Picture this. Your accounts payable coordinator gets an email from what looks like your payroll software provider. The message is clean — no grammar errors, no suspicious sender domain, nothing that a trained eye would flag. It tells her there's an update required before the end-of-month payroll runs. Click or scan the code below to verify your account. She's on her phone because she just stepped away from her desk. She opens the camera. The code resolves. She's looking at what appears to be your payroll platform's login page.
She's already been phished. And nothing in your security stack saw it happen.
That scenario plays out thousands of times a day in 2026. QR code phishing — quishing, in the industry shorthand — has moved from a fringe curiosity to one of the fastest-growing attack vectors in enterprise security in under three years. The numbers are stark. Microsoft detected a 146% surge in quishing attacks in Q1 2026. The volume of malicious QR codes embedded in emails jumped from roughly 47,000 per month in August 2025 to over 249,000 by November. In January 2026, the FBI issued a flash alert that North Korean-affiliated threat actors were targeting U.S. government entities, think tanks, and academic institutions specifically using QR codes in spear-phishing emails. Over 4.2 million unique malicious QR codes were identified in the first half of 2025 alone.
None of this is coincidence. Attackers adopted QR codes for a precise reason — not because the technique is clever, but because it is architecturally effective. Your email gateway was built to parse text, extract URLs, and check them against blocklists. A URL encoded inside the pixel matrix of a QR code image isn't text. It doesn't get extracted. It doesn't get checked. It sails straight through.
This piece walks through exactly how quishing works, why the detection gap is structural rather than a configuration problem, what real 2026 campaigns looked like on the ground, and what it takes to build a layered email security posture that can reason about threats that never show their URL to the gateway.
Quishing is structurally identical to traditional credential-phishing in every dimension except one: the delivery mechanism. The goal is the same — steal credentials, capture a session token, harvest MFA codes, redirect a payment. The lure is the same — urgency, authority, a trusted brand name, a familiar service. The landing page is the same — a cloned Microsoft 365 login, a spoofed payroll portal, a fake DocuSign verification screen.
The difference is that instead of putting a malicious hyperlink in the email body where a gateway can find it, the attacker encodes that URL inside a QR code and embeds the QR code as an image in the email. That single change breaks the entire text-parsing detection model that most email security tools are built on.
A QR code is just a matrix of black and white squares encoding data — in this case, a URL. Human eyes cannot read it. Email gateways built on text analysis cannot read it without specialized optical character recognition, which most don't have. And even the few that have added basic QR decoding can be defeated by techniques that have become standard: split QR codes distributed across multiple image files, QR codes embedded on later pages of PDF attachments where shallow scanning stops, Unicode-based QR constructions that appear as formatted text to parsers, and dynamic QR codes that point to a clean destination at scan time and redirect to the malicious payload afterward.
The URL your gateway needs to see is right there — encoded in the image it just passed through. It never had a chance to flag it.
There's a second structural advantage quishing has over link-based phishing, and it's the one that makes the detection gap genuinely hard to close. When a corporate user scans a QR code from their phone, the click happens on a personal mobile device. Not the managed corporate endpoint with endpoint detection, web proxy, DNS filtering, and DLP controls. A personal phone, connected to cellular data or a home Wi-Fi network, with a consumer browser and none of the corporate security stack anywhere in the chain.
That shift from managed endpoint to personal mobile is deliberate. Attackers design quishing campaigns specifically for phone scans because they know the corporate perimeter has no visibility there. An IT team can see every link clicked on a managed laptop. They can see nothing about what happens on the personal phone an employee uses to scan a QR code from their work inbox.
73% of people scan QR codes without checking the destination URL first — NordVPN/CNBC, 2025
The trust problem compounds this. QR codes carry a residual legitimacy built up through years of legitimate use — restaurant menus, payment terminals, conference badges, COVID-19 check-ins. Most users have a deeply conditioned reflex to scan and follow. The Anti-Phishing Working Group documented a 400% increase in image-based phishing attacks heading into 2025 specifically because attackers recognized this trust and moved to exploit it at scale.
