Phish Defense

Threat Intelligence

Quishing: The QR Code Attack That's Bypassing Every Email Filter You Have

Phish Defense Team · 27 March 2026 · 7 min read
Tags: QR Code Phishing, Quishing, Phishing Attacks, Email Security, Security Awareness

The QR Code in Your Inbox Is Probably a Trap

Imagine this: an employee gets an email that looks like it's from Microsoft. The message warns that their account will be locked unless they verify their identity immediately. There's no suspicious link — just a QR code. The employee pulls out their phone, scans it, and lands on what looks like a legitimate Microsoft login page. They enter their credentials. Game over.

This is quishing, QR code phishing, and it's one of the fastest-growing attack techniques of 2026. Cybercriminals have discovered a brutal truth: your email security gateway inspects links and attachments, but most gateways never decode a QR code. The malicious URL is hidden inside a pixelated square that security tools treat as a harmless image, and the message sails straight through your defenses.

If your organization isn't training employees to spot quishing attacks, you have a gap that no technology alone can close.


Why Quishing Works So Devastatingly Well

QR codes became mainstream during the pandemic — menus, payment terminals, boarding passes, event check-ins. Employees are now conditioned to scan them without a second thought. Attackers are exploiting that muscle memory.

Here's why quishing is so effective:

It Neutralizes Your Email Security Stack

Secure Email Gateways (SEGs) and anti-phishing tools work by analyzing URLs, attachments, and sender reputation. A QR code is just a JPEG or PNG image embedded in an email. The malicious URL lives inside the image, invisible to any scanner that doesn't decode barcodes in every embedded graphic (the step is often loosely called OCR, though a QR code is a barcode, not text) and then run the extracted URL through the same reputation and sandbox checks as a visible link. Most don't. And where a gateway does decode images, attackers respond by drawing the code out of HTML table cells or Unicode block characters, or splitting it across two images, so that no single image part decodes to anything.

It Hijacks the Most Vulnerable Device in Your Fleet

When an employee scans a QR code with their personal smartphone, they're browsing on a device your IT team probably has zero visibility into. No corporate VPN, no endpoint detection, no browser extension warning them about the fraudulent site. The attack jumps from a corporate email environment onto an unmanaged, unmonitored device in seconds.

It Exploits Urgency and Authority

Like all phishing, quishing attacks lean on psychological pressure. Common lures include:

  • Fake multi-factor authentication prompts — "Scan to re-authenticate before your session expires."
  • Payroll and HR fraud — "Scan to update your direct deposit details."
  • Package delivery scams — "Scan to schedule your delivery and avoid fees."
  • Executive impersonation — A "message from the CEO" with a QR code to a "confidential document."

The best quishing emails look flawlessly legitimate — correct logos, fonts, and sender names. There's no misspelled link to catch, because there's no visible link at all.


Real-World Quishing: How Big Is the Problem?

Quishing attacks surged dramatically in recent years. Security researchers have observed campaigns targeting major enterprises, government agencies, and financial institutions with QR-code-laden emails that bypassed leading email security vendors entirely.

Energy companies, banks, healthcare systems, and tech firms have all been hit. In several documented cases, attackers used quishing to steal Microsoft 365 credentials, then pivoted to business email compromise (BEC) attacks — redirecting wire transfers and intercepting sensitive communications.

The damage isn't hypothetical. And the volume is climbing because the technique works.


Anatomy of a Quishing Attack: Step by Step

Understanding the attack chain helps you train employees to break it at the right moment.

  1. The lure lands in the inbox. The email passes through filters because it contains no malicious link — just an image with a QR code and urgent-sounding text.

  2. The employee scans with their phone. Their personal device has none of the corporate security controls that might flag a suspicious URL.

  3. They land on a convincing fake login page. The site is often hosted on legitimate cloud infrastructure (Azure, AWS, Cloudflare) so that domain reputation and blocklists don't fire. It may be an adversary-in-the-middle (AiTM) reverse proxy that relays every request to the real login service, capturing not just credentials but the session cookie issued after MFA succeeds. That defeats any MFA based on a code the user types or a push the user approves, because the proxy simply forwards whatever the victim provides.

  4. Credentials (and session tokens) are stolen in real time. The attacker immediately authenticates to the real Microsoft 365, Google Workspace, or banking portal before the victim even realizes something is wrong.

  5. The pivot begins. With account access, attackers exfiltrate data, set up email forwarding rules, launch BEC attacks against partners and clients, or deploy ransomware.


How to Defend Against QR Code Phishing

No single tool stops quishing — it requires a layered strategy that puts human awareness at the center.

Train Employees to Treat QR Codes Like Suspicious Links

Your employees know (or should know) not to click unfamiliar links. They need the same instinct for QR codes. Key training points:

  • Never scan a QR code in an unexpected email, even if it appears to come from Microsoft, IT, HR, or a known vendor.
  • Preview the URL before visiting it. Most phone cameras show the destination URL before opening the browser; train employees to read the registered domain, not the brand name that appears somewhere in the path. A shortened link or an unfamiliar domain is a stop sign, and a redirector can hide the real destination, so when in doubt, don't proceed.
  • Verify through a separate channel. Got a QR code from "HR" about payroll? Call HR directly. Got one from "IT"? Open a support ticket independently.
  • Report suspicious emails immediately. A quick report could stop an attack before it reaches dozens of other colleagues.

Implement QR-Aware Email Filtering

Ask your email security vendor whether their platform decodes QR codes found in embedded and attached images and feeds the extracted URL through the same link analysis it applies to visible links (reputation lookups, sandbox detonation, time-of-click rewriting). Many enterprise platforms now offer this capability, but it may need to be explicitly enabled. If your current vendor doesn't support it, factor that into your next procurement decision, and in the meantime remember that a message built around an image with no visible link at all is itself a signal worth scoring.
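One way to score that signal in-house while waiting on a vendor. This is an added example, not code from the post and not any vendor's feature: it uses only the Python standard library to parse a raw message, and flags it when the body carries an image part, no visible hyperlink, and lure wording of the kind listed earlier. The lure patterns, the allowlisted hosts, the sample messages and the `fake_decoder` are all constructed for the example; the PNG bytes are a placeholder rather than a real QR code, and a deployment would replace `fake_decoder` with a real barcode decoder such as a wrapper around pyzbar or OpenCV.

```python
"""Triage rule for link-free, image-carrying mail that is likely to hold a QR lure.

Added example, not code from the post or from any vendor. It uses only the
standard library to parse a raw RFC 5322 message and flags it when the body
has an image part, no visible hyperlink, and lure wording. If a barcode
decoder is supplied, each URL decoded from an image is scored like a visible
link against an allowlist of hosts the organisation expects to see.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Callable, Optional

# Constructed for this example: wording typical of the lures listed above.
LURE_RE = re.compile(
    r"\b(scan|qr code|verify|re-?authenticat\w*|expire\w*|locked|urgent|direct deposit)\b",
    re.IGNORECASE,
)
LINK_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/bmp"}
# Assumption: hosts a QR code in mail to this organisation may legitimately point at.
ALLOWED_HOSTS = {"login.microsoftonline.com", "sso.corp.example"}


def extract_parts(msg: EmailMessage) -> tuple[str, list[bytes]]:
    """Collect the visible text and the raw bytes of every image part."""
    text, images = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text.append(part.get_content())
        elif ctype in IMAGE_TYPES:
            images.append(part.get_content())
    return "\n".join(text), images


def score_message(raw: bytes, decode_qr: Optional[Callable[[bytes], list[str]]] = None) -> dict:
    """Return a verdict plus the evidence behind it. decode_qr is optional: without it the
    rule still fires on the image-only, link-free, lure-worded shape of the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    text, images = extract_parts(msg)
    visible_links = LINK_RE.findall(text)
    lures = sorted({m.lower() for m in LURE_RE.findall(text)})
    qr_urls = [url for img in images for url in (decode_qr(img) if decode_qr else [])]
    reasons = []
    if images and not visible_links and lures:
        reasons.append("image part, lure wording, and no visible link")
    for url in qr_urls:  # a decoded URL gets the same scrutiny as a visible link
        host = url.split("://", 1)[1].split("/", 1)[0].lower()
        if host not in ALLOWED_HOSTS:
            reasons.append(f"QR code resolves to unexpected host {host}")
    return {"verdict": "quarantine" if reasons else "deliver",
            "reasons": reasons, "lures": lures, "qr_urls": qr_urls}


def _build(subject: str, body: str, image: bool, link: Optional[str] = None) -> bytes:
    """Constructed sample messages; the PNG bytes are a placeholder, not a real QR code."""
    m = EmailMessage()
    m["From"] = "Microsoft Account Team <no-reply@m365-security-alert.example>"
    m["To"] = "employee@corp.example"
    m["Subject"] = subject
    m.set_content(body + (f"\n{link}" if link else ""))
    if image:
        m.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(32), maintype="image",
                         subtype="png", filename="verify.png")
    return m.as_bytes()


def sample_quish() -> bytes:
    return _build("Action required: verify your identity",
                  "Your account will be locked in 24 hours. Scan the QR code below to re-authenticate.",
                  image=True)


def sample_benign() -> bytes:
    return _build("Offsite photos",
                  "Here are the photos from the offsite, album link below.",
                  image=True, link="https://photos.corp.example/offsite")


def fake_decoder(img: bytes) -> list[str]:
    """Stand-in for a real decoder (for example pyzbar.pyzbar.decode on a PIL image);
    it returns the URL the constructed sample is imagined to encode."""
    return ["https://login-microsoft-verify.example/auth"]


if __name__ == "__main__":
    print(score_message(sample_quish(), decode_qr=fake_decoder))
    print(score_message(sample_quish()))   # no decoder: still caught by the shape heuristic
    print(score_message(sample_benign()))  # image plus a visible link, no lure: delivered
```

The second call shows the point of the shape heuristic: even with no decoder at all, a message whose only call to action is an image and whose text contains no link is unusual enough to hold for review. The allowlist comparison on the decoded host is deliberately strict; in production the decoded URL would go to the same reputation and detonation pipeline as a visible link rather than a static set.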

Enforce Phishing-Resistant MFA

Traditional TOTP and SMS MFA codes, and push approvals, can be captured or relayed by AiTM proxy attacks, because the proxy simply forwards whatever the victim provides to the real service. Move toward phishing-resistant authentication: hardware security keys (FIDO2/WebAuthn) or passkeys. The browser binds each signed assertion to the origin the user is actually on, and the credential itself is scoped to the legitimate relying party's domain, so an assertion produced on an attacker's proxy site is rejected by the real service and the proxy cannot alter it without breaking the signature.
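The difference between the two MFA families in steps 3 and 4 of the attack chain and in the paragraph above, shown as an added simulation rather than code from the post or from any identity provider. The hostnames, the shared TOTP secret and the credential key are constructed; an HMAC key stands in for the authenticator's private key so the script needs only the standard library. The checks the relying party performs on `clientDataJSON` and `authenticatorData` are the real WebAuthn assertion checks; the TOTP routine is RFC 6238.

```python
"""Why an AiTM proxy can relay a TOTP code but not a FIDO2/WebAuthn assertion.

Added illustration, not code from the post. Three parties are simulated: the
real identity provider at REAL_ORIGIN, an attacker's reverse proxy at
PROXY_ORIGIN (both hostnames constructed), and the victim's browser. The
authenticator's private key is stood in for by an HMAC key so the script needs
only the standard library; the origin and rpIdHash checks are the ones a real
relying party performs on clientDataJSON and authenticatorData.
"""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example.com"               # assumption: legitimate IdP
PROXY_ORIGIN = "https://login-example-verify.example"   # assumption: attacker's AiTM proxy
TOTP_SECRET = b"constructed-shared-secret"              # shared by victim's app and the IdP
CREDENTIAL_KEY = b"constructed-credential-key"          # stand-in for the FIDO2 private key


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def aitm_relay_totp(now: int) -> bool:
    """Victim types the code into the proxy's fake page; the proxy forwards it verbatim."""
    typed_by_victim = totp(TOTP_SECRET, now)
    forwarded_by_proxy = typed_by_victim          # nothing ties the code to a page or domain
    return hmac.compare_digest(forwarded_by_proxy, totp(TOTP_SECRET, now))  # IdP accepts it


def rp_id_hash(origin: str) -> bytes:
    return hashlib.sha256(origin.split("://", 1)[1].encode()).digest()


def browser_get_assertion(challenge: str, page_origin: str) -> dict:
    """The browser, not the page, fills clientData.origin and the rpIdHash from the origin
    it is actually displaying; the authenticator signs authData || SHA-256(clientData)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = rp_id_hash(page_origin) + b"\x01" + b"\x00\x00\x00\x01"  # flags UP, counter 1
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()}


def idp_verify_assertion(assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn assertion ceremony, in order."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin {cd.get('origin')} is not {REAL_ORIGIN}"
    if assertion["authenticatorData"][:32] != rp_id_hash(REAL_ORIGIN):
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; the proxy forwards it unchanged


def legitimate_webauthn_login() -> tuple[bool, str]:
    return idp_verify_assertion(browser_get_assertion(CHALLENGE, REAL_ORIGIN), CHALLENGE)


def aitm_relay_webauthn() -> tuple[bool, str]:
    # The victim's browser is on the proxy's page, so the assertion is bound to PROXY_ORIGIN.
    # The proxy cannot edit clientDataJSON or authenticatorData without breaking the signature.
    return idp_verify_assertion(browser_get_assertion(CHALLENGE, PROXY_ORIGIN), CHALLENGE)


if __name__ == "__main__":
    now = 1_700_000_000
    print("TOTP relayed through proxy accepted:", aitm_relay_totp(now))
    print("WebAuthn from real origin:", legitimate_webauthn_login())
    print("WebAuthn relayed through proxy:", aitm_relay_webauthn())
```

In a real browser the failure comes even earlier: a credential registered for `login.example.com` is scoped to that RP ID, so the proxy's page cannot ask the authenticator to use it at all. The simulation lets the ceremony run so the relying-party side of the check is visible.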

Run Quishing Simulations

The single most effective way to find out who in your organization would fall for a quishing attack is to run one safely, before real attackers do. PhishDefense's multi-channel simulation platform lets you send realistic QR-code phishing simulations to your employees and track who scans, who visits the landing page, and who enters credentials — then automatically enroll those individuals in targeted micro-training.

This isn't about gotcha moments. It's about building a measurable, data-driven picture of your human attack surface, and systematically reducing it.


The Dangerous Assumption Killing Your Security Posture

Many organizations assume their technology stack is their primary defense. Firewalls, SEGs, endpoint detection — if those tools didn't flag it, it must be safe.

Quishing attacks are engineered specifically to exploit that assumption. The message is clear: technology has limits, and attackers know exactly where those limits are. Your employees are the last line of defense, and they need to be trained, tested, and equipped to hold that line.

The good news? Employees who've been trained — and who've experienced a simulated quishing attempt — are dramatically less likely to fall for the real thing. Awareness, combined with clear reporting procedures, turns your workforce from a vulnerability into a genuine defensive asset.


Don't Wait for a Real Attack to Find Your Weak Spots

Quishing is not a future threat. It's happening today, and it's hitting organizations that believe their email security tools have it covered. They don't.

The most resilient organizations are running phishing and quishing simulations regularly, measuring employee risk scores by department and role, and using those insights to focus training where it matters most.

Ready to find out how many of your employees would scan a malicious QR code? Run a quishing simulation with PhishDefense and get a clear picture of your human risk — before an attacker does it for you.
