© 2026 DFIR Lab. All rights reserved.

QR Phishing (Quishing)

A phishing technique that embeds malicious URLs inside QR codes to bypass text-based email security filters.

Definition

QR phishing (quishing) is a social engineering attack where threat actors embed malicious URLs inside QR codes delivered via email, SMS, or physical media. Because the payload is an image rather than a hyperlink, traditional email security gateways that scan for malicious links often fail to detect it. Victims are directed to credential-harvesting pages or malware distribution sites after scanning the code with a mobile device.

Why It Matters

Mobile devices used to scan QR codes typically have weaker security controls and less endpoint visibility than corporate workstations, making post-click detection harder. Quishing campaigns have been used to steal Microsoft 365 and other SSO credentials at scale, including targeted attacks against executives. Because the attack surface shifts to the user's personal phone, traditional EDR and network monitoring tools may never see the malicious traffic.

How It Works

An attacker crafts an email that appears to come from a trusted sender — commonly impersonating IT departments, DocuSign, or multi-factor authentication prompts — and embeds a QR code as an inline image or inside a PDF attachment. The QR code encodes a URL pointing to an attacker-controlled site, often protected by a redirect chain or CAPTCHA to evade automated scanners. When the victim scans the code with their phone, the browser is sent through one or more redirects before landing on a convincing login page that harvests credentials in real time.
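Defender-side triage for the delivery described above, as an added example that is not DFIR Lab's code: it walks a message's MIME tree, lists the inline images and PDF attachments a QR decoder would need to inspect, and flags messages that give a link scanner no URL to check. The sample message, the function name `qr_triage` and the `decode_qr` hook are assumptions made for illustration; the Python standard library has no QR decoder, so a real one would be plugged in through that hook.

```python
import re
from email import message_from_string, policy

# Constructed sample message; the PNG/PDF payloads are only file signatures.
SAMPLE = """\
From: IT Support <it@example.com>
Subject: Action required: re-enroll MFA
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Scan the code with your phone to keep access.</p><img src="cid:qr1">
--b1
Content-Type: image/png
Content-ID: <qr1>
Content-Disposition: inline; filename="code.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="notice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQ=
--b1--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def qr_triage(raw, decode_qr=None):
    """decode_qr: hypothetical hook, callable(content_type, data) -> list of URLs."""
    msg = message_from_string(raw, policy=policy.default)
    text_links, parts = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text_links += URL_RE.findall(part.get_content())
        elif ctype.startswith("image/") or ctype == "application/pdf":
            data = part.get_payload(decode=True) or b""
            urls = decode_qr(ctype, data) if decode_qr else []
            parts.append({"type": ctype, "name": part.get_filename(),
                          "size": len(data), "qr_urls": urls})
    # Triage signal, not a verdict: no link in the text, but image/PDF content present.
    return {"text_links": text_links, "parts": parts,
            "image_only": not text_links and bool(parts)}
```

Any URLs returned by the decoder belong in the same reputation and redirect checks applied to ordinary links in the body.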

DFIR Platform

Phishing Email Checker

The DFIR Lab Phishing Email Checker includes a dedicated QR code analysis module as part of its 26+ analysis pipeline. It extracts QR codes from both inline images and PDF attachments, decodes the embedded URLs, and feeds them into the full URL analysis pipeline — following redirect chains, checking domain reputation, and classifying landing pages for phishing indicators.

Related Concepts

Phishing Analysis
Business Email Compromise (BEC)
SPF (Sender Policy Framework)
DKIM (DomainKeys Identified Mail)
