How to Detect and Stop QR Code Phishing Before It Becomes Account Takeover
QR code phishing hides malicious links inside images and attachments. Learn the detection signals, investigation steps, and controls that help stop quishing before credentials are stolen.
Why QR Phishing Needs a Different Detection Model
Traditional phishing detection often starts with visible signals, like a suspicious URL, a known malicious domain, an attachment hash, or message text that matches previous campaigns.
QR phishing or quishing usually breaks that pattern.
The URL is hidden inside an image. The user interaction happens on a mobile device. The phishing page may sit behind redirects, CAPTCHA, device fingerprinting, or adversary-in-the-middle infrastructure. In many cases, the email itself contains very little text, which reduces the number of signals available for content-based detection.
Microsoft has described several common QR phishing patterns, including minimal message text, URL redirection, trusted brand abuse, MFA and document-signing lures, and QR codes embedded in attachments.
The UK National Cyber Security Centre also notes that attackers use QR codes because people are already cautious with suspicious links, but less cautious with QR codes. Not all phishing tools scan images, so a malicious QR code can pass through controls that only inspect written URLs.
So we should treat it as a cross-channel attack that starts in email, moves to mobile, and often ends in identity compromise.
Detect the QR Code Itself
The first control is simple in concept but difficult at scale detect whether the message contains a QR code.
Security tools should inspect:
- Images embedded in the email body
- PDF attachments
- Word or PowerPoint documents
- Screenshots or image-only attachments
- HTML content that loads QR images remotely
- Brand templates that include “scan to verify” instructions
A QR code alone should not automatically block a message. Many legitimate workflows use QR codes for onboarding, event access, device pairing, authentication setup, and payments.
But the presence of a QR code should trigger deeper analysis and suspicion when the message is unexpected, security-themed, credential-themed, or sent from a sender with no established relationship to the recipient.
Microsoft notes that attackers exploit familiar brands and the same email channels used by trusted, legitimate senders. Defenders therefore need layered analysis rather than a simple “QR code equals malicious” rule.
Extract and Analyze the Encoded URL
Once a QR code is detected, the next step is to decode it safely.
The extracted payload should be analyzed before the user interacts with it. That analysis should include:
- The decoded URL
- The registered domain
- Domain age and reputation
- URL length and obfuscation
- Use of URL shorteners
- Redirect chains
- Hosting provider and ASN
- TLS certificate details
- Brand impersonation indicators
- Whether the final page requests credentials
- Whether the page is hidden behind CAPTCHA or bot checks
This kind of analysis is important because the visible email may contain no malicious text at all. The real evidence is inside the QR code and behind the all those redirects.
Microsoft has stated that Defender for Office 365 improved QR phishing protection by extracting URLs from QR codes, extracting QR metadata, applying advanced image processing, and correlating QR-related threats across email, endpoint, and identity data.
A mature detection process should do the same conceptually: decode the QR code, inspect the destination, and connect the email event to what happens after delivery.
Look for Brand and Domain Mismatches
Most QR phishing messages rely on trusted brands.
The email may claim to be about Microsoft 365, SharePoint, DocuSign, Adobe, voicemail, HR, payroll, or MFA verification. But the decoded QR destination often points somewhere else.
Useful mismatch checks include:
- The email mentions Microsoft, but the QR destination is not a Microsoft-controlled domain.
- The sender domain does not match the brand used in the email.
- The QR code points to a newly registered domain.
- The URL uses a subdomain that places the brand name before an unrelated registered domain.
- The final landing page imitates a login portal but is hosted on unfamiliar infrastructure.
For example:
Claimed brand: Microsoft 365
Decoded QR URL: https://microsoft.verify-session.example-login[.]com
Real registered domain: example-login[.]com
The word “microsoft” in the subdomain does not make the URL legitimate. Defenders should parse the registered domain, not just look for brand keywords.
Detect the Lure, Not Just the Link
A QR phishing message often contains very little text, but the text it does contain usually reveals intent.
Common lures include:
- “Scan to review secure document”
- “Scan to listen to voicemail”
- “Scan to complete MFA verification”
- “Scan to avoid password expiration”
- “Scan to access encrypted message”
- “Scan to sign pending document”
- “Scan to view payroll update”
These are not random themes. They create urgency, explain why the user needs to use a phone, and make the QR code feel like part of a legitimate security or productivity workflow.
Microsoft documented a QR phishing campaign in which PDF attachments sent to more than 2,300 organizations directed victims to RaccoonO365 pages designed to imitate Microsoft 365 sign-ins and steal credentials. That makes these lures especially important for detection.
A good rule of thumb:
When a QR code is paired with account access, MFA, password expiration, document access, payroll, or voicemail language, treat it as higher risk until proven otherwise.
Correlate With Sender and Relationship History
The sender is often the strongest signal.
A QR phishing email may come from a free email account, a compromised mailbox, a lookalike domain, or an external sender pretending to be an internal service. In other cases, the message may come from an account that has never communicated with the recipient before.
