QR codes are everywhere. You use them to pay for coffee, pull up a restaurant menu, or quickly log into an app on your computer. This convenience has made QR codes a trusted part of our daily lives, and cybercriminals are taking full advantage of that trust. What started as a niche threat has exploded into a major problem, with QR-led phishing campaigns, dubbed “quishing”, accelerating dramatically since late 2023.
Quishing is a clear sign that adversaries are adapting to our defenses. This new wave of attacks is particularly dangerous because it exploits a critical blind spot in corporate security: the pivot from a secure, managed work device to an unmonitored personal phone. By understanding how these attacks bypass traditional security and implementing new hunting strategies, you can significantly reduce your risk of a successful account takeover.
How Quishing Works: A Perfect Storm of Deception
The anatomy of a quishing attack is a masterclass in social engineering and technical evasion. It all starts with a simple-looking email. Instead of a clickable link, the message contains a QR code. This is where the deception begins…
The Bait
An attacker sends an email designed to create a sense of urgency or curiosity. It might be a fake “password reset” notification, a “two-factor authentication” prompt, or a message about a pending invoice. The email itself often contains very little text and is mostly an image with the QR code.
The Scan
The user, conditioned to trust QR codes, instinctively pulls out their phone and scans it. This is the critical moment when the user moves off their protected corporate laptop and onto an unmanaged mobile device, where corporate security tools have little to no visibility.
The Attack
The scanned QR code leads the user to a malicious website. Attackers use sophisticated techniques like Adversary-in-the-Middle (AiTM) pages to steal credentials and session cookies in real time. In a more advanced attack known as QRL-jacking (QR Login Abuse), the site tricks the user into a login flow that generates a live session token, giving the attacker immediate access to their account—often bypassing multi-factor authentication (MFA).
The Fallout
Once an attacker has access, they move fast. They can manipulate mailbox rules to hide future malicious emails, commit vendor fraud, or escalate the attack into a full-blown Business Email Compromise (BEC) scheme.
Why Quishing Is So Hard to Stop
Traditional security tools and teams struggle to detect and block these attacks for several reasons.
- Invisible Traffic: While many email security systems can scan QR codes, their ability to do so consistently across different file types (like images or PDFs) and complex redirect chains is often inconsistent. The final malicious link is often hidden behind multiple cloud redirects or URL shorteners that strip away key indicators security teams rely on.
- The Unmanaged Mobile Problem: The attack happens on the user’s personal phone, which is typically outside the monitoring scope of corporate security teams. This means there’s no click telemetry, no network logs from a corporate proxy, and no visibility into what happens after the QR code is scanned.
- A “Normal” Appearance: In QRL-jacking attacks, the victim’s login process yields a valid session token, not a failed MFA attempt. To security logs, this activity looks completely normal, making it incredibly difficult to spot.
Strategies for a Stronger Defense
Security teams need to look beyond traditional email and web gateway tools and stitch together insights from multiple data sources.
1. Hunt for Sign-In Anomalies
Attackers will often log in from a new or unmanaged device shortly after the phishing email is sent. By correlating risky sign-ins with the timing of these campaigns, you can flag suspicious activity and respond faster.
2. Analyze Email Sender Patterns
Look for inbound email campaigns that are heavy on images and have a similar subject or sender pattern. These emails are designed to deliver the QR code without raising suspicion from text-based scanning.
3. Fingerprint File Signatures
Instead of chasing ever-changing malicious links, focus on the static elements of the attack. You can create a signature or a hash based on the metadata of the image or PDF file to capture entire campaign families, even as the destination URLs change.
4. Stitch Together the Narrative
The most effective strategy is to combine data from your email security, identity, and session logs. Use a common identifier, like the message ID, to thread together the email, the user’s authentication events, and the subsequent session activity. This creates a clear, end-to-end narrative of the attack, allowing your security operations center (SOC) to respond with speed and precision.
Next Steps
As QR codes become more embedded in our daily lives, these attacks will only become more frequent and harder to detect. The challenge for cybersecurity teams is to move beyond conventional defenses and adopt proactive, data-driven hunting strategies. By correlating email, identity, and session data, and by focusing on behavioral anomalies rather than just static indicators, you can turn a blind spot into a source of intelligence.
Download our essential resources for a complete breakdown of the modern quishing threat: