Cybercriminals have picked up on the fact that QR codes have less chance of being picked up by cybersecurity defences than links or attachments. So now they are trying to exploit them.
To clarify, cybercriminals are organising their phishing email campaigns containing QR codes rather than links or attachments, all designed to steal login for Microsoft 365 cloud applications.
Microsoft 365 enterprise cloud services are a prime target for cyber criminals wanting to steal usernames and passwords. Once stolen the criminals then use to exploit and launch malware or ransomware attacks or sell the stolen logins on the dark web to other criminals, and they use them for their own campaigns.
In other words, cybercriminals are always looking to design their phishing websites to look authentic. That way when an unsuspecting victim clicks on a phishing link their quick to hand over their login username and passwords. Afterall, it looks just like the usual Microsoft login page.
A recent campaign aptly known as a “quishing” attack sent hundreds and hundreds of phishing emails detailed by cybersecurity researchers at Abnormal Security that attempted to use QR codes. All craftily designed by the hackers to bypass email security and steal logins.
Because standard email security protections such as URL scanners won’t detect there is a suspicious link or attachment in the message, QR codes can be useful in attempts at malicious activity by these cybercriminals.

To legitimatise themselves, cybercriminals send emails from accounts used by real people at real companies to add an aura of legitimacy to their emails, to gain trust for the campaigns they run. However, it’s not evident exactly how the attackers gained controls of the accounts in the first place for use in their campaigns.
Firstly, the victim is asked via phishing email to scan a QR code to listen to a voice recording claiming to come from the email sender who they trust.
In an earlier campaign the tricksters used a malicious URL by hiding it behind an audio file, in that previous version of the campaign. But in that instance the malicious attack was detected by antivirus security software and fizzled out. So, this led the attackers to switch to QR codes to infiltrate email defences. Because using the QR codes method can more easily bypass email protections.
Secondly, the victim needs to follow a few more clicks and steps before they inadvertently give away their login credentials.
- To initiate the user needs to scan the QR code. So, if they’re opening the email on a mobile, they’ll struggle to do this without a second phone.
But if the victims don’t suspect anything is amiss, they can simply following the instructions and quickly and easily, give away their credentials.
Rachelle Chouinard, threat intelligence analyst at Abnormal Security says, “the use of the QR code presents a unique challenge to those security platforms that look for known bad, as these emails come from legitimate accounts and contain no links, only seemingly benign images appearing to contain no malicious URLs.”
Rachelle goes on to say that “it’s only by understanding that the account is compromised — combined with an understanding of the intent of the email — that this new (and fairly innovative) attack type can be detected.”
As a result, email users should be wary of scanning QR codes presented in messages and double check they are genuine. Most importantly, even if they are coming from a known contact, to stay safe from quishing emails.
And to help protect login details from being stolen it is worth applying multi-factor authentication to all Microsoft 365 accounts.