Quishing Evasion: Malicious QR Codes Bypassing Security Filters
- [01] Immediate impact: Attackers leverage malicious QR codes to bypass automated email security scanners and deliver phishing links directly to mobile devices.
- [02] Affected systems: Corporate email environments and mobile devices without managed security profiles are the primary targets for these quishing campaigns.
- [03] Remediation: Implement image-based analysis for email attachments and enforce mobile device management with integrated endpoint protection to block malicious domains.
The phishing landscape is undergoing a significant tactical shift as attackers increasingly adopt ‘quishing’ (QR code phishing) to circumvent traditional security controls. According to SANS Internet Storm Center, these attacks are particularly effective because they use image-based delivery to hide malicious URLs from text-based scanning engines. By embedding a malicious link within a QR code, threat actors ensure that traditional Secure Email Gateways (SEGs), which only inspect body text and standard attachments, may fail to flag the message as a threat.
The Technical Evasion of Security Filters
The primary technical challenge for defenders is that many email security products are not configured to perform Optical Character Recognition (OCR) or image analysis on every incoming message. Attackers exploit this gap by placing QR codes inside PDF documents or embedding them as PNG images within the email body. This TTP allows the malicious payload to transit the perimeter without being detonated or analyzed for reputation. Furthermore, because QR codes are designed to be scanned by mobile devices, the subsequent malicious activity often occurs on a device that is outside the corporate EDR or SIEM visibility, facilitating a clean break from monitored network traffic.
Advanced attackers are also employing techniques to further obfuscate these codes. This includes adjusting the contrast, adding ‘noise’ to the image, or using multi-layered image files where the QR code is only reconstructed upon rendering by the mail client. These methods make it increasingly difficult for simple image-matching algorithms to detect the threat. Once scanned, the victim is typically redirected through multiple shortened URLs or legitimate-looking landing pages to harvest credentials, often for cloud services like Microsoft 365.
How to Detect Quishing Attacks and QR Code Evasion
To effectively identify these threats, a SOC must evolve its detection capabilities beyond simple pattern matching. A critical component of a modern defense strategy is the integration of image analysis tools that can automatically extract and decode URLs from images in real time. Organizations should look for indicators such as high volumes of emails containing only an image and minimal text, which is a common signature of automated quishing campaigns.
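The "image with minimal text" signature described above can be checked at the MIME level before any QR decoder runs. The following is an added example, not code from the original article or from any gateway product: it uses only the Python standard library, so the QR decoding itself is out of scope, but `image_parts()` returns exactly the image and PDF parts a decoder would be handed, and `triage()` scores the message on the combination of signals. The `MIN_TEXT_CHARS` threshold, the lure keyword list and the sample message are assumptions constructed for illustration.

```python
"""Triage an inbound message for the quishing signature described above:
an image (or PDF) carrying the lure while the readable text is minimal.

Added example, not code from the original article. Standard library only, so
the QR decoding step is left to whatever decoder the gateway already runs:
image_parts() returns exactly the parts such a decoder would be fed.
Thresholds and keyword list are assumptions to tune against real traffic.
"""
import email
import re
from email import policy
from email.message import EmailMessage

IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/bmp", "image/webp"}
MIN_TEXT_CHARS = 120          # assumed: below this the message is "image-only"
LURE_WORDS = re.compile(r"\b(scan|qr\s*code|verify|password|expire|mfa)\b", re.I)


def visible_text(msg: EmailMessage) -> str:
    """Text a reader would see: plain parts plus HTML parts with tags stripped."""
    chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            chunks.append(part.get_content())
        elif ctype == "text/html":
            chunks.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    return re.sub(r"\s+", " ", " ".join(chunks)).strip()


def image_parts(msg: EmailMessage) -> list:
    """Inline or attached image/PDF parts, with what a QR decoder needs to know."""
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in IMAGE_TYPES or ctype == "application/pdf":
            payload = part.get_payload(decode=True) or b""
            found.append({
                "content_type": ctype,
                "filename": part.get_filename(),
                "inline": part.get_content_disposition() != "attachment",
                "size": len(payload),
            })
    return found


def triage(raw: str) -> dict:
    """Score one RFC 5322 message; 'suspicious' needs two independent signals."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = visible_text(msg)
    images = image_parts(msg)
    reasons = []
    if images and len(text) < MIN_TEXT_CHARS:
        reasons.append("image-only message with minimal text")
    if any(p["content_type"] == "application/pdf" for p in images):
        reasons.append("PDF attachment, a common carrier for QR codes")
    if LURE_WORDS.search(text):
        reasons.append("scan/verify lure wording")
    return {"text_chars": len(text), "images": images,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def build_sample() -> str:
    """Constructed sample lure: one sentence plus an inline PNG (placeholder
    bytes, not a real QR image)."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@ext.invalid"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Action required: MFA enrollment expires today"
    msg.set_content("Scan the QR code below to keep your account active.")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    msg.add_attachment(png, maintype="image", subtype="png",
                       filename="mfa.png", disposition="inline")
    return msg.as_string()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Requiring two signals keeps a lone marketing image or a lone "verify" in a long message from firing on its own; the returned `images` list is what you would pass to the decoder, and its `inline` flag matters because inline PNGs in the body are the case that attachment-only scanning misses.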
Monitoring for unusual login locations following the receipt of an image-heavy email can also serve as a behavioral IoC. If a user scans a code on their mobile device and then authenticates from a non-corporate IP address, this should trigger an immediate investigation into potential credential theft. Analysts should also correlate mail logs with mobile device telemetry to identify when a user navigates to a suspicious domain immediately after opening a specific message.
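The behavioral IoC in the paragraph above is a join between two log sources. The following is an added example, not code from the original article: it correlates a mail-gateway delivery marked as image-only with a later successful sign-in by the same recipient from outside the corporate address ranges. The log formats, the corporate network list and the 30-minute window are all constructed assumptions; the parser is the part you would replace with your own schema.

```python
"""Behavioral IoC from the paragraph above: a successful sign-in from a
non-corporate address shortly after an image-heavy message was delivered.

Added example, not from the original article. The mail-gateway and IdP log
formats, the corporate address ranges and the 30-minute window are all
constructed assumptions; adapt the parser to your own log schema.
"""
import ipaddress
from datetime import datetime, timedelta

CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"),
             ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress
WINDOW = timedelta(minutes=30)                         # assumed correlation window

# Constructed sample logs (key=value fields after an ISO-8601 timestamp).
MAIL_LOG = [
    "2024-05-01T09:02:11Z recipient=alice@corp.example msgid=<q1@ext.invalid> image_only=true",
    "2024-05-01T09:05:40Z recipient=bob@corp.example msgid=<n1@partner.example> image_only=false",
]
AUTH_LOG = [
    "2024-05-01T09:14:03Z user=alice@corp.example src=198.51.100.23 result=success ua=mobile",
    "2024-05-01T09:30:00Z user=bob@corp.example src=10.4.2.9 result=success ua=desktop",
    "2024-05-01T11:00:00Z user=alice@corp.example src=198.51.100.23 result=success ua=mobile",
]


def parse_kv(line: str) -> dict:
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_corporate(ip: str) -> bool:
    """True when the source address falls inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def correlate(mail_lines, auth_lines, window=WINDOW) -> list:
    """Pair each image-only delivery with later off-network sign-ins by the recipient."""
    deliveries = [m for m in map(parse_kv, mail_lines) if m.get("image_only") == "true"]
    logins = [a for a in map(parse_kv, auth_lines) if a.get("result") == "success"]
    alerts = []
    for m in deliveries:
        for a in logins:
            if a["user"] != m["recipient"] or is_corporate(a["src"]):
                continue
            delta = a["ts"] - m["ts"]
            if timedelta(0) <= delta <= window:
                alerts.append({"user": a["user"], "msgid": m["msgid"], "src": a["src"],
                               "minutes_after": int(delta.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(MAIL_LOG, AUTH_LOG):
        print(alert)
```

In the constructed logs only the first of alice's two sign-ins is inside the window, so one alert is raised; bob's sign-in is from a corporate range and his message was not image-only, so nothing fires for him. The window and the "success only" filter are the knobs that trade alert volume for recall.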
QR Code Phishing Mitigation Steps for Defenders
Security teams should prioritize several technical and administrative controls to reduce the risk of successful quishing. First, ensure that email gateways are configured to block or sandbox emails containing QR codes from untrusted external senders. If blocking is not feasible, these messages should be flagged with a warning banner to alert the user to the potential risk.
Second, defenders must implement a Zero Trust approach to mobile device security. This includes deploying mobile threat defense (MTD) solutions that can intercept malicious network requests at the device level, regardless of how the URL was accessed. Finally, user awareness training must be updated to specifically include quishing simulations. Users should be instructed to never scan QR codes in emails requesting sensitive information or password resets, as this remains a primary vector for MITRE ATT&CK technique T1566.003 (Phishing: Malicious Service).
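The gateway control from the first step above (block or sandbox when the sender is untrusted, otherwise deliver with a warning banner) can be expressed as a small policy function plus a banner-insertion routine. The following is an added example, not the article's or any product's code: the trusted-domain allow-list, the banner wording, the `X-QR-Code-Warning` header name and the sample message are assumptions; `qr_detected` is whatever your image analysis step decided.

```python
"""Gateway handling for a message flagged as carrying a QR code.

Added example, not from the original article or any vendor product. Implements
the ordering described above: block or sandbox when the sender is untrusted and
policy allows it, otherwise deliver with a warning banner. The allow-list,
banner text and header name are assumptions.
"""
import email.utils
import html
from email.message import EmailMessage

TRUSTED_SENDER_DOMAINS = {"corp.example", "partner.example"}   # assumed allow-list
BANNER = ("WARNING: this external message contains a QR code. Do not scan QR codes "
          "from email that ask you to sign in, reset a password or verify an account.")
WARNING_HEADER = "X-QR-Code-Warning"                          # assumed header name


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the header From address, lower-cased ('' if unparsable)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def decide(msg: EmailMessage, qr_detected: bool, mode: str) -> str:
    """Choose the gateway action; mode is the configured handling for untrusted
    senders ('block', 'sandbox' or 'banner'). Trusted senders are delivered."""
    if not qr_detected or sender_domain(msg) in TRUSTED_SENDER_DOMAINS:
        return "deliver"
    if mode not in ("block", "sandbox", "banner"):
        raise ValueError(f"unknown mode {mode!r}")
    return mode


def apply_banner(msg: EmailMessage) -> EmailMessage:
    """Prepend the warning to every text body part and tag the message so
    downstream rules (and the SIEM) can see it was flagged."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            part.set_content(BANNER + "\n\n" + part.get_content())
        elif ctype == "text/html":
            part.set_content("<p><b>" + html.escape(BANNER) + "</b></p>" + part.get_content(),
                             subtype="html")
    msg[WARNING_HEADER] = "external-sender"
    return msg


def build_message(sender: str) -> EmailMessage:
    """Constructed sample: a short lure with an image attachment (placeholder bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Your mailbox quota is full"
    msg.set_content("Scan the QR code to upgrade your storage.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
                       maintype="image", subtype="png", filename="qr.png")
    return msg


def handle(msg: EmailMessage, qr_detected: bool, mode: str = "banner") -> tuple:
    """Apply the policy and return (action, possibly modified message)."""
    action = decide(msg, qr_detected, mode)
    if action == "banner":
        apply_banner(msg)
    return action, msg


if __name__ == "__main__":
    action, out = handle(build_message("helpdesk@ext.invalid"), qr_detected=True)
    print(action)
    print(out.as_string())
```

The banner goes into both the plain and HTML bodies rather than only into the subject, because a mobile client showing the image is also the one that shows the body text; the added header is what a later rule or a SIEM search keys on when the user does scan the code anyway.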