Uvic Mandatory Multi-factor Authenticator

While it’s true that we are requiring everyone to enrol in UVic MFA, this email is not legitimate and is a case of quishing (QR code phishing). Here are the signs that this email is fraudulent and the QR code is not safe to scan:

  • Although the sender name mentions UVic, the email actually came from an external email address.
  • UVic is capitalized incorrectly and there are some wording errors in the message.
  • The email instills a sense of urgency by threatening expiry within a very short period of time, which is an attempt to trick you into acting hastily. Genuine emails of this nature will usually give you multiple notices well in advance of the deadline.
  • The email contains a QR code. Legitimate QR codes for MFA setup will never be sent by email. If a QR code is in an email, it’s usually because the scammer is using it to disguise a malicious link.

First half of MFA-themed quishing email - includes external sender and urgent language

Second half of MFA-themed quishing email - contains a malicious QR code that should not be scanned

From: Noreply_Uvic <greatfoob@grumpy******.ca>
Subject: Uvic Mandatory Multi-factor Authenticator
This message was sent with high importance.

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

[Microsoft Authenticator icon]

Microsoft 365 sign-in for multi-factor authentication

  • The multi-factor authentication for is set to expire within 24 hours.
  • Scan the barcode below to reauthenticate your multi-factor authentication within 24 hours and stay connected to Microsoft 365 apps and services.

[Malicious QR code]

Contact Microsoft help desk if you have any questions.

This email was sent from an unmonitored mailbox.
You are receiving this email because you have subscribed to Microsoft Office 365.
Privacy Statement
Microsoft Corporation, One Microsoft Way, WA 98052 USA
Microsoft

STATEMENT OF CONFIDENTIALITY The information contained in this email message and any attachments may be confidential and legally privileged and is intended for the use of the addressee(s) only. If you are not an intended recipient, please (1) notify me immediately by replying to this message; (2) do not use, disseminate, distribute or reproduce any part of the message or any attachment; and (3) destroy all copies of