Between September 2025 and January 2026, StrongestLayer's threat research team analyzed approximately 200 malicious QR code instances—98 phishing emails containing 106 QR codes, traced through their redirect chains to terminal destinations—that successfully bypassed deployed enterprise email security gateways including Microsoft Defender for Office 365, Google Workspace native controls, Proofpoint, and Mimecast. These attacks represent the most sophisticated and evasive examples of the QR phishing threat: they defeated detection capabilities specifically designed to stop them.This report examines not whether QR code phishing exists—every security team knows it does—but why it succeeds despite unprecedented industry investment in countermeasures. The answer lies not indetection accuracy, vendor competence, or analyst vigilance. It lies in architecture.