In early October 2025, cybersecurity researchers identified a sophisticated phishing campaign, termed quishing, that exploits QR codes to compromise Microsoft users. This method leverages the widespread trust in QR-based authentication and device pairing processes, deceiving individuals into scanning malicious codes that deploy information-stealing malware.
Discovery and Initial Reports
Analysts at Gen Threat Labs first detected this campaign upon observing unusual QR code attachments masquerading as legitimate Microsoft Office 365 notifications. These deceptive emails prompted recipients to scan embedded QR codes, which redirected them to compromised Azure Content Delivery Network (CDN) nodes. These nodes facilitated a multi-stage payload delivery system designed to infiltrate user systems.
Attack Vectors and Deceptive Tactics
The attackers employed several deceptive strategies to enhance the credibility of their phishing attempts:
1. Impersonation of Microsoft Teams Alerts: Victims received emails claiming to be urgent Microsoft Teams notifications, instructing them to scan a QR code to address a critical security issue.
2. Fake Microsoft Authenticator Enrollment Prompts: Another tactic involved emails that appeared to be from Microsoft, urging users to scan a QR code to enroll in enhanced login protection via Microsoft Authenticator. Given the common organizational practice of encouraging QR-based multi-factor authentication (MFA) setups, these prompts appeared legitimate and trustworthy.
The use of authentic Microsoft logos and well-formatted links in these emails further increased their perceived legitimacy, thereby boosting the campaign’s success rate.
Mechanism of Infection
Upon scanning the malicious QR code, victims were directed to a shortened URL leading to a redirector script. This script conducted environmental checks, such as verifying the Windows locale, assessing installed versions of Windows Defender, and detecting sandbox environments. If the system was deemed vulnerable, the script proceeded to download a Packaged Infostealer (PI) executable.
The PI executable established persistence on the infected system by creating a scheduled task named MSAuthSync, ensuring its execution at each user logon. It then extracted credentials and system telemetry data, transmitting this information over HTTPS to servers controlled by the attackers.
Advanced Evasion Techniques
A notable aspect of this quishing attack is its sophisticated method of evading antivirus (AV) detection. Instead of embedding a single QR image, the attackers split the QR code into two overlapping images rendered through PDF content streams. Standard QR code decoders typically overlook nonstandard color palettes and segmented images. However, the attackers utilized a custom parser to recombine these image layers before decoding, effectively bypassing traditional AV signatures and simple visual inspections.
To illustrate how defenders might reconstruct and decode such split QR codes, consider the following Python snippet:
“`python
from PIL import Image
import zbarlight
# Load the two image layers
layer1 = Image.open(‘qr_part1.png’).convert(‘RGB’)
layer2 = Image.open(‘qr_part2.png’).convert(‘RGB’)
# Recombine by taking the brighter pixel from each
merged = Image.new(‘RGB’, layer1.size)
pixels1, pixels2 = layer1.load(), layer2.load()
for x in range(layer1.width):
for y in range(layer1.height):
pixels = pixels1[x, y] if sum(pixels1[x, y]) > sum(pixels2[x, y]) else pixels2[x, y]
merged.putpixel((x, y), pixels)
# Decode the merged QR code
codes = zbarlight.scan_codes(‘qrcode’, merged)
print(‘Decoded URL:’, codes[0].decode())
“`
This approach underscores the necessity for layered analysis in modern phishing campaigns, as weaponized QR images can evade both static AV signatures and straightforward visual inspections.
Broader Implications and Related Threats
The emergence of quishing attacks highlights a broader trend in cyber threats where attackers exploit the inherent trust and convenience associated with QR codes. Similar campaigns have been observed targeting various sectors:
– Energy Sector Targeting: A significant QR code phishing campaign was identified, focusing on stealing Microsoft credentials from employees in the energy industry. This campaign accounted for nearly 29% of over 1,000 malicious QR code emails observed, indicating a targeted approach towards critical infrastructure sectors.
– PoisonSeed Attack: Another sophisticated attack technique, known as the PoisonSeed attack, compromises Fast IDentity Online (FIDO) key authentication by exploiting cross-device sign-in features. Attackers trick users into scanning malicious QR codes with their multi-factor authentication (MFA) applications, effectively bypassing FIDO key protections.
– Evil QR Attack: The Evil QR attack involves attackers convincing users to scan malicious QR codes, leading to account takeovers. This method exploits the Login with QR code feature present in many applications, demonstrating the versatility and effectiveness of QR code-based attacks.
Mitigation Strategies
To defend against quishing and similar QR code-based attacks, organizations and individuals should adopt the following measures:
1. User Education and Awareness: Educate users about the risks associated with scanning unsolicited QR codes, especially those received via email or from untrusted sources.
2. Email Filtering and Security Measures: Implement advanced email filtering solutions capable of detecting and blocking emails containing suspicious QR codes or attachments.
3. Multi-Factor Authentication (MFA): While MFA enhances security, ensure that users are aware of potential phishing attempts that exploit MFA processes. Encourage the use of hardware tokens or app-based authenticators that do not rely on QR codes.
4. Regular Security Audits: Conduct regular security assessments to identify and mitigate vulnerabilities that could be exploited by such attacks.
5. Incident Response Planning: Develop and maintain an incident response plan to quickly address and contain any breaches resulting from phishing attacks.
Conclusion
The rise of quishing attacks underscores the evolving tactics of cybercriminals who continuously adapt to exploit new technologies and user behaviors. By understanding the mechanisms of these attacks and implementing comprehensive security measures, organizations can better protect themselves and their users from the growing threat posed by weaponized QR codes.
