Attackers are using Iran conflict-themed emergency alerts to trick targets into scanning QR codes and entering Microsoft credentials on a fake login page. The emails impersonate government authorities, mark the warning “SEVERE / ACTIVE,” and dangle supposed shelter and evacuation instructions to push people into acting fast.
According to a Monday blog post by researchers at Cofense, the email used the subject line “Public Safety Advisory – Action Recommended” and came from a sender at a domain unrelated to any government agency. After a victim scans the QR code, the flow moves first to a “human verification” page and then to a Microsoft-branded credential-harvesting page designed to look familiar and legitimate.
The campaign matters less for its technical novelty than for how cleanly it combines three tactics that keep working: fear, authority and convenience. The attackers lean on a real-world crisis, hide the malicious destination behind a QR code and then use a recognizable Microsoft login screen to close the deal. That makes the campaign a useful reminder that “quishing” lures are not just consumer scams; they are increasingly built to capture enterprise credentials too.
Cofense published several indicators tied to the campaign, including sharedfilescorps[.]com infrastructure and a wivoumea[.]ru URL used in later stages. Cofense recommends blocking the listed infrastructure, treating unsolicited QR-code instructions as suspicious, and verifying any emergency notice through an official government site or known channel rather than through an email prompt.
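As an added example (not from Cofense or the original article), the blocking step can be sketched as a check that refangs the two domains named above and tests URLs decoded from QR codes against them. QR decoding is assumed to happen upstream in the mail pipeline; the function names, message layout and sample URL paths are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators and subject line exactly as given in the article (kept defanged).
DEFANGED_INDICATORS = ["sharedfilescorps[.]com", "wivoumea[.]ru"]
LURE_SUBJECT = "Public Safety Advisory – Action Recommended"

def refang(value):
    """Turn a defanged indicator (hxxp, [.], [:]) back into a parseable form."""
    out = value.strip().replace("[.]", ".").replace("[:]", ":")
    if out.lower().startswith("hxxp"):
        out = "http" + out[4:]
    return out

BLOCKED = {refang(d).lower() for d in DEFANGED_INDICATORS}

def host_of(url):
    """Lower-cased hostname of a URL; tolerates a missing scheme or userinfo."""
    url = refang(url)
    if "://" not in url:
        url = "//" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. stray brackets
        return ""
    return host.rstrip(".").lower()

def matched_indicator(url):
    """Return the blocked domain the URL's host falls under, or None."""
    host = host_of(url)
    for domain in BLOCKED:
        # Exact or subdomain match only; a substring test would also flag
        # unrelated hosts that merely contain the indicator text.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def triage(message):
    """message: {'subject': str, 'qr_urls': [str]}, a hypothetical layout."""
    findings = []
    if message.get("subject", "").strip().lower() == LURE_SUBJECT.lower():
        findings.append("subject matches reported lure")
    for url in message.get("qr_urls", []):
        hit = matched_indicator(url)
        if hit:
            findings.append("QR URL under blocked domain " + hit)
    return findings

if __name__ == "__main__":
    # Constructed sample message; the URL path is a placeholder.
    sample = {"subject": LURE_SUBJECT,
              "qr_urls": ["hxxps://login.sharedfilescorps[.]com/placeholder"]}
    print(triage(sample))
```

Matching on the parsed hostname rather than on the raw string means a URL that puts a trusted name in the userinfo part, or an indicator string in the path of an unrelated host, is classified by where it actually resolves.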