Quishing Attacks Exploit QR Codes to Bypass Email Security and Steal Data
A new wave of 'quishing' attacks is leveraging QR codes embedded in emails to bypass traditional security filters, leading to credential theft and malware delivery.

Cybercriminals are increasingly turning to QR codes, a ubiquitous tool in daily life, as a novel attack vector known as "quishing." These attacks embed malicious URLs within QR code images, allowing them to bypass sophisticated email security systems that are not designed to inspect image content. The tactic exploits user trust and the inherent invisibility of the payload within the pixelated squares, making them a potent threat.
Between August and November 2025, detections of malicious QR code phishing emails surged dramatically, increasing fivefold from approximately 47,000 incidents to over 250,000 in just a few months. Projections indicate that over 4.2 million such threats were identified in the first half of 2025 alone, with Microsoft reporting over 15,000 daily quishing emails targeting the education sector. This rapid escalation highlights a significant gap in current security architectures.
The mechanics of a quishing attack are deceptively simple. A malicious URL is encoded into a QR code. When a user scans this code with their mobile device, their browser is directed to a fraudulent website. Unlike traditional phishing links in emails, which can be previewed by hovering, the QR code's destination is hidden until after the scan. This circumvents the ability to inspect links before clicking, a fundamental security precaution.
Traditional email security gateways are built to parse text, HTML, and embedded URLs. However, when a malicious payload is concealed within an image file, these systems often fail to detect it, classifying the message as benign. This architectural limitation means that quishing emails frequently reach user inboxes, leaving individuals vulnerable.
The consequences of this bypass are significant. Statistics reveal that a large percentage of users scan QR codes without verifying their destination, and a substantial portion of quishing incidents go unreported. The speed at which users fall victim is also alarming, with an average time-to-click on phishing payloads measured in mere seconds.
Attackers employ various methods to deliver these malicious QR codes. While email remains a primary channel, often embedding codes in the email body or PDF attachments, quishing also extends to physical mediums. Scammers have been observed placing fake QR code stickers over legitimate ones on parking meters, restaurant tables, and other public surfaces, leading to credential theft or malware downloads when scanned.
The impact of a successful quishing attack can range from the theft of sensitive credentials, such as Microsoft 365 logins or banking details, to the installation of malware. Attackers can then leverage compromised accounts for further malicious activities, including business email compromise (BEC) attacks, selling stolen session tokens, or deploying ransomware across a network.
As quishing attacks continue to evolve and scale, users are advised to exercise extreme caution when scanning QR codes, especially those received via email or found in unexpected physical locations. Verifying the legitimacy of the destination and looking for signs of tampering, such as stickers placed over original codes, are crucial steps in mitigating this growing threat.