Case 03 — Quishing / QR Code Phishing
Sources: Cisco Talos (2023-10 onward), Sophos X-Ops 2024 quarterly reports, Abnormal Security Q4 2024, Microsoft Defender for Office 365 2025-Q1.
Background
Quishing (QR plus phishing) became one of the dominant ways to bypass traditional email defense from late 2023 through 2025. The technique works because:
- Traditional email gateways scan URLs but do not decode QR codes embedded in images or PDFs
- Mobile phones sit outside enterprise EDR coverage, with weaker browser protections
- The session cookie captured by the AiTM proxy is not tied to the phone: the attacker replays it from their own browser and gets a working, MFA-satisfied session even though the victim only ever touched the phishing page on a mobile device
Common lures: "Your Microsoft 365 password expires today, scan to reset", "Voicemail attached: scan to listen", "HR: Updated employee handbook, scan to acknowledge", "DHL/UPS: Package delivery requires confirmation".
Email indicators
- Lookalike sender domain or compromised legitimate third party
- Body text is minimal — mostly an image; if any text exists, it stresses "must use mobile"
- Attachment is PNG, JPG, or PDF with embedded QR; advanced variants use SVG containing base64 PNG
- The HTML has no external links, only image src attributes, so traditional link_scan finds nothing
- Subject themes: MFA expires, voicemail, HR acknowledgement, DocuSign, DHL delivery
Walkthrough
QR code phishing bypasses link scanning
1. Attacker: generates the QR code and embeds it as an inline image
2. Attacker: writes an email body with an HR-compliance pretext and a mobile-only narrative
3. Victim: scans the QR code with a mobile phone
4. Attacker: redirects the phone to an AiTM reverse proxy
5. Victim: enters credentials on the proxied login page
6. Attacker: steals the session cookie
7. Vigilyx: decodes the QR and restores the full chain. attach_qr_scan decodes the QR in the PNG/JPG/PDF, the URL goes through link detection, landing_page_scan identifies the AiTM fingerprints, and content_scan matches the mobile-only narrative; verdict High
Vigilyx detection coverage
Vigilyx treats QR-decoding as a first-class attachment-analysis primitive — the long-standing blind spot of "QR codes inside images" is closed:
- Attachment QR decoding: attach_qr_scan decodes QR codes embedded in PNG, JPG, and PDF attachments; the extracted URL goes through the standard link pipeline (crates/vigilyx-engine/src/modules/attach_qr_scan.rs)
- Decoded-link reputation: the recovered domain is checked against the local IOC store and against OTX/AbuseIPDB via intel (crates/vigilyx-engine/src/intel.rs)
- AiTM landing-page fingerprints: if the QR ultimately leads to Tycoon 2FA / EvilProxy, landing_page_scan recognizes AiTM reverse-proxy traits (crates/vigilyx-engine/src/modules/landing_page_scan.rs)
- Mobile-only narrative: content_scan matches "scan with mobile", "mobile-only", "QR code" combined with urgency (crates/vigilyx-engine/src/modules/content_scan/detectors.rs)
- Image-heavy body detection: html_scan flags emails whose stripped-text body is suspiciously short while containing large images (crates/vigilyx-engine/src/modules/html_scan.rs)
- Single-page QR-only PDFs: attach_content escalates PDFs that have one page and decode to a QR-only payload (crates/vigilyx-engine/src/modules/attach_content.rs)
Traditional gateways inspect only <a href> and remain blind to QR codes in images and PDFs. By treating QR decoding as a first-class attachment primitive, Vigilyx closes the image-bypass gap: any QR the decoder can read is handled exactly like a hyperlink, so the URL behind it gets the same reputation, landing-page and content checks as a visible link.
Defense
- Enable QR decoding for both attachments and inline images
- Treat any email with a near-empty body plus an image attachment plus "scan / mobile" keywords at a Medium baseline
- A single-page PDF that contains only a QR code plus one line of text should be raised to High
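The indicators, coverage bullets and Defense rules above describe one triage procedure; the following is an added, stand-alone Python example of that procedure (not Vigilyx code, which is Rust, and not the engine's modules). It parses a raw MIME message with the standard library, identifies QR-capable attachments by file signature rather than filename, measures the stripped HTML body, looks for the scan/mobile and urgency narrative, detects a single-page image-only PDF, and applies the Medium/High rules. The keyword lists, the 160-character "near-empty" threshold and the sample lure are assumptions constructed for the example; decoding the QR itself needs an external library (pyzbar, zxing-cpp) and is deliberately left out, so the PDF rule uses a structural proxy.

```python
"""Quishing triage over a raw MIME message, standard library only.

Mirrors the page's html_scan / content_scan / attach_content heuristics. Decoding the
QR itself needs an external library (pyzbar, zxing-cpp) and is not done here.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# File signatures of the carriers the page names; checked on bytes, not on filename.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf"}
MOBILE_KEYWORDS = ("scan", "mobile", "qr code", "smartphone", "camera")
URGENCY_KEYWORDS = ("today", "expire", "immediately", "24 hours", "urgent", "final notice")
SHORT_BODY_CHARS = 160  # assumed threshold for a "near-empty" stripped body


def classify_blob(data: bytes):
    """Return 'png' / 'jpg' / 'pdf' from the leading bytes, or None."""
    return next((kind for sig, kind in MAGIC.items() if data.startswith(sig)), None)


def pdf_page_count(data: bytes) -> int:
    """Count /Type /Page objects; the \\b keeps the /Pages tree node out.
    Assumes an unencrypted PDF without object streams (a real engine parses the tree)."""
    return len(re.findall(rb"/Type\s*/Page\b", data))


def pdf_is_single_image_page(data: bytes) -> bool:
    """One page carrying an image XObject: the structural shape of a QR-only PDF."""
    return pdf_page_count(data) == 1 and re.search(rb"/Subtype\s*/Image", data) is not None


def html_stats(html: str):
    """Stripped text, <a href> count and <img> count (regex is enough for a heuristic)."""
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip().lower()
    anchors = len(re.findall(r"<a\b[^>]*\bhref\s*=", html, re.I))
    images = len(re.findall(r"<img\b", html, re.I))
    return text, anchors, images


def triage(raw: bytes) -> dict:
    """Return the signals found and a Low / Medium / High verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    signals, qr_carriers, single_image_pdf = [], [], False

    # Attachment side (attach_qr_scan / attach_content analogue).
    for part in msg.walk():
        if part.get_content_maintype() not in ("image", "application"):
            continue
        data = part.get_payload(decode=True) or b""
        kind = classify_blob(data)
        if kind:
            qr_carriers.append(f"{part.get_filename() or '(inline)'}:{kind}")
        if kind == "pdf" and pdf_is_single_image_page(data):
            single_image_pdf = True
    if qr_carriers:
        signals.append("qr_capable_attachment")
    if single_image_pdf:
        signals.append("single_page_image_only_pdf")

    # Body side (html_scan / content_scan analogue).
    body = msg.get_body(preferencelist=("html", "plain"))
    text, anchors, images = html_stats(body.get_content() if body is not None else "")
    narrative = f"{msg['Subject'] or ''} {text}".lower()
    if len(text) < SHORT_BODY_CHARS and (images or qr_carriers):
        signals.append("image_heavy_short_body")
    if anchors == 0 and images:
        signals.append("no_hyperlinks_only_images")
    if any(k in narrative for k in MOBILE_KEYWORDS):
        signals.append("mobile_only_narrative")
    if any(k in narrative for k in URGENCY_KEYWORDS):
        signals.append("urgency")

    # Verdict per the Defense rules; the structural PDF check stands in for
    # "decodes to a QR-only payload" because no decoder is wired in.
    medium = {"image_heavy_short_body", "mobile_only_narrative", "qr_capable_attachment"}
    if single_image_pdf and "image_heavy_short_body" in signals:
        verdict = "High"
    elif medium.issubset(signals):
        verdict = "Medium"
    else:
        verdict = "Low"
    return {"verdict": verdict, "signals": signals, "qr_carriers": qr_carriers}


def build_sample() -> bytes:
    """Constructed lure, not a captured campaign: HR narrative, inline PNG, one-page PDF."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "HR Compliance <hr@contoso-hr-portal.example>", "employee@example.com"
    msg["Subject"] = "Action required: acknowledge the updated employee handbook today"
    msg.set_content('<html><body><p>Scan the QR code with your mobile phone to acknowledge. '
                    'Desktop access is disabled for security reasons.</p>'
                    '<img src="cid:qr1" width="300" height="300"></body></html>', subtype="html")
    # Placeholder carrying only the PNG signature; a real lure holds a decodable QR.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, maintype="image", subtype="png",
                       filename="qr.png", cid="<qr1>")
    pdf_stub = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
                b"3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> >> endobj\n"
                b"4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 >> endobj\n%%EOF\n")
    msg.add_attachment(pdf_stub, maintype="application", subtype="pdf", filename="handbook.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Two design points worth copying into any real pipeline: carriers are classified by magic bytes so a QR PNG renamed to .txt or served with the wrong Content-Type is still a candidate for the decoder, and the keyword check runs over subject plus stripped body because lures routinely put the urgency in the subject and keep the body to one sentence and an image.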
End-user training
- An email asking you to use your phone to complete a desktop task is almost certainly an attack
- "Mobile-only for security reasons" is a hallmark phrase of QR phishing
- After scanning, inspect the mobile browser address bar carefully: login.microsoftonline.com versus login-microsoft-secure.workers.dev
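The address-bar comparison in the last bullet, turned into a check that a decoded-link stage can run automatically, as an added Python example (not Vigilyx code). The sign-in allow-list, the brand tokens and the hosting suffixes are assumed illustrative lists; a deployment would take the allow-list from its own tenant configuration. It flags the real host used as a subdomain prefix, a brand token on a host the tenant does not own, punycode labels, free hosting or serverless suffixes, plain http and bare IP hosts.

```python
"""Classify where a QR-decoded URL lands relative to the identity provider it imitates."""
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list of the tenant's real sign-in hosts.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
# Brand tokens that have no business appearing in any other host name.
BRAND_TOKENS = ("microsoft", "office", "o365", "m365", "outlook", "sharepoint")
# Assumed examples of free hosting / serverless suffixes used to front AiTM proxies.
HOSTING_SUFFIXES = (".workers.dev", ".pages.dev", ".web.app", ".ngrok-free.app", ".r2.dev")


def check_decoded_url(url: str) -> dict:
    """Return host, reasons and a verdict: legitimate / lookalike / suspicious / unknown."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if host in LEGIT_LOGIN_HOSTS:
        return {"host": host, "verdict": "legitimate", "reasons": reasons}
    # login.microsoftonline.com.evil.example: the real host used as a subdomain prefix.
    if any(host.startswith(legit + ".") for legit in LEGIT_LOGIN_HOSTS):
        reasons.append("legit_host_as_subdomain")
    # login-microsoft-secure.workers.dev: brand token on a host the tenant does not own.
    if any(tok in host for tok in BRAND_TOKENS):
        reasons.append("brand_token_on_foreign_host")
    # Punycode labels can render as confusable Unicode in the mobile address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode_label")
    if host.endswith(HOSTING_SUFFIXES):
        reasons.append("free_hosting_suffix")
    if parts.scheme != "https":
        reasons.append("not_https")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip_literal_host")
    except ValueError:
        pass
    strong = {"legit_host_as_subdomain", "brand_token_on_foreign_host", "punycode_label"}
    if strong & set(reasons):
        verdict = "lookalike"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for u in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
              "https://login-microsoft-secure.workers.dev/auth"):
        print(check_decoded_url(u))
```

The check is deliberately exact-match on the allow-list: anything that merely contains the brand is treated as a lookalike, which is the same rule the training bullet asks users to apply by eye.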
