defensiva
quishing
QR phishing
QR code

Quishing: What QR Code Phishing Is and How to Stop It

What quishing (QR code phishing) is: how the attack works, why email gateways miss it and how to defend with phishing-resistant MFA and training.

SecraJuly 6, 202611 min read

Quishing is phishing that uses a QR code as the lure instead of a visible link. The name blends QR and phishing, and it describes a simple but highly effective technique: the attacker swaps the classic URL for an image that the target scans with a phone, unable to read where it points before opening it. That jump from the inbox or a piece of paper to a personal handset is exactly what breaks almost every defence an organisation has built around email.

The essentials

  • Quishing is QR code phishing: the malicious link travels inside an image that the user scans with a mobile device.
  • The vector works because a QR code is an image, not a link, and many legacy email filters never decode its contents.
  • By scanning on a personal phone, the victim leaves the corporate perimeter (EDR, web proxy, DNS filtering) and browses from an uncontrolled device and network.
  • The most common lures in 2026 are parking meters and restaurants with overlaid stickers, PDF invoices carrying a QR, and fake consent or device code flows in Microsoft 365.
  • Robust defence combines phishing-resistant MFA (FIDO2/WebAuthn), email gateways that decode QR codes, mobile MDM, training and controlled quishing simulation.

What quishing is

Quishing (a contraction of QR and phishing) is a social engineering variant in which the attacker delivers the fraudulent URL encoded in a QR (Quick Response) code rather than in a hyperlink. The goal is the same as in any phishing attack: steal credentials, capture an authenticated session, drop malware on the device or force an action the victim would not take otherwise. What changes is the wrapper. A QR code is a matrix of dots that encodes text, almost always a web address, and a human cannot read it without a camera. That opacity is the attacker's advantage.

Quishing appears as the twelfth variant in our guide to the types of phishing, but it deserves its own treatment because it combines two weaknesses no other technique brings together at once: it evades email controls and it moves the victim onto a personal device that sits outside the security team's reach.

How a quishing attack works

The chain behind a quishing attack is short, which is why it pays off. The attacker generates a QR code that points to a capture page (often an Adversary-in-the-Middle proxy such as evilginx2, EvilProxy or Tycoon 2FA), embeds it in a credible carrier and waits for the victim to scan. Four vectors dominate in practice.

Physical QR over a legitimate carrier

The street classic. The attacker prints stickers with their QR and lays them over legitimate codes on parking meters, restaurant menus, EV charging posters or point-of-sale terminals. The user thinks they are paying for parking or opening a menu and lands on a fake payment page that captures card details and credentials. It is cheap, in person and leaves no trace in any corporate log.

QR embedded in email

The attacker sends a message with the QR embedded as an image (PNG or JPG) and an urgency pretext: "revalidate your mailbox", "sign this document", "your MFA expires today". Because the link travels inside a pixel, traditional engines that rewrite and score URLs have no text to analyse. The recipient also tends to scan with a personal phone, so the browsing that follows happens outside the company web proxy and DNS filtering.

PDF invoices and documents with a QR

A variant heavily used against finance teams. A supposed invoice, payslip or government notice arrives as a PDF with a QR to "verify the payment" or "download the receipt". The attachment clears the sandbox because the PDF itself executes nothing: the malicious payload is one scan away, on a domain that will resolve from the phone.

The most sophisticated vector of 2025-2026. The QR does not point to a suspicious domain but to a legitimate Microsoft URL: the OAuth consent page or the device code flow (microsoft.com/devicelogin). The user scans, enters the code the attacker shows them and authenticates against the real tenant. Microsoft issues the tokens and the attacker, who started the flow, keeps a valid session. The Storm-2372 campaign documented by Microsoft in 2025 exploited exactly this device code phishing. Because the destination is a genuine Microsoft domain, SPF, DKIM, DMARC and URL reputation all come back green.

Quishing versus phishing, smishing and vishing

All four variants share a social engineering root but are defended differently. This table sums up the operational differences.

VariantChannelLureWhat it exploitsKey defence
PhishingEmailLink or attachmentFilters that miss some mailEmail security + FIDO2 MFA
SmishingSMS / messaging appsLink in textLittle preview on mobileCarrier filtering + training
VishingVoice callLive persuasionWeak help desk verificationCallback and out-of-band checks
QuishingQR (email, paper, PDF)Image with a hidden URLThe filter cannot read the imageQR-decoding gateway + MDM + FIDO2

The key takeaway is that quishing inherits the goal of phishing (session and credential theft) but shares with vishing the fact that it operates on a channel where traditional technical controls have little visibility.

Why email gateways miss it

A classic secure email gateway inspects three things: the header (SPF, DKIM, DMARC), the text and links (URL rewriting and reputation) and the attachments (sandbox). Quishing dodges all three. The URL is not in the body as text but inside an image, so there is no link to score or rewrite. The attachment, when present, is an inert PDF that never trips the sandbox. And if the QR resolves to a legitimate domain, as in device code phishing, reputation would not help either.

