Train your users to be more resilient against QR code phishing

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

QR codes are becoming more popular as a convenient way to access information, services, and products. As a result, bad actors are also using them to trick individuals into scanning malicious codes that can compromise the individual’s devices, accounts, or data. This increasing trend underscores the critical role of end users staying proactively vigilant to avoid these threats.

Defender for Office 365 offers comprehensive email security, which includes providing the latest training content about realistic cyber security and social engineering attacks to enable organizations to inform and educate their users. We are thrilled to announce that in partnership with Fortra’s Terranova Security, we have launched two new QR code phishing training modules aimed at educating users against QR code-based phishing attacks.  

Attack Simulation Training is an intelligent phish risk reduction tool that measures behavior change and automates deployment of an integrated security awareness training program across an organization. It is available with Microsoft 365 E5 or Microsoft Defender for Office 365 P2 plan.  


The training modules are:

  • Malicious Printed QR Codes
  • Malicious Digital QR Codes


In both training modules, the characters encounter QR codes in a workplace setting and are given options to take actions that mimic real-world scenarios. These trainings can help individuals in your organization recognize and be vigilant against QR code attacks in their professional and personal lives, and protect your organization as a result. These training modules can be assigned to users as part of a phishing simulation campaign or as part of a training-only campaign.

The training modules are available to preview under [Content library] > [Training modules]. 

The QR training modules are only available in English at this time.  

Additional QR Guidance 

For additional QR code guidance through Attack Simulation Training, we also have a global “How-to Guide” about recognizing QR code attacks. How-to Guides are designed to provide lightweight guidance to end users on how to report a phishing message directly through email.

To create a How-to Guide:  

  • Create a new simulation and then select “How-to Guide” as the technique 

To preview the QR code How-to Guide: 

  • Access [Content library] > [Payloads] 
  • Search for “Teaching Guide: How to recognize and report QR phishing messages”



You can either use the How-to Guide directly or customize it by selecting copy payload and editing it based on your preferences.


Additional language support 

We have also updated our language options for the following training modules: Teams Phishing, Understanding App Consent Request, Double Barrel Phishing Attack, and Stegosploit. These trainings are now available in 37 languages, including Arabic, Chinese, French, German, Hindi, Japanese, Portuguese, Russian, Spanish, and more. We hope that this will help your organization reach more of your global workforce and provide them with relevant and engaging security awareness training in their preferred language. 

We hope you enjoy checking out the new training modules and we look forward to your experience and feedback! 

Want to learn more about Attack Simulation Training? 

Get started with the available documentation today and you can read more details about new features in Attack Simulation Training. 

If you would like to participate in a Private Preview for QR code-based simulations using Attack Simulation Training, please join our Customer Connection Program and sign up for the preview slated for CY24Q1.

If you have other questions or feedback about Microsoft Defender for Office 365, engage with the community and Microsoft experts in the Defender for Office 365 forum. 


