes that might direct to malicious sites. Additionally, continue to report these emails to Mimecast and consider reaching out to their support team for further assistance. Aside from blocking DOCX attachments, you might not have too many options for content analysis. Also, using Advanced Hunting in Microsoft Defender for 365 could help monitor any URLs from QR codes and notify your team when it detects them, keeping you on top of the situation.
We've been struggling with Mimecast too; it feels like things have deteriorated over the past year. I'm interested to see if others are experiencing an uptick in unwanted emails despite having all the recommended security settings activated.
I've just taken over this environment, and while it's simpler than Proofpoint, I'm starting to see why some prefer it. Proofpoint definitely seems more robust.
Consider blocking or holding those QR codes directly in Mimecast. They provide good guidance on how to do this, which can prevent future issues.
I found that knowledge base article and implemented those steps. It'll at least help reduce the flow until I get more information from support.
I've just taken over this setup and have been waiting for feedback from Mimecast. I turned on URL protection sandboxing, and it seems to be improving the situation a bit with my initial testing.