Attackers targeted a major US energy company with a phishing campaign that overall sent more than 1,000 emails armed with malicious QR codes aimed at stealing Microsoft credentials.

The campaign, discovered by Cofense in May, used both PNG image attachments and redirect links associated with Microsoft Bing and well-known business applications — including Salesforce and CloudFlare’s Web3 services — with embedded QR codes, the researchers revealed in a post published today.

The messages used lures aimed at fostering a sense of urgency, spoofing Microsoft security alerts and claiming that recipients were required to update their account’s security settings associated with two-factor authentication (2FA) and multi-factor authentication (MFA), among others. The images and links included within the messages ultimately sent victims to a Microsoft credential phishing page.