QR Code Phishing (Quishing): The Growing Threat You Can't Ignore

Understand quishing attacks that use QR codes to bypass email security, how to spot malicious QR codes, and how to protect yourself.

Quishing (QR code phishing) is a rapidly growing attack technique that embeds a malicious URL in a QR code delivered by email, in a document, or on physical media. It defeats email security controls that extract and score URLs from the text and HTML of a message but do not decode images, and it moves the victim onto a personal smartphone, which typically lacks the endpoint and network controls of a managed desktop, before landing them on a credential harvesting page.

Why QR Code Attacks Work

Bypassing Email Security

Traditional email security gateways extract URLs from the text and HTML of a message and check them against threat intelligence feeds. A QR code is an image: the URL is encoded as a visual pattern that a gateway recovers only if it performs image analysis and QR decoding, which many deployments do not.

An attacker can therefore send a phishing email with no clickable link at all, just an inline QR code image whose payload is the malicious URL. Corporate email security products (Proofpoint, Mimecast, Microsoft Defender for Office 365) can miss these entirely unless QR code analysis is supported by the product and enabled in the policy.
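The gap described above is visible in what a gateway actually looks at. The following is an added example written for this article, not any vendor's detection logic: using only the Python standard library it parses a MIME message, collects the URLs that appear in the text and HTML parts (what a conventional gateway scores), lists the image parts a conventional gateway would not look inside, and flags the combination that characterises quishing, an image plus a scan-me lure and no link at all. Decoding the QR code itself needs an image library; the optional decoder assumes Pillow and pyzbar are installed and simply returns nothing when they are not. The two sample messages and the 1x1 PNG placeholder (not a real QR code) are constructed for the example.

```python
"""Gateway-side check for QR-only phishing mail (added example, stdlib only)."""
import base64
import email
import email.policy
import io
import re
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Lure phrases from the pretexts quishing emails use.
LURE_RE = re.compile(r"\b(scan|qr\s*code|authenticator|re-?enrol\w*|signature required)\b", re.IGNORECASE)


def decode_qr_payloads(image_bytes: bytes) -> list:
    """Decode QR codes in an image with pyzbar; returns [] if the libraries are absent."""
    try:
        from PIL import Image              # assumption: Pillow installed
        from pyzbar.pyzbar import decode   # assumption: pyzbar + libzbar installed
    except ImportError:
        return []
    try:
        return [d.data.decode("utf-8", "replace") for d in decode(Image.open(io.BytesIO(image_bytes)))]
    except Exception:  # corrupt or unsupported image: treat as undecodable
        return []


def analyze_message(raw: bytes) -> dict:
    """Walk every MIME part and summarise the link, image and lure indicators."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    text_urls, images, qr_payloads, lures = [], [], [], set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            body = part.get_content()
            text_urls += URL_RE.findall(body)
            lures.update(m.lower() for m in LURE_RE.findall(body))
        elif ctype.startswith("image/"):
            data = part.get_payload(decode=True) or b""
            images.append((ctype, len(data)))
            qr_payloads += decode_qr_payloads(data)
    # The quishing signature: an image, a lure to scan it, and no text link to score.
    suspicious = bool(images) and not text_urls and bool(lures)
    return {
        "subject": msg["subject"],
        "text_urls": text_urls,
        "image_parts": images,
        "qr_payloads": qr_payloads,   # decoded URLs go through the same checks as text links
        "lure_keywords": sorted(lures),
        "verdict": "quishing-suspect" if suspicious or qr_payloads else "no-qr-indicators",
    }


# Constructed 1x1 PNG used as a stand-in for the QR image; it contains no QR code,
# so decode_qr_payloads returns [] even when pyzbar is installed.
PLACEHOLDER_PNG = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)


def build_sample(quishing: bool) -> bytes:
    """Construct a sample email: a QR re-enrollment lure with an image, or a plain link."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.com"
    msg["To"] = "employee@example.com"
    if quishing:
        msg["Subject"] = "Action required: re-enroll Microsoft Authenticator"
        msg.set_content("Your authenticator must be re-enrolled within 24 hours.\n"
                        "Scan the QR code below with your phone.")
        msg.add_attachment(PLACEHOLDER_PNG, maintype="image", subtype="png", filename="qr.png")
    else:
        msg["Subject"] = "Team lunch"
        msg.set_content("Menu is at https://intranet.example.com/lunch")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(analyze_message(build_sample(flag)))
```

The verdict rule is deliberately narrow: a newsletter full of images and links is not flagged, while a message whose only call to action is "scan this" and which carries no scorable link is. In a real gateway the decoded payloads would be fed into the same URL reputation and sandboxing path as ordinary links.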

Mobile as the Attack Surface

When a victim scans the QR code with their smartphone:

  • Mobile browsers truncate the address bar, so a manipulated hostname is harder to notice
  • Mobile devices rarely run endpoint protection comparable to corporate desktop EDR
  • Employees scan with personal phones on mobile networks, so the corporate web proxy and DNS filtering never see the request
  • A fake login page can relay the credentials to the real service in real time, so the victim's own MFA push prompt arrives immediately and approves the attacker's session

How Quishing Attacks Are Constructed

Impersonation Themes

Common pretexts for QR code emails:

  • Multi-factor authentication enrollment: “Your Microsoft Authenticator needs to be re-enrolled. Scan the QR code below.”
  • DocuSign/signature required: “A document is waiting for your signature. Scan to view and sign.”
  • Parcel delivery: “Scan to reschedule your delivery.” (also used in physical quishing via fake package slips)
  • Parking fine: Physical QR codes on fake parking tickets in high-traffic areas

Legitimate Service Abuse

Attackers host phishing pages on legitimate services to avoid URL reputation blocking:

  • Bing.com redirect links whose URL parameter points to the attacker's site
  • SharePoint/OneDrive for malicious files
  • Azure Blob storage for phishing pages
  • Google Forms as data collection for credentials

Using trusted domains (microsoft.com, google.com, bing.com) as the first hop of the redirect chain defeats URL reputation filtering that scores only the visible link and never follows it to the final destination.

Real-World Examples

Microsoft credential harvesting campaign (2023): Millions of emails with QR codes pointing to spoofed Microsoft 365 login pages; the landing pages referenced the recipient's corporate email domain to appear legitimate.

Executive-targeted quishing: Highly targeted attacks against C-suite executives with personalized content, using QR codes because executives are more likely to use mobile devices.

Physical quishing at EV charging stations: Fake QR code stickers placed over the legitimate charger payment codes, redirecting drivers to payment credential harvesting pages.

Detection and Defense

For Individuals

Preview before visiting: Most native camera and QR reader apps on iOS and Android show the destination URL before opening it; read the whole hostname before tapping. For a QR code embedded in an email or photo, long-press the image to see the decoded link without navigating to it.

Verify the destination URL:

  • Look for subtle typosquatting: micros0ft.com (zero for o), rnycompany.com (rn reads as m in many fonts)
  • Check for unexpected domains: A QR code claiming to be DocuSign should lead to docusign.com, not random domains
  • Watch for redirect chains through trusted services before reaching the actual phishing page
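The checks in the list above, together with the trusted-domain redirect abuse described under Legitimate Service Abuse, can be applied mechanically to a URL once it has been decoded from a QR code. The following is an added example written for this article, not a tool the article describes. It is purely syntactic (no network access) and reports three things: a redirect chain tunnelled through a trusted domain's query string (including a base64-encoded target), a host that is not under the brand the message claims, and a lookalike host built from confusable characters. The confusable table, the list of redirect parameter names, the two-character tag stripped from encoded values, and all sample URLs are assumptions constructed for the example, not observed campaign data.

```python
"""Inspect a URL decoded from a QR code before anyone visits it (added example)."""
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

# Confusable substitutions seen in typosquatted hostnames (assumed list). Multi-character
# sequences are folded first so "rn" collapses to "m" before "0" becomes "o".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Parameter names that commonly carry an open-redirect or click-tracking target
# (assumed list; extend with the names your own redirectors use).
REDIRECT_PARAMS = {"u", "url", "redirect", "redirect_uri", "redirect_url", "r",
                   "target", "dest", "next", "return"}


def skeleton(host: str) -> str:
    """Fold confusable characters so a spoofed host maps onto the brand it imitates."""
    s = host.lower()
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def under_domain(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it; docusign.com.evil.example is not."""
    return host == domain or host.endswith("." + domain)


def _base64_url(value: str):
    """Return an http(s) URL hidden in a possibly unpadded base64 parameter value.
    Some redirectors prefix the encoded target with a short tag (assumption), so the
    value is also tried with its first two characters removed."""
    for candidate in (value, value[2:]):
        padded = candidate + "=" * (-len(candidate) % 4)
        try:
            decoded = base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue
        if decoded.startswith(("http://", "https://")):
            return decoded
    return None


def redirect_chain(url: str) -> list:
    """Follow URLs nested in query parameters, outermost first, stopping on cycles."""
    chain, seen = [url], set()
    while chain[-1] not in seen:
        current = chain[-1]
        seen.add(current)
        nested = None
        for name, value in parse_qsl(urlsplit(current).query, keep_blank_values=True):
            if value.startswith(("http://", "https://")):
                nested = value
            elif name.lower() in REDIRECT_PARAMS:
                nested = _base64_url(value)
            if nested:
                break
        if not nested:
            break
        chain.append(nested)
    return chain


def inspect_url(url: str, expected_domains) -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    chain = redirect_chain(url)
    if len(chain) > 1:
        hops = " -> ".join(urlsplit(u).hostname or "?" for u in chain)
        findings.append(f"redirect chain: {hops}")
    final = urlsplit(chain[-1])
    host = (final.hostname or "").lower()
    if not host:
        return findings + ["final URL has no hostname"]
    if final.scheme != "https":
        findings.append(f"final URL is not https (scheme {final.scheme!r})")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in hostname; inspect for homoglyphs")
    if any(under_domain(host, d) for d in expected_domains):
        return findings  # genuinely under the claimed brand (chain, if any, still reported)
    for d in expected_domains:
        if under_domain(skeleton(host), skeleton(d)):
            findings.append(f"lookalike host {host!r} imitates {d}")
            break
    else:
        findings.append(f"final host {host!r} is not under any expected domain {sorted(expected_domains)}")
    return findings


# Constructed sample URLs (not real campaign data), paired with the brand each claims.
_HIDDEN = base64.urlsafe_b64encode(b"https://login.rnicrosoft.com/common/oauth2").decode().rstrip("=")
SAMPLES = {
    "bing_redirect": (f"https://www.bing.com/ck/a?q=login&u=a1{_HIDDEN}", {"microsoft.com"}),
    "fake_subdomain": ("https://docusign.com.evil-reviews.example/sign?doc=42", {"docusign.com"}),
    "typosquat": ("https://trusted.example/go?url=http%3A%2F%2Fmicros0ft.com%2Flogin", {"microsoft.com"}),
    "legit": ("https://account.docusign.com/", {"docusign.com"}),
}


def demo() -> dict:
    return {name: inspect_url(url, domains) for name, (url, domains) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or ['no findings']}")
```

The skeleton comparison is intentionally one-directional: the suspect host is folded and compared against the expected brand, so a legitimate subdomain such as account.docusign.com passes the exact-suffix test first and is never reported as a lookalike of itself. The check follows only syntactically nested URLs; a server-side redirect (an HTTP 302 from the first hop) is invisible without fetching, which is exactly why the final hop, not the trusted first hop, has to be the one that is judged.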

Treat MFA enrollment QR codes as a red flag: Legitimate authenticator enrollment is something you start yourself from the account or IT portal, not something that arrives as a QR code in an unsolicited email. Organizations should enroll MFA through secure, documented channels and tell employees what that process looks like, so an email asking them to scan a code to “re-enroll” is recognizably out of place.

For Organizations

Enable QR code analysis in email security:

  • Microsoft Defender for Office 365 extracts URLs from QR code images and evaluates them with its URL protections; confirm that Safe Links policies cover every user in scope
  • Proofpoint and other gateways offer QR code phishing detection; verify that it is licensed and enabled in your policy rather than assuming it is on by default

User awareness training: Train specifically on quishing. It is newer than traditional phishing and most employees have never seen it covered in security training. Include physical QR code risks (parking lots, conference materials, restaurant tables).

Mobile Device Management (MDM): Deploy mobile threat defense or DNS/web filtering on managed phones so that URLs are checked before the browser loads them, closing the gap left when personal devices scan codes outside the corporate network.

Verify QR enrollment requests out-of-band: Any internal email asking employees to scan a QR code for authentication or enrollment should be verified with the IT helpdesk through a known channel before anyone scans it; never complete MFA enrollment from an unsolicited email.

Physical QR Codes

Inspect before scanning:

  • Look for a sticker placed over the original QR code (slight elevation, adhesive edges visible)
  • If a payment QR code looks recently added or tampered with, pay at the counter instead
  • Report suspicious QR codes in public locations to the venue

The quishing threat will continue growing as email security tools filter text-based phishing more effectively. The asymmetry makes QR codes an attractive evasion technique: they are trivial to generate, and neither the recipient nor most gateways can inspect them at a glance. Previewing the URL before navigating and organizational-level QR code analysis are the primary defenses.

#mobile threats #email security #phishing #QR code #quishing