The tactics have matured considerably from the early quishing campaigns, which were often clumsy — a standalone QR code image in an otherwise sparse email, sent from a suspicious domain. Current campaigns are constructed with the same investment in social engineering that sophisticated spear-phishing campaigns have always required.
In January 2026, the FBI's flash alert documented how North Korean-affiliated Kimsuky actors had incorporated QR codes into targeted spear-phishing emails aimed at U.S. government entities, academic institutions, and think tanks. The lures were research-related — documents, publications, invitations to comment on policy papers — calibrated to the specific interests and professional context of each target. The QR codes resolved to credential-harvesting pages designed to capture both login credentials and session tokens via adversary-in-the-middle proxying.
The Kimsuky campaign matters beyond its geopolitical context for two reasons. First, it establishes that quishing has moved fully into the toolkit of nation-state-level threat actors — it isn't just a commodity technique run by low-sophistication affiliates. Second, it confirms the convergence between quishing and AiTM session-token theft that makes these attacks dramatically more damaging than simple credential phishing. When a quishing campaign is also running an AiTM relay on its landing page, the attacker captures a live session after MFA completes — not just a static password that MFA would still protect against.
In March 2026, researchers at 7AI documented a three-wave quishing operation that ran between February 26 and March 18. The attacker delivered 28 spear-phishing emails directly to enterprise inboxes across three coordinated waves. Not one of those emails was blocked by the recipients' security tooling. Each passed SPF, DKIM, and DMARC authentication. Each carried a phishing URL encoded inside a BMP image attachment — a format specifically chosen because it is structurally invisible to every text-based email control. No macros, no scripts, no visible URLs anywhere in the message. Nothing to scan. Nothing to flag.
The same researchers noted that the payload delivery format itself keeps evolving. What started as QR codes embedded in simple image attachments has expanded to QR codes split across multiple image objects inside a single PDF, QR codes placed on later pages of multi-page documents where shallow scanning stops, CAPTCHA-gated landing pages that force user interaction before the malicious payload renders, and dynamic QR codes that resolve to a clean URL at delivery time and only redirect to the phishing page after a defined interval.
One large U.S. energy company found 29% of over 1,000 emails it received contained malicious QR codes in a single campaign window. The lure was a Microsoft 365 account verification notice — a PNG image or PDF attachment carrying a QR code, framed around urgency about account expiration or security verification. Scanning led to a fake Microsoft 365 login page engineered to harvest both credentials and session tokens. Palo Alto Networks Unit 42 telemetry averaged more than 11,000 malicious QR code detections per day during peak campaign periods in early 2026, with a notable concentration in enterprise email environments using Microsoft 365.
In March 2026 specifically, Microsoft observed a 336% single-month surge in QR codes being delivered directly in email bodies rather than inside PDF attachments — a tactical shift by attackers who realized some organizations had started scanning PDFs more aggressively, and simply moved the payload to where scanning was lighter.
It's worth being honest about why this problem is hard, rather than framing it as something that a simple configuration change fixes. The gap isn't a missing feature. It's an architectural mismatch between how email security was designed and how this specific threat works.
Secure email gateways were built to inspect text. They parse message headers, extract URLs from the email body and HTML, check those URLs against reputation databases, and flag patterns that match known phishing templates. This architecture works well for the threat it was designed to catch. A malicious URL in plain text or an HTML href attribute gets extracted and checked. A malicious URL encoded in the pixel matrix of an image file is, from the gateway's perspective, not a URL at all. It's an image. It passes through.
Cyble's Scanception research found that roughly 80% of analyzed QR-bearing phishing PDFs had zero VirusTotal detections at first sight. That number reflects the fundamental mismatch: VirusTotal and most gateway scanning engines are looking for signatures in executable content, not for URLs hidden in image matrices.
Some organizations have added QR decoding to their gateway infrastructure — optical character recognition that reads the QR code, extracts the URL, and checks it against a reputation database at the time the email is scanned. This is a meaningful improvement. It's also defeated by dynamic QR codes, where the destination URL is set by the code's management platform and can be changed after the email is delivered.