Detection should evaluate:
- Has this sender contacted this recipient before?
- Does this sender normally send QR codes?
- Is the sender using a new domain or new sending infrastructure?
- Is the display name impersonating an internal team or trusted brand?
- Does the sender’s domain match any link or QR destination domain?
- Did similar messages arrive across many users at the same time?
- Is the email targeting executives, finance, HR, IT, or shared mailboxes?
Microsoft identifies abuse of trusted brands and legitimate email channels as key QR phishing patterns. That makes sender authenticity and deviations from normal communication important detection signals.
This is where behavioral detection becomes valuable. A message does not need a known-bad domain to be suspicious if the sender, recipient, timing, content, and QR destination do not match normal communication.
Watch for CAPTCHA and Redirect Evasion
Many QR phishing attacks do not send the user directly to a credential page.
They send the user through a redirect chain first.
The redirect chain may pass through CAPTCHA pages or legitimate redirect services and adapt its behavior based on the user’s browser, IP address, location, or device.
Microsoft reported that threat actors use CAPTCHA pages to delay detection, create the appearance of a legitimate security check, and reduce the likelihood that automated scanners will reach the final malicious content.
For defenders, this means first-hop URL scanning is not enough.
The analysis should follow the chain safely and record:
- First decoded QR URL
- Intermediate redirect domains
- CAPTCHA or anti-bot pages
- Final landing page
- Page title and visible brand
- Credential fields requested
- Whether the destination changes across devices or locations
A Practical Detection Logic
A useful QR phishing detection does not depend on one indicator.
It combines weak signals until the pattern becomes strong.
A message should be treated as high risk when several of these conditions appear together:
- QR code present
- security/account/document lure
- sender has no prior relationship with recipient
- decoded domain does not match claimed brand
- URL redirects through multiple hosts
- CAPTCHA or anti-bot page appears
- final page requests credentials
- recipient signs in from unusual device/location soon after delivery
Each signal alone may be explainable, but together start to look like a common QR phishing chain.
What Employees Should Be Taught
User education should be specific. Telling people “be careful with QR codes” is too vague. They need rules that match their real day-to-day workflows.
Teach them to avoid scanning QR codes from unexpected emails or text messages, especially when the message creates urgency. The FTC gives similar advice: inspect the URL before opening it, look for misspellings or switched letters, and avoid scanning unexpected QR codes in emails or texts that pressure immediate action.
A practical user checklist:
- Was I expecting this QR code?
- Does this process normally require scanning a QR code?
- Does the previewed URL match the real company domain?
- Is the message asking for credentials, MFA, payment, or sensitive data?
- Can I access the same page by going directly to the official website or app?
For internal workflows or processes, organizations should also make expectations clear. For example:
- We do not send Microsoft 365 password reset requests by QR code, report it if you receive one.
- We do not ask anyone to scan QR codes to access payroll documents.
- We do not require QR scanning to review internal SharePoint files.
When the normal process is clear, anomalies become easier to spot and report!
Recommended response steps
- Reset the user’s password.
- Revoke active sessions and refresh tokens.
- Review recent sign-ins and MFA events.
- Check for new inbox rules, forwarding, delegation, and mailbox permissions.
- Review OAuth app consents and recently granted permissions.
- Search for unusual sent emails.
- Check SharePoint, OneDrive, and Teams access after the suspected compromise.
- Search for other recipients of the same QR phishing email.
- Remove the message from all affected mailboxes.
- Block the decoded domain, redirect domains, and related infrastructure.
A QR phishing email can become account takeover quickly. Removing the message after credentials are stolen is not strong enough response.
Conclusion
QR phishing succeeds precisely because it targets the gaps in traditional detection: no suspicious link in the text, no attachment hash to flag, no message body dense enough for content filters to catch. The malicious payload sits inside an image, and the actual attack unfolds on a device and network that email security tools usually can't see.
That's why defending against it requires a multiple step approach rather than a single rule. No individual signal, a QR code, an unfamiliar sender, a security-themed lure, is enough on its own to prove malicious intent, since each has legitimate uses too. The strength of detection comes from correlation: decoding the QR destination, checking it against the claimed brand, evaluating sender relationship history, following redirect chains through CAPTCHA walls, and watching what happens after delivery.
Just as important is closing the loop with people. Security teams can decode URLs and analyze redirect chains, but employees are the ones holding the phone when the QR code gets scanned. Clear, specific guidance, knowing which processes legitimately use QR codes and which never should, gives people a fast way to spot what doesn't belong, and reduces the chance that a single scan turns into a full account compromise.
Ultimately, Quishing is a reminder that attackers will keep targeting whichever channel has the weakest visibility. The ones that adapt fastest will be the ones that stop treating quishing as a novel and rare attack and start treating it as a standard, expected vector, worth the same scrutiny as any other credential-theft campaign.





