Researchers at Fortinet warn that a phishing campaign is impersonating the Chinese Ministry of Finance. The phishing emails carry a Microsoft Word document containing a QR code that leads to a credential-harvesting site.

“A QR code requires an application to read and translate it into something actionable,” the researchers write. “Most mobile phones have this functionality through their camera, and software packages are available on all major platforms to do this from a computer. In each of the examples FortiGuard Labs found, the QR code contained in the Microsoft Word attachments provided a URL for the user to follow. When the user does this using their desktop platform or mobile device, they arrive at a website controlled by the threat actor.”

The QR code leads to a spoofed login page for DingTalk, the Chinese business communication app.

“It is a spoofed facsimile of a DingTalk instance (it should be noted that as of the publication date, this site is now offline),” Fortinet says. “DingTalk is a broadly used enterprise communication platform developed by Alibaba Group. Given the reach of the platform and its large number of users, credentials for it would be valuable. The user is directed to a pop-up message box that suggests their DingTalk account has committed some unspecified business violation(s) and that it will be frozen without verification in 24 hours. After acknowledging the message box, the user is invited to enter their credentials to address the issue.”

Fortinet concludes that users can avoid falling for these attacks by following security best practices.

“These attacks will undoubtedly be prevalent for some time,” the researchers write. “Users are cautioned to verify emails, not open attachments or links, and never enter credentials into a site they have not seen before. Rather than using a received link, users are encouraged to go to the known main site of the vendor to conduct any business. Users can also hover over a link to look for an unusual URL. Organizations are also encouraged to provide training to users to help them identify and avoid malicious email attachments and links.”
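The two defensive checks below are an added example and not code from Fortinet or from the campaign write-up. A Word attachment is a zip archive, so any QR image it carries sits under `word/media/` and can be pulled out for a decoder; decoding the image itself needs a library such as pyzbar or OpenCV, which is not assumed here, so the decoded URL is treated as a constructed input. The vendor allowlist (`dingtalk.com`), the sample `.docx`, and the sample URLs are all constructed for the example.

```python
"""Defensive triage for QR-code phishing carried in Word attachments.

Added example, not Fortinet's code. Assumes a separate QR decoder turns the
extracted image into a URL string; everything else is standard library.
"""
from __future__ import annotations

import io
import ipaddress
import zipfile
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains a user is expected to visit.
KNOWN_VENDOR_HOSTS = {"dingtalk.com"}


def extract_media(docx_bytes: bytes) -> list[tuple[str, bytes]]:
    """Return (name, content) for every image embedded in a .docx.

    Embedded pictures, including any QR code image, live under word/media/
    inside the zip container. Each blob is what a QR decoder would receive.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [
            (info.filename, zf.read(info.filename))
            for info in zf.infolist()
            if info.filename.startswith("word/media/") and not info.is_dir()
        ]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the .com cases here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url: str, known_hosts: set[str] = KNOWN_VENDOR_HOSTS) -> dict:
    """Classify a URL decoded from a QR code against the known vendor hosts.

    Verdict is 'allow' only for https URLs on a known vendor domain (or a
    subdomain of it), 'review' for a known domain with oddities, and 'block'
    for any other host. 'reasons' lists every suspicious signal found.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: list[str] = []

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if not host:
        reasons.append("no host in URL")
        return {"host": host, "domain": "", "reasons": reasons, "verdict": "block"}

    try:  # a bare IP address is never how a vendor hands out a login page
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a hostname")
    except ValueError:
        pass
    if "xn--" in host:  # punycode label: possible homoglyph look-alike
        reasons.append("punycode label (possible homoglyph domain)")
    if parts.scheme == "http":
        reasons.append("plain http")

    domain = registrable_domain(host)
    trusted = domain in known_hosts
    if not trusted:
        reasons.append(f"registrable domain {domain!r} is not a known vendor host")
        # The brand name inside an unrelated domain is a classic spoof signal.
        for vendor in known_hosts:
            brand = vendor.split(".")[0]
            if brand in host:
                reasons.append(f"brand {brand!r} appears in a non-vendor host")

    if not trusted:
        verdict = "block"
    else:
        verdict = "review" if reasons else "allow"
    return {"host": host, "domain": domain, "reasons": reasons, "verdict": verdict}


def build_sample_docx() -> bytes:
    """Constructed minimal .docx with one embedded image standing in for a QR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in extract_media(build_sample_docx()):
        print(f"candidate QR image: {name} ({len(blob)} bytes)")
    # Constructed decoded URLs; the first is what the user should reach,
    # the others are the kinds of hosts a spoofed instance tends to use.
    for u in ("https://oa.dingtalk.com/login",
              "https://dingtalk-verify.example/login",
              "http://203.0.113.10/dingtalk/"):
        print(u, "->", triage_url(u))
```

In a gateway the `extract_media` output would be fed to the QR decoder and every decoded string passed through `triage_url`; a `block` verdict is a reasonable trigger to quarantine the message, while `review` flags a vendor-domain URL that still deserves a look.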