QR Code Phishing (Quishing)

Timeline: The Cat and Mouse

2020 ← Attack emerges → 2022 ← Explodes → 2023 ← Defenses emerge → Present

The Evolution

Phase	Period	What Happened
CONTEXT	2020	COVID-19 normalizes QR codes; contactless everything
ATTACK	2021	Attackers begin exploiting QR code familiarity
EXPLOSION	2022-2023	Massive spike; Microsoft MFA and DocuSign lures dominate
RESPONSE	2023	SEGs add QR code detection and URL extraction
ADAPTATION	2024	QR codes in PDFs, split images, ASCII art QR codes
CURRENT	Present	Active threat; detection improving but evasion evolving

Key Events with Sources

Date	Event	Significance	Source
2020	COVID QR adoption	Pandemic normalizes QR codes for menus, payments, check-ins	General knowledge
2021	First quishing campaigns	Attackers exploit new user comfort with QR codes	Abnormal Security
Q3 2022	600%+ increase	QR phishing volumes explode	Cofense
2023	SEG QR detection	Email security vendors add QR scanning capabilities	Proofpoint
2024	Evasion techniques	Split QR codes, PDF embedding, ASCII art variants	Sublime Security

Overview

QR code phishing (“quishing”) embeds malicious URLs in QR codes within emails. Traditional email security scans text URLs but historically ignored images. Victims scan the QR code with personal phones, bypassing corporate security controls entirely and landing on phishing sites.

The Attack

Why QR Codes?

URL Obfuscation:

Traditional phishing: Click here → URL visible, can be scanned
QR phishing: [QR IMAGE] → URL hidden in image, harder to scan

Bypass Security:

Email security scans text, not images
URL reputation checks miss embedded URLs
Safe Links/URL rewriting doesn’t apply

Phone as Vulnerability:

Personal phones lack corporate security
No web filtering
Users trust phone scanning behavior

Common Lures

Microsoft MFA Reset:

Subject: Action Required: MFA Authentication Expiring

Your multi-factor authentication is expiring.
Scan the QR code below to re-authenticate.

[QR CODE → attacker's credential harvesting page]

DocuSign:

Subject: Document Ready for Signature

You have a document awaiting signature.
Scan to view and sign securely.

[QR CODE → fake DocuSign login]

HR/Benefits:

Subject: Open Enrollment - Action Required

Scan to update your benefits selections.
Deadline: [DATE]

[QR CODE → credential harvester]

Parking/Building Access:

Subject: Updated Parking Pass System

Scan to register your vehicle in the new system.

[QR CODE → phishing page]

Attack Flow

Victim receives email with QR code
Email security scans: no URLs, no attachments → passes
Victim scans QR code with personal phone
Phone opens browser → phishing page
Page mimics Microsoft 365 / corporate login
Victim enters credentials
Attacker captures credentials
Often: Real-time relay for MFA bypass

Technical Details

QR codes can encode:

URLs (most common)
Phone numbers (vishing setup)
SMS messages (smishing)
WiFi credentials
Contact cards

Attackers typically use:

URL shorteners (hide final destination)
Redirectors (avoid reputation hits)
Fresh domains (no negative reputation)

Defenses

Email Security Evolution

Modern SEGs now:

Extract images from emails
Detect QR codes in images
Decode embedded URLs
Check URL reputation
Apply same scanning as text URLs

Limitation: Attackers adapt with:

QR codes in attached PDFs
Partial QR codes (multiple images)
QR codes with visual noise

Mobile Device Management

MDM can provide:

URL filtering on managed devices
Warning banners for suspicious sites
Certificate inspection

Limitation: Personal phones often unmanaged.

User Training

Train users to:

Be suspicious of unexpected QR codes in email
Verify sender before scanning
Check URL after scanning, before entering credentials
Report QR code phishing attempts

Technical Controls

Block at the source:

Email contains: embedded image with QR code
AND sender: external
AND context: authentication/verification
→ Quarantine for review

Attacker Adaptation

Evasion Techniques

QR Code in PDF:

Attach PDF with QR code
Harder to scan automatically
User opens PDF, scans from there

Multi-Part QR:

Split QR code across images
Assembly required to decode
Evades simple QR detection

QR with Noise:

Add visual elements around code
Makes automated detection harder
Still scannable by phones

ASCII Art QR:

Render QR as text characters
Not detected as image
Phones can still scan

Redirect Chains

QR → bit.ly → legitimate-looking-redirect.com → phishing.site

Each hop:

Adds delay for reputation systems
May use legitimate services
Final destination not visible initially

Current State

Status: Active (and Evolving)

QR phishing has become a major threat:

Attack Advantages	Defensive Progress
Bypasses URL scanning	SEGs adding QR detection
Uses personal devices	MDM coverage increasing
Leverages post-COVID QR comfort	User awareness growing
Easy to generate	Detection improving

Detection Guidance

Email Indicators

Flag emails with:

Images containing QR codes
MFA/authentication themes
Urgency around access expiring
Request to use mobile device

User Reports

Encourage reporting:

Unexpected QR codes in business email
Requests to scan and authenticate
QR codes for benefits/HR/parking

Post-Click Analysis

If user scanned and entered credentials:

Reset credentials immediately
Check for MFA bypass (session theft)
Review sign-in logs
Check for persistence (app passwords, forwarding rules)
Determine what was accessed

SIEM Queries

email.has_image = true
AND email.image.contains_qr = true
AND email.sender.domain NOT IN (trusted_domains)
AND email.subject MATCHES (mfa|authentication|verify|expire|action required)

Defense	Introduced	Impact
QR Code Detection in Emails	2023	SEGs scan images for QR codes and extract URLs
QR URL Reputation Checking	2023	Extracted URLs checked against threat intelligence
Mobile Device Management	2022	MDM can warn on malicious URLs even on personal devices