An attacker using a dynamic QR code points it at a clean, benign URL when the email is first scanned — defeating time-of-delivery checking. After a defined interval, they update the destination to the malicious landing page. The employee who scans the code hours later reaches the phishing page. The gateway's record shows a clean URL at scan time.
Even a gateway that successfully decodes a QR code and identifies its URL as malicious can only block the email from reaching the managed corporate inbox. If the employee scans the QR code from a printed document, a screen share, or a second device, that click happens entirely outside the corporate security stack. Quishing campaigns increasingly account for this by designing lures that encourage physical scanning — a printed HR notice posted in a break room, a QR code sticker placed over a legitimate poster, a code sent via a personal text message to a work contact.
The targeting data on quishing is worth sitting with, because it tells a specific story about who attackers consider most valuable and why.
C-suite executives receive 42 times more QR code phishing attempts than the average employee, according to enterprise telemetry from Abnormal Security. That ratio reflects the same logic as whaling — the potential payout from a successfully compromised executive account is exponentially higher than a frontline employee's. A CFO's credentials unlock financial systems, M&A data, and the authority to initiate large transfers. A marketing coordinator's credentials unlock the marketing platform.
The lure categories follow a consistent pattern. In enterprise telemetry, 90% of QR code attacks are credential phishing. 27% specifically impersonate MFA activation notices — a particularly effective lure because it places the QR code in a context where scanning feels like a required security action rather than a suspicious request. 21% impersonate shared-document notifications — the same living-off-trusted-sites logic that made SharePoint-based AiTM lures so effective in the January 2026 energy sector campaign.
The quishing targeting data skews toward organizations that run on Microsoft 365 or Google Workspace with software-based MFA — push notifications, TOTP codes, SMS. That description covers the overwhelming majority of mid-market companies. Most also lack the image-aware email filtering and conditional access controls that limit what a stolen session can do. As we covered in why mid-market organizations are caught in the security gap, the combination of real financial transaction volume, lean security staffing, and standard-issue Microsoft 365 configuration is exactly what makes mid-market companies worth targeting at scale. QR phishing kits are cheap. The campaigns run against thousands of organizations simultaneously. The organizations best protected are the ones with resources to invest in layered, image-aware detection — which is not most mid-market companies.
12% of all phishing attacks now contain a QR code — up from negligible levels three years ago — Keepnet Labs, 2026
One of the more instructive things about quishing's evolution is how quickly the delivery format rotates when defenders add a new layer of detection. The sequence has been remarkably consistent.
Early quishing campaigns embedded QR codes as simple image files in the email body. When gateways started adding basic image attachment scanning, attackers moved QR codes into PDF attachments where scanner coverage was lighter. When organizations began scanning PDFs more aggressively, attackers moved QR codes to later pages of multi-page documents, past the point where shallow scanning typically stops. When some organizations added full-document QR decoding, attackers moved to split QR codes — fragmenting the pixel matrix across multiple image objects so that no single image decodes to a complete, scannable URL. And in March 2026, when PDF attachment scanning reached a broader baseline, attackers simply moved QR codes back into the email body, in a vector they'd temporarily abandoned.
The underlying dynamic is straightforward. Every detection layer that exists creates an economic incentive to find the delivery format that bypasses it, because the technique itself — hiding a URL inside an image — remains fundamentally sound as long as the gap between image rendering and URL extraction exists. The format is tactical. The structural gap is strategic.
One evasion technique that deserves specific attention is the CAPTCHA-gated landing page, which Microsoft's Defender Research team noted in its Q1 2026 threat reporting. The attacker places a CAPTCHA challenge between the QR code scan and the actual phishing page. The CAPTCHA serves two functions: it filters out automated analysis bots and security sandbox tools that don't solve CAPTCHAs, and it adds a veneer of legitimacy to the landing page — users are conditioned to associate CAPTCHA challenges with real, security-conscious services rather than with phishing pages.
Solving the CAPTCHA is easy for a human but creates a meaningful friction point for automated URL analysis. Some attackers use the CAPTCHA interaction itself as the payload delivery mechanism — displaying a command that the user is instructed to copy and execute, rather than redirecting to a credential-harvesting page.
