Alarming Surge in QR Code Phishing: Email Security Fails to Protect Users
Rise of QR Code Phishing
A new report by StrongestLayer documents the rise of QR code phishing, also known as "quishing." Over a short period, successful incidents of this tactic surged fivefold, even as major companies made substantial investments in detecting such threats. The report, titled From Nation-States to Amateur Hackers: Why QR Code Phishing Evades Email Security, analyses around 200 advanced QR code phishing attacks that sidestepped leading security measures, including Microsoft Defender E3/E5.
The Growing Threat
According to Kaspersky Labs, successful QR code phishing incidents grew from 46,000 to 250,000 between August and November 2025. This sharp increase raises serious questions about the effectiveness of current email security infrastructure. Despite significant vendor investment in QR code scanning capabilities, attackers appear to have identified and exploited weaknesses that traditional systems fail to address.
Alan LeFort, CEO and co-founder of StrongestLayer, commented, "The industry spent billions to scan QR codes—and attackers still won. This isn't a tuning problem. It's an architectural one." The report highlights that these attacks often bypass corporate security entirely, because the malicious step executes on users' personal devices, where corporate controls do not reach.
Analyzing the Attacks
The report's key findings indicate that all analysed attacks exploited the mobile scanning gap, so the credential theft took place outside corporate security controls. In addition, 68% of these attacks used trusted infrastructure such as AWS or Google Cloud in their execution chains, which masks their malicious intent and makes detection even more challenging.
Furthermore, quishing campaigns typically show low similarity between incidents, averaging only 0.209, well below the threshold necessary for effective pattern-based detection. The attackers use multi-stage redirect chains, which make it harder for secure email gateways to identify the final malicious destination. Domains used in attacks also turn over rapidly: by the time one is blacklisted, others are already in play, which prevents consistent mitigation.
The Failure of Detection Architectures
Traditional detection architectures repeatedly fall short because they do not account for the tactics specific to QR phishing campaigns. A malicious QR code delivers the phishing page on a mobile device, outside the corporate systems responsible for email security. Major vendors acknowledge this limitation and the significant gap it leaves in managing this emerging threat.
Emerging techniques further complicate detection. Attackers use ASCII text-based QR codes, rendered as text characters rather than as an image, which can bypass image analysis altogether. They also borrow security language, imitating OAuth and MFA terminology to reduce user suspicion and increase their chances of success.
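As a defensive illustration of the text-rendered QR codes described above, the following added example (not from the report or from any vendor) flags runs of block-glyph lines whose size and shape are plausible for a QR code drawn with characters. It assumes the message's plain-text body has already been extracted; the glyph set, the thresholds and the function names are assumptions chosen for the example.

```python
# Added example: heuristic for QR codes drawn with text glyphs instead of an image.
BLOCK_CHARS = set("█▀▄▌▐░▒▓■ \u00a0")  # assumed glyph set used to draw modules
MIN_WIDTH = 21  # QR version 1 is 21x21 modules, the smallest possible symbol
MIN_ROWS = 10   # half-block glyphs pack two module rows per line (21 -> 11 lines)


def is_block_line(line):
    """True if the line is wide enough and almost entirely block glyphs."""
    if len(line) < MIN_WIDTH:
        return False
    blocks = sum(ch in BLOCK_CHARS for ch in line)
    solid = sum(ch in BLOCK_CHARS and not ch.isspace() for ch in line)
    return blocks / len(line) >= 0.9 and solid >= 3


def find_text_qr_blocks(text):
    """Return (first_line, rows, width) for each run of block-glyph lines
    whose size and aspect ratio are plausible for a text-rendered QR code."""
    hits, run = [], []
    for idx, line in enumerate(text.splitlines() + [""]):  # "" flushes last run
        if is_block_line(line):
            run.append((idx + 1, len(line)))
            continue
        if len(run) >= MIN_ROWS:
            rows, width = len(run), max(w for _, w in run)
            # 1 or 2 chars per module, full or half blocks: ratio spans ~1 to ~4
            if 0.8 <= width / rows <= 4.5:
                hits.append((run[0][0], rows, width))
        run = []
    return hits


def constructed_sample():
    """Constructed message body. The grid is a striped glyph pattern with QR-like
    dimensions (21 wide, 11 lines); it is not a decodable QR code."""
    grid = ["".join("█▀▄ "[(c * c + r) % 4] for c in range(21)) for r in range(11)]
    return ("Your MFA session expired. Scan to re-authenticate:\n\n"
            + "\n".join(grid) + "\n\nIT Service Desk\n")


if __name__ == "__main__":
    for first_line, rows, width in find_text_qr_blocks(constructed_sample()):
        print(f"possible text-rendered QR code: line {first_line}, {rows}x{width} chars")
```

A hit is a signal to route the message for further inspection, not a verdict; HTML bodies that draw modules with table cells or styled spans need to be rendered to text first.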
A Call to Action
In light of these findings, StrongestLayer stresses the importance of evolving security measures to reflect how modern attacks actually work. As tools that enable OAuth device-flow abuse become widespread, they will create new challenges that traditional URL analysis cannot detect, which calls for a re-evaluation of current cybersecurity protocols.
For organizations aiming to protect against these increasingly sophisticated attacks, a robust and adaptive approach to email and device security will be crucial. The consequences of failing to address these vulnerabilities could be catastrophic as attackers continue to adapt at a rapid pace.
As StrongestLayer continues to shed light on these concerning trends in cybersecurity, organizations must remain vigilant and consider evolving their strategies to safeguard against potential QR code phishing dangers.