April 24, 2026
The QR Code in Your Inbox Is Not What It Looks Like: Understanding Quishing in 2026

There is a reasonable chance that somewhere in your organization, an employee scanned a QR code today. Maybe it was in an email from what appeared to be your IT department, asking them to re-enroll in multi-factor authentication. Maybe it was attached to a vendor invoice, or embedded in a PDF that arrived in the accounting team's inbox. In most cases, QR codes are exactly what they appear to be: a convenient shortcut to a website. But in a growing number of cases, they are something else entirely — the most effective phishing vehicle cybercriminals have developed in the past decade.

This technique has a name: quishing, a portmanteau of QR code and phishing. And while it may sound like a novelty, the numbers tell a different story. According to research from Keepnet Labs, QR-based phishing accounted for 12% of all phishing attacks globally in 2025, up from less than 1% in 2021. According to Abnormal Security, QR code attacks increased 400% between 2023 and 2025. Microsoft reported blocking approximately 1.5 million quishing attempts per day in 2024. These are not the statistics of an emerging threat quietly gaining ground in the background. This is one of the fastest-growing attack vectors in enterprise security, and most organizations are not adequately prepared for it.

Why QR Codes Are a Phisher's Perfect Weapon

To understand why quishing is so effective, you need to understand the structural gap it exploits. Traditional email security gateways — Secure Email Gateways, or SEGs — were designed around one fundamental assumption: that threats arrive as text. Malicious URLs embedded in message bodies, suspicious domain names, keyword patterns associated with social engineering. Decades of investment and refinement have made these tools genuinely effective at detecting text-based threats. But a QR code is not text. It is an image. And most email security tools that have been deployed in organizations today treat it as such — a harmless visual element, not a threat vector to be decoded and inspected.

This creates a blind spot with immediate practical consequences. When an employee receives a phishing email containing a suspicious link, a well-configured email gateway may flag or block it before it reaches the inbox. When the same malicious URL is encoded inside a QR code image, that same gateway sees a picture and passes it through without analysis. The attacker has effectively turned your organization's email security investment into a filter that protects against yesterday's attacks while leaving tomorrow's untouched.

The problem compounds when the employee scans the code. At that point, the attack moves from their corporate laptop — which may have endpoint protection, web filtering, and managed device controls — to their personal smartphone, which almost certainly does not. According to Unit 42 researchers at Palo Alto Networks, this shift to unmanaged personal devices is a deliberate design choice in modern quishing campaigns: attackers know that mobile devices represent the weakest link in the corporate security perimeter, and they engineer their attacks to exploit exactly that gap.

How Attackers Are Making Quishing Harder to Detect

Early quishing attacks were relatively straightforward: a standard black-and-white QR code embedded in an email, leading to a credential-harvesting page. Security researchers quickly began developing image-based detection tools to identify and flag these patterns. Attackers, as they always do, adapted.

The quishing landscape of 2026 looks meaningfully different from what it did eighteen months ago. Researchers at KnowBe4 have documented the rise of stylized QR codes that incorporate brand logos, custom color schemes, and altered module shapes. These modifications preserve the code's scannability while systematically disrupting the pixel-pattern assumptions that detection tools rely on. Barracuda's research has identified campaigns that construct QR codes from ASCII or Unicode text characters rather than image files, so the payload technically arrives as text — bypassing image scanners entirely. Split and nested QR codes, where the malicious URL is distributed across multiple visual elements that only resolve when combined, represent another evolution that legacy tools cannot analyze.

Attackers are also using QR code URL shorteners to add an additional layer of obfuscation. Unit 42 researchers found a steady, multi-year increase in this tactic: QR code shortener traffic grew 55% from the first half of 2023 to the first half of 2024, and another 44% in the following year. The shortener allows an attacker to register a benign-looking intermediate URL that passes reputation checks, then redirect victims to a malicious destination that has never been seen before by any threat intelligence feed. Even security-conscious users who check the URL preview before scanning cannot determine the final destination when presented with a shortened link.

Perhaps most concerning is the documented involvement of nation-state actors. Researchers have linked the North Korean Kimsuky group to quishing campaigns targeting government officials and defense contractors with fake Microsoft 365 and VPN login pages. Russian-affiliated actors have used QR code phishing to target members of parliament and their staff. Google's Threat Intelligence Group has documented Russian campaigns using malicious QR codes to compromise Signal Messenger accounts, exploiting the app's device-linking feature to gain persistent access to secure communications. These are not opportunistic criminals testing a new technique; these are sophisticated threat actors who have concluded that quishing is effective enough to incorporate into high-value, targeted operations.

What Attackers Are Actually After

Understanding the objective of quishing attacks matters because it shapes the appropriate defense. According to research from Abnormal Security, 90% of QR code attacks are credential phishing operations — attacks designed to harvest usernames and passwords for corporate accounts, particularly Microsoft 365 and other enterprise identity platforms. The QR code redirects the victim to a convincing replica of a legitimate login page, the credentials are entered and captured, and the attacker now has direct access to the victim's email, files, calendar, and any connected systems.

The specific pretexts used to deliver these attacks follow predictable patterns. In approximately 27% of quishing attacks, according to Abnormal's data, attackers impersonate multi-factor authentication enrollment notices — messages claiming that the organization requires re-enrollment in MFA and that failure to comply will result in loss of account access. The irony is deliberate: MFA is one of the most effective defenses against credential theft, and attackers have found a way to use the urgency of MFA compliance as the vehicle for the attack itself. The second most common pretext, used in roughly 21% of attacks, involves fake notifications about shared documents requiring the victim's signature.

For organizations in regulated industries or those handling sensitive government or defense data, the consequences of a successful credential compromise extend well beyond a single account. A compromised Microsoft 365 account gives an attacker access to email history that may contain contracts, pricing information, employee data, and client communications. It provides a trusted platform from which to launch business email compromise (BEC) attacks against vendors, partners, and clients. And in organizations pursuing CMMC compliance or operating under federal contracting requirements, a single credential compromise can trigger mandatory breach notifications, contract reviews, and compliance audits with significant financial and reputational consequences.

Why Training Alone Is Not Enough

The instinctive first response to any phishing threat is user awareness training, and there is genuine value in that investment. Employees who understand what quishing is and what to look for are meaningfully less likely to fall victim than those who have never heard the term. But the nature of quishing creates a practical ceiling on what training can accomplish.

A core principle of traditional phishing awareness is the ability to hover over a suspicious link and inspect the destination URL before clicking. That defense does not exist with QR codes. The destination is invisible until the code is scanned, and even after scanning, many users proceed directly to the resulting page without examining the URL — particularly on mobile devices where URLs are displayed in truncated form in a small browser bar. Research from NordVPN found that 73% of Americans scan QR codes without verifying the destination. Training can move that number, but not eliminate the risk. And in a high-volume work environment where employees are processing dozens of emails per day, the cognitive overhead of treating every QR code as a potential threat is simply not sustainable.

The March 2026 campaign documented by researchers at 7AI illustrates this clearly. In that operation, attackers sent 28 phishing emails to enterprise inboxes across three waves. Every one of those emails passed SPF, DKIM, and DMARC authentication — the controls that tell receiving mail systems a message genuinely came from the domain it claims to come from. The QR codes were encoded inside BMP image attachments, structurally invisible to every text-based filter in the delivery path. No amount of user training would have changed the technical outcome: the emails looked legitimate because they were engineered to pass every automated legitimacy check that existed. Those 28 detected emails were estimated to be part of a broader campaign of more than 1.6 million emails sent to other organizations.

What Effective Defense Actually Requires

Stopping quishing requires closing the architectural gap that makes it effective in the first place: email security tools need to be able to see inside QR code images, decode the URLs they contain, and evaluate those URLs against threat intelligence before the email reaches the inbox. This sounds straightforward, but it requires capabilities that most traditional Secure Email Gateways were not designed to provide.

Effective quishing defense, as implemented in modern email security platforms, involves optical character recognition capable of identifying QR codes in images regardless of their visual styling, real-time URL reputation analysis of the decoded destination, and — critically — CPU-level threat analysis that can evaluate the behavior of a destination URL at the assembly code level rather than relying solely on known-bad domain lists. This last capability matters because quishing campaigns frequently use newly registered domains or freshly compromised legitimate sites that have no prior reputation in threat intelligence feeds. A defense that only blocks known-bad URLs will always be one step behind an attacker using a fresh domain.
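To make the architectural point concrete, here is an added example of the inspection step described above: a small Python pipeline that parses a MIME message, pulls every image attachment (BMP included), hands each one to a QR decoder, and evaluates the decoded payload against a URL policy before the message would be released to the inbox. This is illustrative code written for this article, not code from any email security product named here. The decoder is injected as a callable so the example runs offline; the `constructed_decoder` and the sample message are constructed stand-ins (a real deployment would plug in a library such as pyzbar, which is an assumption and not used below), and the shortener and allowed-login-host lists are illustrative placeholders, not a real threat intelligence feed.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse

# A decoder takes raw image bytes and returns the QR payload, or None if no code is found.
Decoder = Callable[[bytes], Optional[str]]

# Illustrative policy data (constructed for this example, not a real intelligence feed).
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Hosts the organization's identity platform legitimately uses for sign-in (constructed).
ALLOWED_LOGIN_HOSTS = {"login.microsoftonline.com"}
LOGIN_KEYWORDS = ("login", "signin", "mfa", "verify")


def image_parts(msg: EmailMessage) -> Iterable[tuple[str, bytes]]:
    """Yield (filename, raw bytes) for every image part, whatever the image format."""
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            yield part.get_filename() or "<inline>", part.get_payload(decode=True)


def assess_url(payload: str) -> list[str]:
    """Return policy findings for a decoded QR payload; an empty list means nothing was flagged."""
    findings: list[str] = []
    parsed = urlparse(payload)
    if parsed.scheme not in ("http", "https"):
        # Wi-Fi configs, vCards and plain text are not URLs; nothing to evaluate here.
        return findings
    host = (parsed.hostname or "").lower()
    if host in KNOWN_SHORTENERS:
        findings.append("shortener: final destination cannot be determined from the code")
    if host.replace(".", "").isdigit():
        findings.append("raw IP address used as host")
    if any(k in payload.lower() for k in LOGIN_KEYWORDS) and host not in ALLOWED_LOGIN_HOSTS:
        findings.append("login-themed URL on a host outside the allowed identity providers")
    return findings


def scan_message(raw: bytes, decoder: Decoder) -> dict[str, list[str]]:
    """Decode every image in a raw RFC 822 message; return {filename: findings} for images carrying a QR code."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results: dict[str, list[str]] = {}
    for name, data in image_parts(msg):
        qr_payload = decoder(data)
        if qr_payload is None:
            continue  # image without a QR code: nothing to inspect
        results[name] = assess_url(qr_payload)
    return results


# Constructed sample attachment: a fake BMP header padded with zeros. It is not a real image;
# constructed_decoder() below returns the payload a real decoder would extract from it.
SAMPLE_IMAGE = b"BM" + b"\x00" * 60


def build_sample_message() -> bytes:
    """Construct an MFA re-enrollment pretext email with the sample BMP attached (sample data only)."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Action required: MFA re-enrollment"
    msg.set_content("Scan the attached QR code to keep access to your account.")
    msg.add_attachment(SAMPLE_IMAGE, maintype="image", subtype="bmp", filename="mfa-enroll.bmp")
    return msg.as_bytes()


def constructed_decoder(data: bytes) -> Optional[str]:
    """Stand-in for a real QR decoder: recognizes only the constructed sample image."""
    return "https://bit.ly/mfa-login" if data == SAMPLE_IMAGE else None


if __name__ == "__main__":
    for filename, findings in scan_message(build_sample_message(), constructed_decoder).items():
        verdict = "HOLD" if findings else "RELEASE"
        print(f"{filename}: {verdict}")
        for f in findings:
            print(f"  - {f}")
```

The important design choice is that the verdict is produced at delivery time, before the message reaches the inbox, and that it does not depend on the URL already being known-bad: a shortener or an unfamiliar host with a login-themed path is held for further analysis even though no feed has ever seen it. A production pipeline would replace the constructed decoder with a real one and the placeholder lists with the organization's identity provider hosts and its threat intelligence.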

The speed of that analysis also matters operationally. Legacy sandbox approaches can take twenty minutes or more to return a verdict on a suspicious URL, which creates an unacceptable choice between security and productivity. Modern approaches, including those implemented in Acronis Advanced Email Security, are designed to return verdicts in seconds to milliseconds, maintaining normal mail flow without forcing users to wait for email that has been quarantined for extended analysis.

At palmiq, we help organizations evaluate and deploy email security that meets this standard — not because it is the latest product on the market, but because the threat data makes clear that the architectural gap quishing exploits is real and the legacy tools most organizations are relying on were not designed to close it. For our clients in K-12 education, government contracting, healthcare, and commercial services, the question is not whether quishing poses a risk, but how quickly they can close the gap between their current protection and what the threat actually requires.


Four Steps to Reduce Your Quishing Risk Today

While no single measure eliminates quishing risk entirely, there are four concrete steps organizations can take immediately to meaningfully reduce exposure. The first is an honest assessment of your current email security capabilities. If your organization is relying on Microsoft Defender or a legacy SEG as its primary email protection, understand whether it has QR code image scanning enabled and what threat intelligence it uses to evaluate decoded URLs. The absence of that capability is the blind spot attackers are counting on.

The second step is to ensure that your endpoint detection and mobile device management policies extend meaningful protection to the mobile devices employees use for work. If your corporate security posture essentially ends at the corporate laptop, you have already accepted the vulnerability that quishing campaigns are designed to exploit. Managed device policies, mobile threat defense, and web filtering that applies to mobile browsers are not optional extras for organizations with meaningful quishing exposure — they are baseline requirements.

Third, update your security awareness training to include quishing as a specific scenario. Employees cannot defend against a threat they have never heard of. A focused training module that explains what quishing is, demonstrates what a quishing email looks like in practice, and establishes a clear protocol for reporting suspicious QR codes will reduce click rates meaningfully — not to zero, but enough to matter.

Fourth, establish a clear incident response protocol for credential compromise. When — not if — a quishing attack successfully harvests credentials from someone in your organization, having a tested playbook that includes immediate password reset, session token invalidation, and affected-account audit will determine whether that compromise remains an isolated incident or becomes a multi-week breach investigation. The organizations that handle these incidents best are the ones that practiced the response before they needed it.

The Threat Has Evolved. Your Defense Should Too.

Quishing is not a sophisticated threat in the sense that it requires deep technical sophistication to deploy. It is sophisticated in the sense that matters most in security: it is precisely calibrated to exploit the specific gaps in how most organizations have built their email security architecture. It bypasses text-based filters because it is an image. It bypasses endpoint protection because it executes on personal mobile devices. It bypasses user vigilance because the destination is invisible until after the decision to scan has already been made.

That combination of evasion techniques, combined with the industrial volume at which these campaigns now operate, makes quishing one of the most consequential threat developments in enterprise security in recent years. The organizations that recognize that reality and adjust their defenses accordingly will be significantly better positioned than those that treat this as a training problem rather than an architectural one.

palmiq works with organizations across education, government contracting, healthcare, and commercial services to build cybersecurity programs that protect against the threats that actually exist today, not just the ones that were common three years ago. If you would like to understand where your current email security stands against modern quishing techniques, we are happy to walk through your current configuration and identify the gaps that matter most.