Given the structural nature of the gap, closing it requires more than adding one layer. It requires rethinking what detection is actually inspecting and where in the chain it operates.
The foundational requirement is gateway-level QR code decoding — optical character recognition applied to every image in every email and attachment, extracting the encoded URL and submitting it to the same reputation and behavioral analysis that text URLs receive. This closes the basic gap for static QR codes. It's table stakes, not a complete solution, for the reasons described above — dynamic codes, split codes, and CAPTCHA gating all remain partially effective against it.
Because dynamic QR codes can point to a clean URL at delivery time and a malicious one after, time-of-delivery URL checking needs to be paired with continuous URL monitoring that re-evaluates extracted destinations over time. This is the same principle as time-of-click URL rewriting used for link-based phishing — checking the destination at the moment of interaction, not just at delivery. Applying it to decoded QR destinations requires infrastructure that most organizations have not yet deployed.
The most durable layer of quishing defense doesn't try to decode and check the QR URL. It evaluates whether the email containing the QR code makes sense — whether the sender relationship is real, whether the lure fits established communication patterns, whether the urgency framing is consistent with how this organization actually communicates. A payroll verification request with a QR code, arriving from a domain the organization has never corresponded with, sent to an accounts payable coordinator who has never received this type of request from this sender, is detectable before anyone needs to know what the QR code resolves to. This is precisely the reasoning TRACE applies — not pattern matching against the image content, but intent-based evaluation of whether the communication itself adds up. How TRACE powers real-time email threat prevention covers the full architecture, but the core logic is the same one that makes it effective against quishing: the intent behind a communication can be evaluated without reading the payload, if you understand the organizational context well enough.
No purely technical control closes the personal-device gap entirely. The detection layer can evaluate the email before it reaches the inbox. It cannot control what happens when an employee scans a QR code on their phone after receiving a printed document in the break room.
Organizations that are serious about quishing defense need a standing policy that is simple enough to actually follow: never scan a QR code from an email, a PDF attachment, or an unsolicited printed document and enter credentials as a result. Legitimate enterprise authentication flows — payroll updates, benefits enrollment, MFA resets, document verification — do not require scanning a QR code from an email on a personal phone. Full stop. That rule, stated plainly and reinforced consistently, closes a significant portion of the operational risk independent of any technical control.
One of the more counterintuitive things about quishing's trajectory is that it has continued to grow even as the security industry has talked about it more. Coverage has increased substantially since 2023. Vendor warnings are common. Security awareness programs at many organizations include QR code phishing training. And the attack volume went up fivefold anyway in 2025.
The reason is that awareness doesn't close a structural architectural gap. Telling employees to be careful about QR codes doesn't make their email gateway able to read QR images. Training users to pause before scanning doesn't add image-aware analysis to the scanning infrastructure that checked the email before it landed in their inbox. The gap is upstream of the human. Until the detection layer that processes the email can actually evaluate what a QR code resolves to — and reason about whether the email containing it makes sense — awareness training is playing a supporting role in a game where the architecture determines the outcome.
This is the same pattern that explains why the complete guide to BEC attacks consistently shows social engineering techniques outpacing human-layer defenses: the attacks are designed by people who understand exactly how trained users behave, and they design lures that navigate those trained behaviors rather than triggering them. A QR code arriving in an email that looks exactly like a legitimate payroll verification notice, sent from a clean domain with passing authentication, does not feel like a phishing attempt to most trained employees — because it was designed not to.
Quishing doesn't sit in isolation in the current threat landscape. It's increasingly a delivery mechanism for techniques that sit downstream in an attack chain, rather than a standalone attack.
The most consequential downstream pattern is the quishing-to-AiTM chain. A QR code lure that routes the victim through an adversary-in-the-middle phishing proxy captures a live session token after MFA completes — not just a static password. The Kimsuky campaign documented by the FBI's January 2026 flash alert explicitly used this pattern. The victim scans the QR code on their phone. They're walked through what looks like a normal login. MFA fires and they approve it. The AiTM proxy captures the session. The attacker has authenticated access to the account. From there, the attack chain can extend to vendor email compromise, payroll diversion, or the multi-stage account hijacking pattern documented in our analysis of downstream attack chains.
