MailGuard May 29, 2025 12:04:52 PM 6 MIN READ

QR Code Phishing (Quishing): Exploiting Mobile Devices and Trust in MFA

QR code phishing is the latest evolution of social engineering — targeting mobile-first behaviours and security expectations around multi-factor authentication. These attacks embed malicious URLs within QR images, which are often scanned on mobile devices that lack URL preview features.

QR code phishing, or “quishing”, is rapidly emerging as a preferred tactic for sophisticated attackers seeking to bypass text‑ and link‑based email defences.

By embedding malicious URLs inside seemingly innocuous QR images, adversaries are redirecting users to credential‑harvesting portals or malware delivery sites without triggering traditional filters.

How it Works

  • Emails masquerade as MFA notifications, invoice confirmations or account alerts, featuring an inline QR code or a QR image in a PDF/Microsoft Office document attachment.
  • When scanned, typically via a mobile device, the QR resolves to a fake login page or malware‑drop server.
  • Advanced campaigns embed CAPTCHA‑style checks and JavaScript routines to capture multi‑factor tokens or session cookies, enabling full account takeover.
  • QR payloads hidden in images sidestep URL‑scanning engines and link‑parsing rules, evading filters searching for malicious links.
  • On smaller mobile screens, users rarely preview URLs before scanning, and device settings often auto‑open QR links.
  • Attackers rotate landing‑page templates and domain infrastructure with dynamic obfuscation techniques, reducing the lifespan of blacklists and reputation rules.
  • With data encoding layers, attackers embed a short redirect URL (e.g. bit.ly or custom domains) which then chains to the final phishing or malware URL, minimizing the visible payload size and evading simple signature checks.
  • Dynamic code generation means payload URLs are often generated on the fly, with unique tokens per recipient to foil blacklist-based defences and enable per‑target tracking.
  • Steganographic obfuscation in some campaigns overlays benign logos on, or embeds the QR within, benign imagery, so that isolating and decoding the actual code requires advanced image processing (beyond basic OCR).
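As an added illustration (not MailGuard's code or detection logic), the Python triage routine below applies one defensive heuristic that follows from the points above and from the sample shown later on this page: a message carrying an MFA, invoice or account-alert lure whose only call to action is an inline image or an image/PDF attachment, with no ordinary hyperlink for a URL scanner to inspect, is worth routing to image analysis and QR decoding. The lure patterns, the sample message and its addresses are constructed for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Lure phrases the article lists (MFA notifications, invoices, account alerts); constructed list.
LURE = re.compile(r"\b(2FA|MFA|multi-?factor|invoice|account alert|security update)\b", re.I)
CID_REF = re.compile(r'src=["\']cid:([^"\']+)', re.I)   # <img src="cid:..."> references
HREF = re.compile(r'href=["\']https?://', re.I)          # any ordinary clickable link


def triage_quishing(raw: bytes) -> dict:
    """Score a raw RFC 5322 message for quishing traits: a lure phrase plus an
    image-carried call to action (inline cid: image or image/PDF attachment)
    and no hyperlink that a link-scanning engine could inspect."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html, inline_cids, attachments = "", set(), []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html += part.get_content()
        elif ctype.startswith("image/") or ctype == "application/pdf":
            cid = (part.get("Content-ID") or "").strip("<>")
            if cid:
                inline_cids.add(cid)
            else:
                attachments.append(part.get_filename() or ctype)
    text = (msg["Subject"] or "") + " " + html
    findings = {
        "lure_phrase": bool(LURE.search(text)),
        "inline_images": sorted(set(CID_REF.findall(html)) & inline_cids),
        "image_or_pdf_attachments": attachments,
        "has_hyperlinks": bool(HREF.search(html)),
    }
    # Image-only call to action + lure + no scannable link: route to QR decoding / image analysis.
    findings["suspect"] = (findings["lure_phrase"] and not findings["has_hyperlinks"]
                           and bool(findings["inline_images"] or attachments))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a '2FA update' lure whose only call to action is an inline image."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.invalid"
    msg["Subject"] = "Mandatory 2FA security update"
    msg.set_content("Scan the QR code to complete your mandatory 2FA security update.")
    msg.add_alternative('<p>Scan the QR code below to complete your mandatory 2FA '
                        'security update.</p><img src="cid:qr1">', subtype="html")
    # A stub PNG header stands in for the QR image; only the MIME structure matters here.
    msg.get_payload()[1].add_related(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", cid="<qr1>")
    return msg.as_bytes()
```

A message that scores as suspect should be handed to an image decoder rather than dropped outright, since legitimate newsletters also use image-only layouts.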


By concealing phishing URLs within QR images and leveraging mobile device behaviours, adversaries can harvest credentials and session tokens, straight from mobile endpoints, completely under the radar of static, signature‑based defences.

— Anwar Ibrahim, CTO, MailGuard


Key Points for Partners


  • Quishing campaigns appear as MFA requests, invoices, or account alerts and contain QR codes in the email body or PDF attachments.
  • Scanning a malicious QR code can lead to credential theft, token capture, or drive-by malware downloads.
  • Obfuscation techniques like steganography and CAPTCHA-gated redirects make detection even harder.


Here’s What It Looks Like

Attackers attempt to bypass email filters by embedding an image of a custom QR code in an email, rather than a link to a phishing page. When scanned by a mobile phone camera, the QR code image will open the phishing page instead. This example is masquerading as a security notification that a ‘mandatory 2FA security update’ is required.

[Image: qr - 1 (screenshot of the sample phishing email containing the QR code)]

Upon arrival at the phishing page, users are presented with a number of CAPTCHA prompts which mandate that the web client is an actual browser (or can simulate a browser) and is actively executing JavaScript.

[Image: qr - 2 (screenshot of the CAPTCHA-gated phishing page)]

This example is attempting to harvest the user’s Microsoft credentials.


“Quishing represents a paradigm shift in phishing, blurring the line between physical and digital attack surfaces. Without robust image analysis and real-time detonation, organisations leave their most critical assets exposed.”

— Prathik Chandrashekar, Head of Engineering, MailGuard


Advice to Share with Clients

Encourage users to verify QR code sources, especially those received via email. Organisations should assume attackers are targeting the weakest device in the chain — and for many, that’s the mobile endpoint.


Want to learn more or arm your team with the latest insights?

Reach out to your MailGuard Partner Manager today or contact expert@mailguard.com.au.

Your expertise, combined with MailGuard’s leading-edge technologies, gives your clients a decisive advantage.

🚀 Let’s build the future of cyber resilience together.


Keeping Businesses Safe and Secure

Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk, for example a specialist third-party cloud email solution like MailGuard.

For a few dollars per staff member per month, businesses are protected by MailGuard's specialist, zero zero-day email security. Special Ops for when speed matters! Our real-time zero zero-day email threat detection amplifies your client’s intelligence, knowledge, security and defence.

MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your clients today to ensure they’re prepared and get in touch with our team to discuss fortifying your client’s cyber resilience.


Talk to us

MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners call 1888 848 2822

UK partners call 0 800 404 8993