The market response has been to add image decoding to the filter. Microsoft Defender for Office 365 introduced QR detection in 2024, and Proofpoint, Abnormal and Mimecast followed with OCR and QR extraction ahead of scoring the contained URL. It is a necessary improvement but not a complete one: attackers already rotate freshly registered domains, fragment the QR or nest it inside a PDF within another attachment to frustrate automatic extraction.

Real vectors 2023-2026

Quishing stopped being anecdotal in 2023, when several vendors reported mass campaigns against Microsoft 365 using QR codes in "security update" emails. Through 2024 the use of physical stickers on parking meters across European and North American cities took hold, with victims entering card data into cloned gateways. In 2025, QR-based device code phishing moved to the front line after Storm-2372 activity against government and corporate targets. The underlying pattern repeats: every time a defence matures around the text link, the QR offers a path that defence does not yet cover.

How to protect against quishing

Effective defence assumes that some malicious QR will arrive and that some user will scan it. The goal is not only to block the image, but to make sure a scan does not translate into compromise.

Technical defence

  • Phishing-resistant MFA (FIDO2/WebAuthn, passkeys, hardware keys). The highest-impact measure. Even if the user scans and types the password into the fake page, the WebAuthn signature is bound to the real domain and the AitM proxy cannot reuse it. SMS, TOTP and push notification do not close this vector.
  • Conditional access and device compliance. Requiring a managed, compliant device to authenticate cuts device code phishing, because the attacker's phone does not meet the policy.
  • Email gateway with QR decoding. Defender for O365, Proofpoint, Abnormal or Mimecast with QR extraction and reputation scoring of the contained URL.
  • MDM and mobile protection. The phone that scans should run MDM and a URL reputation engine (Microsoft Defender for Endpoint on mobile, Jamf, Lookout) that blocks the destination before it loads.
  • Scanners that preview the URL. Camera apps that display the full domain before opening, so the person can verify where they are going.

Organisational defence and training

Any serious awareness programme must include the QR as its own category, not as a footnote. The teachable rule is simple: a QR deserves the same distrust as a link, and a physical QR requires checking that there is no sticker laid over it. Our guide on how to avoid phishing develops the training and response framework that applies to quishing too.

Controlled quishing simulation in Red Team

The way to measure real exposure is to simulate it. In a Red Team exercise you generate a lab QR (for example with qrencode -o lure.png "https://internal-portal.lab/login"), distribute it by email or on a physical carrier and measure with a platform like GoPhish who scans, who types credentials and who reports. With FIDO2 MFA in place, the exercise shows that a scan alone is not enough to compromise the account. Every simulation requires formal management authorisation, an educational message for anyone who falls for it and no individual sanction, exactly as with any simulated phishing campaign.

Compliance fit

Defence against quishing fits the same frameworks as the rest of phishing: NIS2 (article 21, awareness and training, including for the management body), DORA (article 11, periodic programmes), ISO 27001:2022 (controls 5.1, 6.3 and 7.3) and national schemes. Phishing-resistant authentication also connects with NIST SP 800-63B, which places FIDO2/WebAuthn at the highest assurance level against channel impersonation.

Frequently asked questions

What is quishing?

Quishing is phishing that uses a QR code instead of a visible link. The attacker encodes a malicious URL in an image the victim scans with a phone, unable to read the destination in advance. The aim is the usual one in phishing: steal credentials, capture an authenticated session or install malware.

How does quishing differ from traditional phishing?

In the wrapper and the device. Classic phishing delivers a text link that filters can analyse; quishing hides it inside an image many filters do not decode. The user also tends to scan with a personal phone, leaving the corporate web proxy, EDR and DNS filtering behind.

Why do email filters miss quishing?

Because they inspect text, links and attachments, and a QR is an image with no link to analyse. If the QR also points to a legitimate domain, as in Microsoft 365 device code phishing, URL reputation does not flag it either. Modern gateways add QR decoding, but it does not cover every case.

How does a company defend against quishing?

With phishing-resistant MFA (FIDO2/WebAuthn) as the main layer, conditional access with a managed device, an email gateway that decodes QR codes, MDM with URL reputation on mobile, and training that treats the QR as its own category. Controlled simulation measures real exposure.

Can quishing be simulated legally?

Yes, with the same safeguards as any simulated phishing: formal management authorisation, prior notice to staff that the programme exists, an educational message for anyone who scans, and confidentiality of individual results, with no penalty for falling for it.

Quishing defence at Secra

At Secra we handle quishing within the phishing-resilience programme: authentication review (moving privileged accounts to FIDO2/WebAuthn), email gateway configuration with QR decoding, conditional access hardening to close device code phishing, and Red Team exercises with a controlled quishing vector to empirically measure detection, reporting and response. If your organisation has never tested its exposure to a malicious QR or still relies on SMS or TOTP MFA for critical accounts, get in touch via contact and we will plan an assessment tailored to you.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

Share article