The other downstream pattern is quishing as a whaling delivery mechanism. Standard spear-phishing against executives has grown harder to execute convincingly at scale, because executives have received enough targeted phishing awareness training to be appropriately skeptical of emails asking them to click a link. A QR code sidesteps that specific trained skepticism — it doesn't ask them to click a link, it asks them to scan an image on their phone, which feels like a different and somehow less suspicious action. Sixty-eight percent of quishing attacks specifically target mobile users, and C-suite executives are 42 times more likely to receive a QR code attack than the average employee. That combination is not accidental.
There's something almost elegant about what quishing does, from a purely technical standpoint. The malicious URL isn't hidden in the dark web or obfuscated in encrypted traffic. It's in the email. Sitting there in plain sight, encoded in a matrix of black and white squares that your gateway scanned, passed, and moved on from, because nobody taught the gateway to look inside images.
That's not a criticism of the gateways that exist. They were built for the threat as it existed when they were designed. The threat evolved. A URL encoded in a QR code is fundamentally the same attack as a URL in an email body — it goes to the same place, does the same damage, harvests the same credentials. It just travels in a format the detection layer wasn't built to inspect.
Closing that gap requires layered thinking: image-aware analysis at the gateway for the URLs that can be decoded, behavioral reasoning about whether the email itself makes sense for the URLs that can't be caught at delivery time, a standing human policy about not entering credentials after a phone scan, and conditional access controls that limit what a stolen credential or session can actually do if it gets through anyway.
None of those layers works in isolation. Together, they build the kind of depth that makes a quishing campaign expensive enough to run that most attackers move to easier targets. That's the actual goal — not perfection, which doesn't exist, but making the attack costly enough that the math stops working for the attacker. The StrongestLayer email attack taxonomy tracks quishing at trajectory 1.5 and rising — which means the math is currently working very well for the attacker. The organizations changing that equation are the ones that stopped waiting for their text-parsing gateway to suddenly learn how to read images.
Quishing is a portmanteau of QR code and phishing. It describes any phishing attack where the malicious link is hidden inside a QR code image rather than placed as a plain-text URL in the email body. The end goal is identical to traditional phishing — steal credentials, capture a session token, redirect a payment — but the delivery format bypasses the text-parsing architecture that most email security gateways rely on to detect and block malicious links.
Most secure email gateways were built to inspect text. They parse message headers, extract URLs from the email body, and check those URLs against reputation databases. A malicious URL encoded inside the pixel matrix of a QR code image is not text — it's an image file. The gateway sees an image, passes it through, and never extracts the URL hidden inside. Cyble's Scanception research found that roughly 80% of QR-bearing phishing PDFs had zero VirusTotal detections at first scan. That number reflects the structural mismatch, not a configuration problem.
Bigger than most organizations realize. Microsoft detected a 146% surge in quishing attacks in Q1 2026, with a 336% spike in March alone as attackers moved QR codes from PDF attachments directly into email bodies. Over 4.2 million unique malicious QR codes were identified in the first half of 2025. QR codes now appear in roughly 12% of all phishing attacks tracked in early 2026 — up from negligible levels three years ago. Palo Alto Networks Unit 42 averaged more than 11,000 malicious QR detections per day during peak campaign periods.
It's actually simpler for the attacker, not more complicated. The QR code itself is trivial to generate. The advantage it delivers is structural — the malicious URL disappears into an image format that most email security tools weren't built to decode. One line of code generates a QR code from any URL. The payoff is bypassing a detection layer that would have flagged the same URL in plain text. For attackers running quishing-as-a-service kits, the added complexity is near-zero. The defensive gap it exploits is significant.
A dynamic QR code uses a redirect — the code resolves to a management URL that the attacker controls, and the final destination can be changed after the code is printed or sent. In a quishing attack, this means the attacker can point the QR code at a completely clean, benign website at the time the email is scanned by security tools. After delivery, they update the destination to the real phishing page. Any time-of-delivery URL checking passes a clean result. Any employee who scans hours later reaches the malicious page. This defeats even gateways that have added QR decoding, because the URL they decoded was legitimately clean when they checked it.
