Quishing: How QR Code Phishing Bypasses Your Email Filters

[Figure: Quishing attack flow, showing a malicious QR code being scanned by a phone and redirecting to a fake login page for credential harvesting]

Your company’s email gateway can parse URLs, detonate attachments in a sandbox, and flag sender domains that were registered yesterday. It cannot read a QR code.

That is the entire premise of quishing. Attackers embed a malicious URL inside a QR code image, drop it into an email, and let the recipient’s phone do the rest. The email contains no clickable link. No suspicious attachment. Just a square of black and white pixels that your security tools treat as a harmless image file.

The attack is not new, but it scaled fast. Abnormal Security’s 2024 threat report found that QR code phishing attacks increased by over 400% in the second half of 2023 compared to the same period in 2022. HP Wolf Security documented corporate quishing campaigns impersonating Microsoft 365, DocuSign, and internal HR portals throughout 2024.

What makes quishing different from garden-variety email phishing is the device switch. The victim reads the email on their laptop but scans the code with their phone. That phone usually sits outside the corporate security perimeter. No web proxy, no DNS filtering, no endpoint detection. The attacker just moved the entire attack to an unmanaged device.

Quishing is a phishing technique where attackers encode a malicious URL inside a QR code and deliver it through email, print, or physical placement. The term combines “QR” and “phishing.” When someone scans the code, their device opens a URL that typically leads to a credential-harvesting page, a malware download, or an OAuth authorization prompt designed to steal account access.

The reason quishing works so well against organizations is structural. Email security platforms operate on URLs and file signatures. A QR code is neither. It is a PNG or SVG image embedded in the email body, and most email gateways do not decode images to extract embedded URLs. Even platforms that have added QR code scanning struggle with false positive rates, because legitimate QR codes appear in marketing emails, event invitations, and internal communications every day.

The attack follows a predictable pattern, but each stage exploits a different gap in corporate defenses.

The attacker sends an email that looks like it came from a trusted source. Common pretexts include Microsoft 365 MFA setup notices, SharePoint document sharing notifications, HR policy acknowledgments, and package delivery confirmations. The email body contains a QR code and text urging the recipient to scan it. Sometimes the email explicitly says the link “only works on mobile devices” to justify the QR format.

Unlike traditional phishing, the email has no embedded URL for security tools to inspect. The QR code is rendered as an inline image. Some attackers go further and use ASCII art or HTML table-based QR codes that do not even register as image files during scanning.

The recipient scans the QR code with their phone camera. Modern smartphones open URLs automatically after scanning, which means the victim may land on the phishing page before they have a chance to inspect the destination. Even careful users who check the URL preview on their phone screen face a challenge: attackers use URL shorteners, redirect chains, and legitimate-looking domains to make the destination appear safe for the half-second it is visible.

The phone opens a page that mimics a Microsoft 365 login, a Google Workspace prompt, or a corporate SSO portal. The page looks real. It asks for credentials. If the target enters them, the attacker captures the username and password in real time. Many quishing kits also proxy the login to the real service and intercept the MFA code, defeating two-factor authentication entirely.

This real-time proxying is the same technique used in adversary-in-the-middle (AiTM) phishing frameworks. The difference is delivery: instead of sending a clickable link, the attacker sends a QR code.

Email security tools were built to inspect two things: URLs and files. QR codes are neither.

A Secure Email Gateway (SEG) parses the email body for hyperlinks, extracts them, and checks each one against threat intelligence databases, URL reputation services, and real-time sandboxes. None of that works when the URL is encoded as a matrix of pixels inside an image.

Some enterprise email platforms (Microsoft Defender for Office 365, Proofpoint, Abnormal Security) have added QR code image decoding to their scanning pipelines since late 2023. But detection rates remain inconsistent, and attackers are already adapting: routing QR code destinations through multiple URL shorteners, embedding QR codes inside PDF attachments instead of inline images, or splitting the QR code across multiple image fragments that reassemble visually but confuse automated scanners.
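The table-built and ASCII-art QR codes mentioned earlier defeat image decoding by never being an image, but they can still be caught from the HTML body itself: a QR symbol is always a square of 21 to 177 modules (step 4) with the same 7x7 finder pattern in three corners, so a grid of cells with that geometry is a strong signal regardless of how it is drawn. The detector below is an added example, not the article's or any vendor's code; the colour conventions it looks for and the sample grid it builds are constructed assumptions.

```python
# Added example (not the article's code): heuristic detector for QR codes rendered
# as HTML <table> cells or block-character ASCII art, so the mail body contains no
# image file for a gateway to decode. QR sizes (21..177 modules, step 4) and the
# 7x7 finder pattern come from the QR standard; the colour conventions are assumed.
from html.parser import HTMLParser
import re

FINDER = ["1111111", "1000001", "1011101", "1011101",  # the finder pattern every
          "1011101", "1000001", "1111111"]             # QR symbol has in 3 corners
DARK_RE = re.compile(r"#000000\b|#000\b|\bblack\b", re.I)

class _TableGrid(HTMLParser):
    """Collects <td>/<th> cells of a table as rows of 1 (dark) / 0 (light)."""
    def __init__(self):
        super().__init__(); self.rows, self._row = [], None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._row.append(1 if DARK_RE.search(a.get("style", "") + " " + a.get("bgcolor", "")) else 0)
    def handle_endtag(self, tag):
        if tag == "tr" and self._row is not None:
            self.rows.append(self._row); self._row = None

def grid_from_html(html):
    p = _TableGrid(); p.feed(html); return p.rows

def grid_from_ascii(text, dark="█▓■#"):
    """Full-block art: one character per module, one text line per row (empty lines skipped)."""
    return [[1 if ch in dark else 0 for ch in ln] for ln in text.splitlines() if ln]

def looks_like_qr(grid):
    """True when the grid is square, a legal QR size, and the finder pattern sits in
    the top-left, top-right and bottom-left corners (no image decoding involved)."""
    n = len(grid)
    if n < 21 or n > 177 or (n - 21) % 4 or any(len(r) != n for r in grid):
        return False
    return all(grid[r + i][c + j] == int(FINDER[i][j]) for r, c in ((0, 0), (0, n - 7), (n - 7, 0))
               for i in range(7) for j in range(7))

def sample_grid(n=21):
    """Constructed 21x21 stand-in: real finder patterns, arbitrary data modules elsewhere."""
    g = [[int((i * 7 + j * 3) % 5 < 2) for j in range(n)] for i in range(n)]
    for r, c in ((0, 0), (0, n - 7), (n - 7, 0)):
        for i in range(7):
            g[r + i][c:c + 7] = [int(b) for b in FINDER[i]]
    return g

def render_html(grid):  # constructed phishing-style body: a table of tiny coloured cells
    return "<table>" + "".join("<tr>" + "".join('<td style="width:4px;background-color:%s"></td>'
        % ("#000000" if v else "#ffffff") for v in row) + "</tr>" for row in grid) + "</table>"
```

Run on a real message, `grid_from_html` should be applied to each `<table>` in the HTML part and `grid_from_ascii` to the plain-text part; a hit is a reason to quarantine for review, not proof of malice, since the check only recognises QR geometry, not the encoded URL.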

The fundamental problem is not a single vendor’s limitation. It is that QR codes shift the interaction from a managed desktop browser to an unmanaged mobile device. Even if the email gateway decodes the QR code and flags the URL, the employee may still photograph the QR code from a printed copy or a shared screen, bypassing email security entirely.

Email is the most common delivery channel, but it is not the only one.

Printed materials. Attackers place malicious QR codes over legitimate ones on parking meters, restaurant menus, conference badges, and public signage. The FBI issued a public warning about this in January 2022, after reports of tampered QR codes on parking meters in multiple U.S. cities redirecting users to fraudulent payment portals.

Internal documents. Attackers who gain initial access to a corporate network sometimes embed malicious QR codes in internal wiki pages, shared documents, or Slack messages. These carry higher trust because they come from “inside.”

Physical mail. Attackers send fake invoices, compliance notices, or benefits enrollment letters containing QR codes to employees’ home addresses. This bypasses corporate email security completely and catches people in a low-suspicion context. The Swiss National Cyber Security Centre (NCSC) warned about a wave of these in November 2023, with fake postal notices containing QR codes that downloaded Android malware.

Social engineering combos. Quishing pairs well with callback phishing. The email contains a phone number and a QR code. “Call us or scan the code for faster service.” Two attack channels in one email, and neither contains a traditional phishing link.

Most of the detection rules that work for link-based phishing do not apply to quishing, because there is no link to hover over. You need a different mental checklist.

Question why a QR code is necessary. If the email is from IT, HR, or a vendor, ask yourself: why would they send a QR code instead of a regular link? Internal systems have URLs. Legitimate services have login pages you can navigate to directly. A QR code is almost always unnecessary in a corporate email context.

Check the sender carefully. Quishing emails impersonate the same brands that traditional phishing does: Microsoft, Google, DocuSign, your company’s own domain. Look at the actual sender address, not the display name. If the “Microsoft Security Team” is emailing from a random domain, that is your answer.

Preview before you visit. When you scan a QR code on most phones, the URL appears briefly before the browser opens. Read it. If the domain does not match the organization the email claims to be from, do not tap through. If it uses a URL shortener like bit.ly or tinyurl, treat it as suspicious.

Verify through a separate channel. If the email says you need to re-authenticate or confirm your identity, go to the service directly by typing the URL yourself. Do not scan the code. This is the same advice that applies to smishing and every other phishing variant: never use the contact method provided in the suspicious message itself.

The two attacks aim for the same outcome but take different paths to get there.

| | Traditional phishing | Quishing |
|---|---|---|
| Delivery | Email with clickable URL | Email with QR code image |
| URL visibility | Hoverable link, inspectable | Encoded in image pixels |
| Email filter evasion | Moderate (URL is scannable) | High (URL is hidden in image) |
| Target device | Desktop/laptop browser | Mobile phone browser |
| Security perimeter | Corporate network, managed browser | Personal device, unmanaged |
| MFA interception | Requires AiTM proxy | Same AiTM proxy, mobile delivery |
| User detection | Hover over link, check URL | Must preview QR destination |

The device switch is the big one. When the attack moves to a personal phone, the organization loses visibility. No web proxy logs, no DNS query records, no endpoint telemetry. The credential theft happens on a device your security team does not control.

Traditional phishing detection training teaches employees to hover over links. That skill is useless against a QR code. Your training program needs to address both attack types separately, because the detection heuristics are different.

How quishing connects to larger attack chains

Quishing is rarely the entire attack. It is the initial access step in a longer chain.

The most common follow-on is business email compromise. The attacker captures an employee’s Microsoft 365 credentials through a quishing page, logs in from a proxy that matches the victim’s geographic location to avoid impossible-travel alerts, and begins sending emails from the compromised account. Those emails carry the trust of a real internal sender, which makes subsequent social engineering much more effective.

Quishing also feeds into account takeover campaigns. Once the attacker has valid credentials and can intercept MFA tokens, they can access SharePoint, OneDrive, Teams, and any other integrated service. From there, the playbook matches what you see in credential stuffing scenarios: data exfiltration, lateral movement, and in some cases, ransomware deployment.

Standard phishing awareness training does not prepare employees for QR code attacks. The skill of hovering over a link to check the URL is the single most taught phishing detection technique, and it is completely irrelevant when the URL is encoded in an image.

Quishing training needs to build a separate set of reflexes.

Teach the “why would this be a QR code?” question. The most effective single habit is teaching employees to question the format itself. Legitimate internal communications almost never require a QR code. If an email from IT asks you to scan a QR code to update your credentials, the format is the red flag.

Practice QR code URL previewing. Most employees do not know their phone shows a URL preview before opening it. Walk them through the behavior on both iOS and Android. Make them practice scanning safe QR codes and reading the destination before tapping.

Address the device switch. Employees need to understand that scanning a QR code from a work email on a personal phone moves the attack outside corporate security controls. The phone has no web proxy, no managed browser, no endpoint protection from the company. That context matters.

Include quishing in simulation exercises. Send QR code phishing emails as part of your regular simulation program. Employees need to encounter these in a controlled environment before they face a real one. Our QR code phishing exercise simulates a realistic corporate quishing attempt so employees can practice identification and response.

Reinforce across channels. Because quishing also appears in printed materials and physical locations, training should extend beyond email. Teach employees to be skeptical of QR codes on posters, conference handouts, and even codes taped to equipment. If they did not personally generate or expect the QR code, they should verify it before scanning.

See what a corporate quishing attack looks like before you face a real one. Try our free QR code phishing exercise and practice spotting malicious QR codes in realistic email scenarios. For broader coverage, explore our security awareness training catalogue for exercises on phishing, smishing, email security, and social engineering.