+146%: QR phishing volume increase, Q1 2026
18.7 million: quishing attacks per month (March 2026)
Fewer than 20%: legacy secure email gateways blocking QR phishing

Quishing is phishing with the URL hidden inside a QR code image. Email security gateways that scan for malicious URLs in message text and hyperlinks cannot extract URLs from rendered image files. The malicious link is invisible to URL reputation engines, sandbox detonation systems that process text, and most link-rewriting filters. Only systems that optically decode QR images and then scan the embedded URL can catch it.

This architectural gap is why quishing volume surged 146% in Q1 2026. The attack is not technically sophisticated: attackers generate a QR code pointing to a credential phishing page, embed it in an email body or PDF attachment, and let the recipient's phone or desktop camera decode it outside the corporate mail flow entirely.

Why Quishing Bypasses Traditional Email Security

Understanding the detection gap requires understanding how legacy Secure Email Gateways (SEGs) process messages.

What legacy SEGs inspect:

  • Message headers and envelope metadata (SPF, DKIM, DMARC)
  • Message body text for URL strings, phone numbers, and suspicious phrases
  • Hyperlinks embedded in HTML anchor tags
  • Attachments submitted to sandbox detonation

What legacy SEGs do not inspect:

  • URLs embedded inside image files (PNG, JPEG, GIF, BMP)
  • QR codes in inline images or attached PDFs
  • QR codes in Office document images

When a quishing email arrives, the SEG sees an email with an image attachment or inline image and no suspicious text or hyperlinks. The image passes through unmodified. The recipient opens the email, sees the QR code image, and scans it with their phone camera using the built-in camera app. The scan happens entirely outside the corporate network and email security stack, on a personal mobile device with no corporate URL filtering applied.
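To make the gap concrete, the following is an added example written for this page; it is not code from the article or from any vendor it names. It uses only Python's standard-library email module to do what a text-only URL scanner does (pull URLs out of text bodies and HTML anchors), list the image and PDF parts that scanner never opens, and flag the QR-lure shape of lure wording plus an image part plus no inspectable link. The two sample messages, the placeholder PNG bytes, the lure-term list and the scoring threshold are all constructed assumptions of the example.

```python
"""Added example, not from the article: a stand-alone triage pass showing which
MIME parts a text-only URL scanner covers and which need optical QR decoding.
Sample messages, the placeholder PNG bytes and the lure-term list are constructed."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
TEXT_TYPES = {"text/plain", "text/html"}
# Content types a text scanner never opens; a QR code can hide in any of them.
OPTICAL_TYPES = {"image/png", "image/jpeg", "image/gif", "image/bmp", "application/pdf"}
# Wording drawn from the lure themes in the article (assumed list, not a vendor signature).
LURE_TERMS = ("scan", "qr", "authenticator", "mfa", "re-verify", "docusign",
              "e-signature", "payroll", "w-2", "direct deposit")


def parse_eml(raw: str) -> EmailMessage:
    """Ingest a raw RFC 5322 message the way a gateway hook would receive it."""
    return message_from_string(raw, policy=default)


def text_urls(msg: EmailMessage) -> list:
    """What a legacy SEG sees: URL strings in text bodies and HTML anchor hrefs."""
    found = set()
    for part in msg.walk():
        if part.get_content_type() in TEXT_TYPES:
            body = part.get_content()
            found.update(URL_RE.findall(body))
            found.update(HREF_RE.findall(body))
    return sorted(found)


def optical_parts(msg: EmailMessage) -> list:
    """Parts a text scanner skips entirely; each must be decoded before any URL check."""
    return [(part.get_filename() or "(inline)", part.get_content_type(),
             part.get_content_disposition())
            for part in msg.walk() if part.get_content_type() in OPTICAL_TYPES]


def triage(msg: EmailMessage) -> dict:
    """Flag the QR-lure shape: lure wording + image/PDF part + no inspectable link."""
    urls = text_urls(msg)
    optical = optical_parts(msg)
    text = (msg["Subject"] or "") + " " + " ".join(
        part.get_content() for part in msg.walk() if part.get_content_type() in TEXT_TYPES)
    text = text.lower()
    terms = [t for t in LURE_TERMS if t in text]
    return {
        "text_urls": urls,
        "needs_optical_decode": optical,
        "lure_terms": terms,
        # Threshold of two terms is an assumption; tune it against your own mail flow.
        "qr_lure_pattern": bool(optical) and not urls and len(terms) >= 2,
    }


def build_link_lure() -> EmailMessage:
    """Constructed sample: the lure as a plain hyperlink, which a SEG can inspect."""
    msg = EmailMessage()
    msg["Subject"] = "Action required: re-verify your MFA"
    msg.set_content("Your Authenticator enrollment expires today.\n"
                    "Re-verify here: https://example.invalid/mfa\n")
    return msg


def build_qr_lure() -> EmailMessage:
    """Constructed sample: the same lure with the URL moved into an inline image."""
    msg = EmailMessage()
    msg["Subject"] = "Action required: re-verify your MFA"
    msg.set_content("Your Authenticator enrollment expires today.\n"
                    "Scan the QR code below with your phone to re-verify.\n")
    # Placeholder bytes carrying only a PNG signature; not a real QR image.
    fake_png = b"\x89PNG\r\n\x1a\n" + bytes(32)
    msg.add_attachment(fake_png, maintype="image", subtype="png",
                       filename="verify.png", disposition="inline")
    return msg


if __name__ == "__main__":
    for build in (build_link_lure, build_qr_lure):
        print(build.__name__, triage(parse_eml(build().as_string())))
```

Run stand-alone, the hyperlink version yields one URL and no optical parts, while the QR version yields zero URLs, one inline image/png part and the QR-lure flag. The `needs_optical_decode` list is the hand-off point: a gateway with QR inspection would decode those parts and push the recovered URL through the same reputation and sandbox pipeline as `text_urls`; a gateway without it stops here, which is the blind spot the article describes.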

Why mobile scanning is the critical gap: Most corporate endpoint security covers Windows laptops and managed mobile devices via MDM. When an employee scans a QR code with their iPhone camera in the default camera app, the URL is opened in Safari without going through any corporate proxy, DNS filtering, or Secure Web Gateway. The attack deliberately routes the victim outside the corporate security perimeter.

Encoding variations that evade OCR-based detection: Some advanced quishing campaigns add noise, rotation, or color distortion to QR images to defeat OCR-based scanners that might attempt to extract text from images. Others use QR codes embedded within legitimate document templates (fake DocuSign notifications, fake Microsoft 365 voicemail alerts) to add visual legitimacy.

Common Quishing Lure Templates in 2026

Quishing campaigns cluster around a consistent set of lure themes because QR codes require an action (scanning) that users associate with specific contexts. The most prevalent templates as of Q1-Q2 2026:

Multi-factor authentication reset lures are the highest-volume category. The email claims the recipient must re-verify their MFA, reset their Authenticator app, or scan the QR code to maintain account access. Microsoft 365, Okta, and Duo branding are most common. The urgency of an account lockout drives high scan rates.

DocuSign and e-signature lures embed QR codes in fake signature request notifications. The recipient is told to scan the code to review and sign an important document. PDF attachments containing the QR code (rather than inline images) are common to bypass image attachment scanning policies.

HR and payroll lures claim the recipient must scan to access their W-2, update direct deposit information, or complete open enrollment. These have high scan rates because they impersonate internal HR systems.

Parking, package delivery, and physical-space lures increasingly target corporate campuses: attackers place physical QR code stickers on parking meters, door signage, or conference room booking tablets, then send follow-up emails with matching branding.

Callback phishing (vishing + quishing) combines a phone call from a fake IT support representative with a follow-up email containing a QR code to 'install the remote support tool.' The phone call builds trust that the email is legitimate.


Email Security Vendors with QR Code Inspection

The vendor landscape for quishing detection has evolved rapidly since 2024. These are the capabilities to evaluate in your next renewal or RFP.

Microsoft Defender for Office 365 (Plan 2)

Microsoft added QR code URL extraction and Safe Links scanning for QR-embedded URLs in 2024. QR codes in email bodies and attachments are optically decoded, the embedded URL is extracted, and then processed through the same Safe Links URL detonation and reputation pipeline used for regular hyperlinks. Available in Defender for Office 365 Plan 2 (included in M365 E5 or as an add-on). Enable via the Anti-phishing policy QR code settings in the Microsoft 365 Defender portal.

Proofpoint Email Security

Proofpoint's Targeted Attack Protection includes QR code analysis that extracts and sandboxes URLs from QR images. Proofpoint also provides Business Email Compromise (BEC) classification that combines QR lure detection with sender analysis. Available in Proofpoint's advanced tiers. Check that QR code URL rewriting is enabled in your tenant, as it may not be on by default in legacy deployments.

Abnormal Security

Abnormal uses behavioral AI to detect quishing based on email context, sender anomalies, and QR code presence combined with behavioral signals, rather than relying solely on URL reputation after extraction. Effective at detecting first-time-seen quishing domains that have no reputation history. Integrates as an API-based add-on to existing Microsoft 365 or Google Workspace mail flows without requiring MX record changes.

Mimecast Email Security

Mimecast's URL Protect now includes QR code URL extraction and inspection as part of its attachment inspection pipeline. PDFs and images containing QR codes are decoded, the URL is extracted and checked against Mimecast's threat intelligence and sandboxing infrastructure. Available in Mimecast's advanced email security tiers.

Perception Point Advanced Email Security

Perception Point's HAP (Highly Advanced Protection) tier includes QR code image decoding and recursive URL inspection. Particularly effective at catching QR codes within PDF attachments (a common quishing delivery method) because the platform detonates the full PDF and inspects embedded images. Often deployed as a secondary scanner alongside existing SEGs.

Non-Email Quishing Vectors: Physical and Mobile

Focusing exclusively on email quishing misses a growing physical attack surface. Threat intelligence in 2025-2026 documents several non-email quishing vectors.

Physical QR stickers on corporate infrastructure: Attackers place stickers over legitimate QR codes on parking meters, restaurant menus near corporate offices, public EV charging stations, and conference room booking tablets. Employees scan a code they believe is legitimate; it routes to a credential phishing page styled to match the expected service.

Fake package delivery notifications: Physical mailers delivered to home addresses (targeting remote workers) contain QR codes claiming to require package pickup confirmation or address update. Employees working from home are outside corporate network controls when they scan.

Event badges and conference materials: QR codes printed on conference badges, lanyards, or promotional materials at industry events can be compromised. Attackers either reprint materials or place stickers at events targeting specific organizations.

Mitigations for physical quishing:

  • User awareness training specifically covering physical QR code skepticism: 'Who placed this code here? Is this expected?'
  • MDM-enforced DNS filtering on managed mobile devices that applies to the default browser
  • Phishing-resistant MFA as the backstop: even if a user scans a malicious QR code and enters their password on a phishing page, phishing-resistant MFA prevents credential-only compromise

The Layered Defense Stack for Quishing

No single control stops quishing. The effective defense combines detection at the email layer, network-level URL inspection, and authentication controls that reduce the impact of successful credential theft.

Layer 1: Email Security with QR Image Inspection

Upgrade to an email security solution that optically decodes QR images and submits the extracted URL through the same URL reputation and sandboxing pipeline used for hyperlinks. Verify QR inspection is enabled (it is not always on by default). Test by sending a benign QR code email through your gateway and confirming the embedded URL is being resolved and checked.

Layer 2: Managed Device DNS/Web Filtering

Deploy DNS filtering (Cisco Umbrella, Cloudflare Gateway, or your SASE platform) on managed mobile devices via MDM. When a user scans a QR code on a managed phone, the resulting URL lookup goes through your DNS security layer even if they use the native camera app. This catches quishing domains that are flagged for malicious activity at the DNS level.

Layer 3: Conditional Access Requiring Managed Device

Configure Conditional Access to require Intune-compliant or Hybrid Azure AD-joined devices for all corporate application access. Even if a user scans a quishing QR code and enters their credentials, Conditional Access blocks the attacker's unmanaged device from accessing corporate resources. This is the single most effective compensating control for credential theft from quishing.

Layer 4: Phishing-Resistant MFA

FIDO2 hardware keys and passkeys are not vulnerable to QR phishing because they bind the authentication response to the legitimate domain. A user who scans a quishing QR code, lands on a fake Microsoft login page, and attempts to use their passkey or security key will find the authenticator refuses to respond: the domain does not match the registered origin. Phishing-resistant MFA makes stolen credentials from quishing attacks largely useless.

Layer 5: User Awareness Training Specific to QR Codes

Generic phishing awareness training often does not address QR codes specifically. Add quishing-specific content: when to distrust a QR code in email, the fact that phone cameras do not go through corporate URL filtering, and the habit of checking the URL preview before tapping when a camera app decodes a QR code. Run quishing simulation campaigns (KnowBe4, Proofpoint, Cofense all offer QR phishing templates) to establish a baseline and measure improvement.

The bottom line

Quishing is growing because it exploits a structural gap in how legacy email security was built: URL inspection assumes URLs are in text, not images. The practical response has two tracks. First, verify your email security gateway optically decodes QR codes and submits extracted URLs to the same inspection pipeline as hyperlinks: if it does not, evaluate vendors that do (Microsoft Defender for Office 365 Plan 2, Abnormal Security, Proofpoint TAP, Perception Point). Second, deploy phishing-resistant MFA and Conditional Access device compliance requirements so that stolen credentials from quishing attacks cannot be used from attacker infrastructure. Awareness training on QR codes is useful but should not be your primary control: a realistic quishing lure has high scan rates even among security-aware employees.

Frequently asked questions

What is quishing and how is it different from regular phishing?

Quishing (QR code phishing) hides the malicious URL inside a QR code image rather than as a text hyperlink. Regular phishing embeds URLs in email text or anchor tags that email security gateways can extract and check against URL reputation databases and sandboxes. Quishing bypasses this because most email security tools cannot extract URLs from image files. The recipient scans the QR code with their phone camera, which decodes the URL outside the corporate security stack, and then navigates to a credential phishing page on their phone where corporate DNS filtering and web proxies may not apply.

Can my existing secure email gateway detect QR code phishing?

Older and legacy SEG configurations typically cannot, because they scan for URLs in message text and hyperlinks but do not optically decode images. Modern platforms have added QR detection: Microsoft Defender for Office 365 (Plan 2), Proofpoint TAP, Abnormal Security, Mimecast, and Perception Point all offer QR code URL extraction and inspection as of 2025-2026. Check your specific configuration rather than assuming the capability is enabled: in many tenants it is available but not turned on. Test by sending a QR code containing a known-safe URL through your gateway and verifying the embedded link is logged and checked.

Why is scanning QR codes on a mobile phone riskier than clicking links on a laptop?

When you click a link on a managed corporate laptop, it typically goes through your corporate web proxy, DNS filter, or SASE platform before resolving. When you scan a QR code with your iPhone or Android camera app, the resulting URL is opened in the default mobile browser using whatever network you are on (cellular data, home WiFi, coffee shop WiFi) with no corporate filtering applied. Even on MDM-enrolled managed mobile devices, QR code URLs opened via the native camera app may bypass MDM-deployed browser controls depending on configuration. This is the deliberate design of quishing: it routes around corporate security controls.

What are the most common quishing lure themes I should include in security awareness training?

The highest-volume lure themes in Q1-Q2 2026 are: MFA reset or re-enrollment requests (fake Microsoft Authenticator, Okta, or Duo setup emails), DocuSign and e-signature requests with QR codes instead of links, HR/payroll notifications (W-2 access, open enrollment, direct deposit updates), and package delivery notifications. Physical quishing is also growing: parking meters, public charging stations, and conference materials near corporate offices. Train users to pause before scanning any QR code they did not explicitly request, check the URL preview in the camera app before tapping, and report QR code emails to the security team via the phishing report button.

Does phishing-resistant MFA protect against quishing?

Yes, as a backstop. FIDO2 hardware keys and passkeys cryptographically bind authentication to the legitimate website domain. If a user scans a quishing QR code, lands on a fake Microsoft login page at a malicious domain, and enters their credentials, the passkey or security key will refuse to authenticate because the domain does not match the registered origin. The attacker obtains a password but cannot use phishing-resistant MFA factors to complete authentication. This makes credential theft from quishing attacks largely unusable against accounts protected by phishing-resistant MFA, even if the user is deceived into submitting their password.
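The origin binding described in Layer 4 above and in this answer can be seen in the relying-party checks a WebAuthn server performs on an assertion. The block below is an added example written for this page, not code from the article or from any FIDO library; the relying-party ID, origin and lookalike domain are constructed, and the ECDSA signature check over authenticatorData and the SHA-256 of clientDataJSON that follows these checks in a real deployment is not shown. It goes slightly beyond the text by also checking the rpIdHash and the user-presence and user-verification flags, which are part of the same verification step.

```python
"""Added example, not from the article: the relying-party checks that give FIDO2 keys
and passkeys their origin binding. All identifiers are constructed; the signature
verification that follows these checks in a real deployment is not shown."""
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.com"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed expected origin
FLAG_UP, FLAG_UV = 0x01, 0x04                  # authenticatorData flag bits


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_challenge() -> bytes:
    """Server-side challenge issued per login attempt."""
    return secrets.token_bytes(32)


def make_authenticator_data(rp_id: str, sign_count: int = 1,
                            user_present: bool = True, user_verified: bool = True) -> bytes:
    """Builds the rpIdHash || flags || signCount prefix an authenticator emits."""
    flags = (FLAG_UP if user_present else 0) | (FLAG_UV if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """The browser, not the page, fills in origin; the authenticator signs over its hash,
    so a phishing page cannot rewrite it afterwards without breaking the signature."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, expected_origin: str = EXPECTED_ORIGIN,
                     rp_id: str = RP_ID) -> tuple:
    """Pre-signature checks from the WebAuthn assertion procedure; returns (ok, reason)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if client.get("origin") != expected_origin:
        return False, f"origin mismatch: {client.get('origin')}"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & FLAG_UP:
        return False, "user not present"
    if not flags & FLAG_UV:
        return False, "user not verified"
    return True, "ok"


def demo() -> dict:
    """A legitimate login versus a lookalike page relaying the same ceremony."""
    challenge = new_challenge()
    auth_data = make_authenticator_data(RP_ID)
    return {
        "legitimate": verify_assertion(
            make_client_data(challenge, EXPECTED_ORIGIN), auth_data, challenge),
        # Constructed lookalike origin: the browser only ever records the page's real
        # origin, so anything relayed from it fails here even before the signature check.
        "phishing_page": verify_assertion(
            make_client_data(challenge, "https://login-example.invalid"), auth_data, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In practice the user never reaches this point from a quishing landing page: the browser refuses to invoke the authenticator at all when the page's domain does not match the credential's relying-party ID, which is the refusal the text describes. The server-side checks above are the second line, ensuring that an assertion relayed from or replayed by another origin is rejected even if one is somehow obtained.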

How do I run a quishing simulation to test my organization?

KnowBe4, Proofpoint Security Awareness (Wombat), and Cofense all include QR code phishing simulation templates in their platforms as of 2025-2026. Run a baseline quishing simulation before deploying new controls and training, measure the scan rate (how many employees scanned the QR code) and the credential submission rate (how many entered credentials on the landing page), then deploy quishing-specific training and run a follow-up simulation 90 days later. Report both metrics to leadership: scan rate measures awareness of the vector, credential submission rate measures the actual risk. Include a specific quishing module in your annual phishing simulation calendar rather than treating it as a one-time test.

Are QR codes in PDF attachments more dangerous than QR codes in email images?

Yes, in terms of detection bypass rate. Many email security systems scan inline images but apply different processing to PDF attachments, particularly if they do not fully detonate the PDF in a sandbox. A QR code inside a PDF triggers a different analysis pipeline than an inline image QR code. Perception Point and some other vendors specifically sandbox full PDF content including embedded images. If your email security solution does not sandbox PDFs and extract embedded QR codes, PDFs containing QR codes are a significant blind spot. Require your vendor to demonstrate QR-in-PDF detection specifically when evaluating or testing your current solution.



Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
