Emerging Quishing Attacks Exploit QR Codes to Target Microsoft Users

In early October 2025, cybersecurity researchers identified a sophisticated phishing campaign, termed quishing, that leverages weaponized QR codes to compromise Microsoft users. This attack exploits the widespread trust in QR-based authentication and device pairing processes, deceiving individuals into scanning malicious codes that deploy information-stealing malware.

Discovery and Initial Reports

Analysts at Gen Threat Labs first detected this campaign upon observing unusual QR code attachments masquerading as legitimate Microsoft Office 365 notifications. These deceptive emails prompted recipients to scan embedded QR codes, which redirected them to compromised Azure Content Delivery Network (CDN) nodes. These nodes facilitated a multi-stage payload delivery process, ultimately leading to system compromise.

Attack Vectors and Tactics

The attackers employ various strategies to lure victims:

1. Phishing Emails Mimicking Microsoft Teams Alerts: Victims receive emails claiming to be urgent Microsoft Teams notifications, instructing them to scan a QR code to address a critical security issue.

2. Fake Microsoft Authenticator Enrollment Prompts: Another tactic involves emails that appear to be from Microsoft, urging users to scan a QR code to enhance login security through Microsoft Authenticator. Given the common practice of using QR codes for multi-factor authentication setup, these prompts appear credible.

These emails are meticulously crafted, featuring authentic Microsoft logos and well-formatted links, increasing their perceived legitimacy and the likelihood of user engagement.

Mechanism of Infection

Upon scanning the malicious QR code, the victim is directed to a shortened URL that leads to a redirector script. This script performs several checks on the victim's environment, such as checking the Windows locale and the installed Windows Defender version and detecting sandbox environments. If the system meets the attacker's criteria, the script downloads a Packaged Infostealer (PI) executable.

The PI executable establishes persistence by creating a scheduled task named MSAuthSync, ensuring it runs at each user logon. It then extracts credentials and system telemetry, transmitting this sensitive information over HTTPS to servers controlled by the attackers.
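The persistence mechanism described above leaves a concrete artifact that defenders can hunt for: a scheduled task definition with a logon trigger. The following is an added example, not code from the article or from Gen Threat Labs, that parses exported Task Scheduler XML (the format produced by `schtasks /query /xml` and stored under `C:\Windows\System32\Tasks`) and flags a task when its name matches the reported indicator (MSAuthSync) or when a logon-triggered action launches from a user-writable path. The two task definitions are constructed samples; the user-writable path list and the "ExampleUpdater" task are assumptions, not indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler's exported task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task names reported as indicators; MSAuthSync is the name cited for this campaign.
KNOWN_BAD_TASK_NAMES = {"msauthsync"}

# Locations a standard user can write to. A logon-triggered task launching from here deserves a look.
# (Assumption: a typical enterprise baseline; tune to your environment.)
USER_WRITABLE = re.compile(
    r'^"?(%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|%USERPROFILE%|%PUBLIC%|C:\\Users\\)',
    re.IGNORECASE,
)

# Constructed sample: what a task created by the infostealer could look like once exported.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%APPDATA%\MSAuthSync\authsync.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: a benign logon task from a hypothetical vendor, installed under Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\Example Vendor\updater.exe"</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""


def analyze_task(task_name: str, task_xml: str) -> dict:
    """Return a finding for one exported task definition."""
    root = ET.fromstring(task_xml)
    has_logon_trigger = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    cmd = root.find("t:Actions/t:Exec/t:Command", NS)
    command = (cmd.text or "").strip() if cmd is not None else ""
    reasons = []
    if task_name.lower() in KNOWN_BAD_TASK_NAMES:
        reasons.append("task name matches reported indicator")
    if has_logon_trigger and USER_WRITABLE.match(command):
        reasons.append("logon trigger launches a binary from a user-writable path")
    return {
        "task": task_name,
        "command": command,
        "logon": has_logon_trigger,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_tasks(tasks: dict) -> list:
    """Given {task_name: task_xml}, return the names of tasks worth triaging."""
    return [name for name, xml in tasks.items() if analyze_task(name, xml)["suspicious"]]


if __name__ == "__main__":
    for name, xml in {"MSAuthSync": MALICIOUS_TASK, "ExampleUpdater": BENIGN_TASK}.items():
        print(analyze_task(name, xml))
```

On a live host, feed the function the XML from `schtasks /query /xml /tn <name>` or the files under `C:\Windows\System32\Tasks`; for retrospective detection, Security event 4698 (a scheduled task was created) carries the same task XML in its event data, so the check can run centrally over forwarded logs rather than on each endpoint.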

Advanced Evasion Techniques

A notable aspect of this quishing attack is its sophisticated method of evading antivirus (AV) detection. Instead of embedding a standard QR code image, the attackers split the QR code into two overlapping images rendered through PDF content streams. Standard QR code decoders typically overlook non-standard color palettes and segmented images. However, the attackers’ custom parser recombines these image layers to reconstruct the functional QR code.

This technique allows the malicious QR code to bypass static AV signatures and evade simple visual inspections. The complexity of this method underscores the necessity for layered security analyses in contemporary phishing campaigns.
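The defensive lesson from the split-image trick is that a mail gateway must decode what the recipient will actually see, the flattened page, rather than each embedded image on its own. The following is an added illustration, not code from the article or from the researchers: two constructed pixel layers each carry part of a QR finder pattern (one the outer ring in pure black, the other the core in dark grey, standing in for a non-standard palette), and the first stage of any QR decoder, the 1:1:3:1:1 finder-pattern run check, succeeds only on the composite. It assumes both layers were already rendered to the same pixel grid; the grid size, quiet zone and grey value are assumptions.

```python
# Grayscale pixel grids: 0 = black, 255 = white. The layers below are constructed for this
# illustration; they are not the campaign's PDF content and assume aligned, same-size layers.
W = H = 12
QUIET = 2  # rows/cols of quiet zone before the finder pattern's top-left corner


def blank_layer():
    return [[255] * W for _ in range(H)]


def paint(layer, cells, value):
    for r, c in cells:
        layer[r][c] = value
    return layer


# A QR finder pattern is a 7x7 block: dark ring, light ring, dark 3x3 core.
RING = [(QUIET + r, QUIET + c) for r in range(7) for c in range(7) if r in (0, 6) or c in (0, 6)]
CORE = [(QUIET + r, QUIET + c) for r in range(2, 5) for c in range(2, 5)]

LAYER_A = paint(blank_layer(), RING, 0)   # first content stream: outer ring only, pure black
LAYER_B = paint(blank_layer(), CORE, 60)  # second stream: core only, dark grey (non-standard palette)


def flatten(*layers):
    """Composite aligned layers the way a rasteriser would: the darkest pixel wins."""
    return [[min(layer[r][c] for layer in layers) for c in range(W)] for r in range(H)]


def run_lengths(row, threshold=128):
    """Binarise a pixel row and collapse it into alternating [is_dark, length] runs."""
    runs = []
    for px in row:
        dark = px < threshold
        if runs and runs[-1][0] == dark:
            runs[-1][1] += 1
        else:
            runs.append([dark, 1])
    return runs


def has_finder_pattern(grid):
    """First stage of a QR decoder: a dark:light:dark:light:dark run with ratio 1:1:3:1:1."""
    expected = (1, 1, 3, 1, 1)
    for row in grid:
        runs = run_lengths(row)
        for i in range(len(runs) - 4):
            window = runs[i:i + 5]
            if [d for d, _ in window] != [True, False, True, False, True]:
                continue
            lengths = [n for _, n in window]
            module = sum(lengths) / 7.0  # estimated size of one QR module in pixels
            if all(abs(n - module * e) <= module / 2 for n, e in zip(lengths, expected)):
                return True
    return False


def scan_layers(layers):
    """Per-image scanning versus scanning the flattened page."""
    return {
        "per_layer": [has_finder_pattern(layer) for layer in layers],
        "flattened": has_finder_pattern(flatten(*layers)),
    }


if __name__ == "__main__":
    print(scan_layers([LAYER_A, LAYER_B]))
```

In a real pipeline the flattening step is a rasteriser (for example poppler's `pdftoppm` or Ghostscript rendering the page to a bitmap) and the decode step is a full QR library such as zbar; the point is the ordering: render the whole page first, then decode, so that content split across streams, overlapping images or unusual colour palettes is seen the way the victim's phone camera sees it.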

Broader Implications and Related Attacks

The emergence of quishing attacks highlights a broader trend of cybercriminals exploiting QR codes to bypass traditional security measures. For instance, the FBI has issued warnings about cybercriminals tampering with both digital and physical QR codes to redirect victims to malicious sites, thereby stealing login credentials and financial information. In some cases, attackers have replaced legitimate QR codes in public places with malicious ones, leading unsuspecting users to phishing sites or initiating malware downloads.

Another related attack, known as the PoisonSeed attack, involves adversaries tricking users into scanning malicious QR codes with their multi-factor authentication (MFA) applications. This method exploits cross-device sign-in features to bypass FIDO key protections, representing a significant escalation in identity-based attacks.

Recommendations for Mitigation

To protect against such sophisticated quishing attacks, users and organizations should adopt the following measures:

1. Verify QR Code Sources: Only scan QR codes from trusted and verified sources. Be cautious of unsolicited emails or messages containing QR codes, especially those prompting urgent actions.

2. Inspect URLs Carefully: After scanning a QR code, examine the URL before proceeding. Malicious links may closely resemble legitimate ones but often contain subtle misspellings or unusual characters.

3. Utilize Built-in QR Scanners: Avoid downloading third-party QR scanner apps, as they may introduce additional security risks. Most smartphones come equipped with built-in QR code scanning capabilities.

4. Educate and Train Employees: Conduct regular training sessions to raise awareness about the risks associated with QR codes and phishing attacks. Encourage employees to report suspicious emails or messages.

5. Implement Multi-Factor Authentication (MFA): While MFA adds an extra layer of security, ensure that the implementation is secure and that users are aware of potential phishing tactics that may attempt to exploit MFA processes.

6. Regularly Update Security Software: Keep all security software, including antivirus and anti-phishing tools, up to date to detect and mitigate the latest threats.

7. Monitor and Audit Systems: Regularly review authentication logs and system activities for any signs of unauthorized access or anomalies.
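Recommendation 2 (inspect the URL before proceeding) can be made mechanical: once a QR code has been decoded to a string, the string can be checked for the tells the article lists, such as subtle misspellings, unusual characters and, from the infection chain above, a URL shortener in front of a redirector. The following is an added example, not code from the article, that classifies a decoded URL as trusted, suspicious or unknown. The trusted domain list contains real Microsoft sign-in domains but is a starting point to be extended per tenant; the shortener list, the confusable-character table and all sample URLs are constructed for the example, and the "last two labels" domain approximation is a simplification that a Public Suffix List lookup would replace in production.

```python
from urllib.parse import urlsplit

# Domains the organisation expects Microsoft sign-in flows to land on (real Microsoft domains;
# extend with your tenant's own hosts). Anything else stays "unknown" until reviewed.
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "live.com"}

# Public URL shorteners; the campaign placed a shortened URL in front of its redirector.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd"}

# Character swaps commonly used to imitate a brand name (constructed list, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation; use a Public Suffix List in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def deconfuse(name: str) -> str:
    """Map look-alike character sequences back to the letters they imitate."""
    for look_alike, real in CONFUSABLES:
        name = name.replace(look_alike, real)
    return name


def assess_url(url: str) -> dict:
    """Classify a URL decoded from a QR code before anyone opens it."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if parts.username is not None:
        findings.append("userinfo (@) in URL can disguise the real host")
    if any(ord(ch) > 127 for ch in host):
        findings.append("non-ASCII characters in host (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host")

    domain = registrable_domain(host)
    if domain in SHORTENERS:
        findings.append("URL shortener hides the real destination")
    if domain not in TRUSTED_DOMAINS:
        if deconfuse(domain) in TRUSTED_DOMAINS:
            findings.append(f"{domain} is a look-alike of {deconfuse(domain)}")
        for trusted in TRUSTED_DOMAINS:
            if trusted in host:
                findings.append(f"{trusted} appears in the host, but the registrable domain is {domain}")

    if findings:
        verdict = "suspicious"
    elif domain in TRUSTED_DOMAINS:
        verdict = "trusted"
    else:
        verdict = "unknown"
    return {"url": url, "host": host, "domain": domain, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample URLs, not indicators from the campaign.
    for sample in [
        "https://login.microsoftonline.com/common/oauth2",
        "https://micros0ft.com/authenticator",
        "https://login.microsoft.com.cdn-example.net/verify",
        "https://bit.ly/3abc",
        "https://microsoft.c\u043em/login",
    ]:
        print(assess_url(sample))
```

A "trusted" verdict only means the registrable domain is on the allowlist; it does not vouch for the path or the page behind it, so the check belongs in front of a human decision or a sandbox visit, not in place of one.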

By adopting these proactive measures, individuals and organizations can enhance their defenses against the evolving threat landscape posed by quishing attacks and other QR code-based phishing schemes.