bkarl
Staff
June 3, 2026

Technical Tip: FortiMail QR code URL scan is not identifying phishing emails


Description

This article describes a scenario where FortiMail's QR Code URL Scan feature does not identify phishing emails whose malicious QR code is drawn with HTML characters in the body of the email. The feature does not detect these emails even though the QR Code URL Scan option is enabled in the security profile.

Scope

FortiMail.

Solution

To mitigate this issue, configure a dictionary profile under Content Monitor and Filtering in the Content Profile. Add the character \u2588 ('█') as a dictionary entry and set the minimum score to around 20. This allows FortiMail to block emails based on detection of the QR code pattern.


Go to Content Profile -> Content Monitor and Filtering -> Dictionary Profile.


Add the character as a dictionary entry: (Entry: '█', String: '█').


Set the minimum score to around 20.

Example detection log: Identified by Content Profile; Dictionary: test Score: 20 (Entry: '█', String: '█').
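To check sample messages against this workaround before relying on it, the following added example (not Fortinet code) counts U+2588 in a message's text parts after MIME and HTML-entity decoding and compares the total with the minimum score of 20. The one-point-per-occurrence scoring and the function names are assumptions, and the sample messages are constructed.

```python
import html
from email import message_from_bytes, policy
from email.message import EmailMessage

FULL_BLOCK = "\u2588"  # character the article adds as the dictionary entry
MIN_SCORE = 20         # minimum score suggested in the article


def block_char_score(raw_message: bytes) -> int:
    """Count U+2588 across all text parts of a raw RFC 5322 message.

    Assumption: one point per occurrence; FortiMail's own scoring may differ.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    score = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()   # undoes base64 / quoted-printable
        text = html.unescape(text)  # &#9608; and &#x2588; become U+2588
        score += text.count(FULL_BLOCK)
    return score


def would_match(raw_message: bytes, min_score: int = MIN_SCORE) -> bool:
    """True when the message reaches the dictionary threshold."""
    return block_char_score(raw_message) >= min_score


def build_sample(body_html: str) -> bytes:
    """Build a constructed test message with a base64-encoded HTML body."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content(body_html, subtype="html", cte="base64")
    return m.as_bytes()


# Constructed samples: six rows mixing entity-encoded and literal blocks,
# and a benign message that uses two blocks as a progress bar.
ROW = "&#9608;&#9608; &#x2588;\u2588<br>"
QR_SAMPLE = build_sample("<pre>" + ROW * 6 + "</pre>")
BENIGN_SAMPLE = build_sample("<p>Upload progress: \u2588\u2588 20%</p>")

if __name__ == "__main__":
    for name, raw in (("qr", QR_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, block_char_score(raw), would_match(raw))
```

Running it over a folder of known-good mail shows how often legitimate messages reach the threshold, which helps when deciding how far from 20 the minimum score can be moved.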


The following is an example of such a mail:

[Image: da4250d2.jpg]


Note: If FortiMail still passes this kind of content even with the above workaround in place, open a ticket with Fortinet TAC and ask Support to check the situation: Technical Tip: How to create a ticket for Fortinet TAC.

Related Articles:
Technical Tip: QR code URL detection