That's the structural advantage of quishing over link-based phishing, and it's deliberate. A corporate laptop click happens on a managed endpoint — one with endpoint detection, web proxy filtering, DNS controls, and DLP policies. A phone scan happens on a personal mobile device connected to cellular data, with none of those controls anywhere in the chain. The IT team can see every link clicked on a managed corporate laptop. They have zero visibility into what happens on a personal phone after an employee scans a QR code from their work inbox.
In January 2026, the FBI issued a flash alert documenting that North Korean-affiliated Kimsuky threat actors had incorporated QR codes into targeted spear-phishing emails aimed at U.S. government entities, academic institutions, and think tanks. The lures were research-related — tailored to the specific professional interests of each target. QR codes in those emails resolved to credential-harvesting pages running adversary-in-the-middle relays that captured both login credentials and live session tokens after MFA completed. The campaign is significant because it establishes that quishing is now a nation-state-level technique, not just a commodity attack run by low-sophistication affiliates.
Software-based MFA — push notifications, TOTP codes, SMS — does not protect against the most sophisticated quishing campaigns. When a quishing lure routes the victim through an adversary-in-the-middle proxy, the attacker captures the live session token after MFA has already been completed — meaning MFA succeeded, but the proof of that success was stolen. Phishing-resistant MFA — FIDO2 security keys or passkeys — does protect against this, because the cryptographic handshake is bound to the legitimate domain and cannot be completed by a proxy serving a different URL. For most quishing campaigns that don't use AiTM relays, standard MFA still provides meaningful protection against the stolen-credential outcome.
Enterprise telemetry shows a consistent pattern. 90% of QR code attacks are credential phishing. The most common lure categories are MFA activation or reset notices (27% of campaigns) — effective because they frame the QR scan as a required security action. Shared document notifications come second (21%) — exploiting the same living-off-trusted-sites logic that makes SharePoint and OneDrive lures so effective. Payroll updates, benefits enrollment, HR compliance notices, and IT security verification complete the list. The common thread is that every lure frames the QR scan as something the employee is expected to do as part of a normal work process.
C-suite executives receive 42 times more QR code phishing attempts than the average employee, according to enterprise telemetry. That ratio reflects the value of what a compromised executive account unlocks — financial systems, board communications, M&A data, the authority to initiate large transfers. Finance staff, accounts payable, and HR teams follow closely, because they handle high-value transactions and are accustomed to receiving external document requests that could plausibly arrive with a QR code. Mid-market companies are disproportionately represented in victim data because most run on Microsoft 365 with software-based MFA and lack image-aware email filtering.
TRACE doesn't rely on reading the QR URL. It evaluates whether the email itself makes sense — whether the sender relationship is real, whether the lure fits the established communication pattern between this sender and this recipient, whether the urgency framing is consistent with how this organization actually communicates. A payroll verification request with a QR code, arriving from a domain the organization has never corresponded with, sent to an accounts payable coordinator who has never received this type of request from this sender, is detectable before anyone needs to know what the QR code resolves to. How TRACE powers real-time email threat prevention covers the full intent-based reasoning architecture — but the core logic is simple: if the communication doesn't make sense for these two people in this context, it gets flagged regardless of what format the payload is hiding in.
A standing policy, stated plainly and enforced consistently: never scan a QR code from an email, a PDF attachment, or an unsolicited printed document and enter credentials as a result. Legitimate enterprise authentication flows — payroll updates, benefits enrollment, MFA resets, document verification — do not require scanning a QR code from an email on a personal phone. Full stop. That rule closes a significant portion of operational risk independent of any technical control, because it removes the human action that every quishing campaign is designed to trigger. Pair it with image-aware gateway analysis for the technical layer, and phishing-resistant MFA for the accounts that matter most.
Be the first to get exclusive offers and the latest news
Deploy in minutes, not months. Zero tuning. See what your current tools are missing.