
QR Code Phishing (Quishing): The Email Security Threat Bypassing Your Filters in 2026
Your email security gateway is scanning every link. Your spam filters are tuned. Your team has been through phishing awareness training. And then someone in accounting scans a QR code from what looks like a Microsoft account verification email — and hands their credentials directly to an attacker in Eastern Europe.
This is quishing: QR code phishing. And in 2026, it has become one of the fastest-growing and most effective email-based attack vectors targeting businesses of every size.
The worst part? Most traditional email security tools are nearly blind to it.
What Is Quishing — and Why Is It Working So Well?
Quishing is a phishing attack delivered via a QR code embedded in an email, a document, or even a physical object like a flyer or package insert. Instead of including a malicious hyperlink that security filters can inspect and block, attackers embed the destination URL inside a QR code image. The email arrives clean. No suspicious links. No flagged domains. Just an image.
When the recipient scans the QR code — typically with their personal smartphone — they're redirected to a credential harvesting page, a malicious file download, or a fake login portal designed to capture usernames, passwords, and even multi-factor authentication tokens in real time.
The attack is elegant in its simplicity, and it exploits three compounding weaknesses simultaneously:
- Email security tools analyze text and URLs, not images. Most secure email gateways (SEGs) were built to extract hyperlinks and attachments and check them against reputation and sandboxing services. Unless the gateway decodes QR codes, a QR image is just a JPEG or PNG with no URL in it to check.
- Scanning happens on personal mobile devices. When an employee scans a QR code with a phone, the browser session that follows runs outside the corporate network, bypassing the endpoint detection, web filtering, and DNS security controls that protect managed laptops.
- QR codes carry implicit trust. Years of legitimate QR code use (restaurant menus, authenticator app enrollment, contactless payments) have conditioned people to scan without hesitation.
The Numbers Are Alarming
The scale of quishing attacks has grown dramatically. According to research from Abnormal Security, QR code phishing attacks increased by over 587% in a single six-month period. A 2025 report from Hoxhunt found that quishing now accounts for nearly 11% of all credential phishing attempts against enterprise organizations. And because the scan usually happens on a personal phone, often one enrolled in a bring-your-own-device (BYOD) program with limited security controls, the path from delivery to compromise passes through far fewer controls than a click on a managed laptop.
The FBI's Internet Crime Complaint Center (IC3) flagged quishing as an emerging priority threat in its 2025 annual report, noting a sharp rise in incidents involving corporate credential theft and subsequent wire fraud — a combination that should concern any business with financial controls or sensitive data.
How a Quishing Attack Actually Unfolds
Understanding the attack chain is essential for building a defense. Here's a typical quishing scenario targeting a mid-size business:
Stage 1: The Lure
An employee receives an email that appears to come from Microsoft, DocuSign, their payroll provider, or even their own IT department. The message creates urgency: "Your account requires immediate verification," or "You have a pending document waiting for your signature." The email body contains a QR code and instructions to scan it with their phone to complete the action.
Stage 2: The Scan
The employee, perhaps on a busy Tuesday morning, scans the code with their personal iPhone or Android device. Their phone's camera opens a browser — outside of any corporate security controls — and loads a convincing replica of a Microsoft 365 login page or another familiar service.
Stage 3: Credential Capture and AiTM
Modern quishing campaigns often use Adversary-in-the-Middle (AiTM) proxy frameworks such as Evilginx or Modlishka. The phishing page is a reverse proxy in front of the real login service: the victim's username, password, and MFA response (a one-time code or a push approval) are relayed to the legitimate service in real time, the service issues a session cookie, and the proxy copies it on the way back. The victim lands on the real site, logged in and none the wiser. The attacker now holds a valid, authenticated session cookie and can replay it from their own browser without triggering MFA again.
Stage 4: Post-Compromise Activity
With authenticated access to a Microsoft 365 account, for example, the attacker can read emails, set up forwarding rules to a covert external address, search for financial information, impersonate the victim in business email compromise schemes, or pivot deeper into the organization's cloud environment.
The entire chain from QR scan to inbox access can take less than three minutes.
Why Your Current Email Security Setup May Not Be Enough
Most businesses invest in some form of email filtering — whether that's Microsoft Defender for Office 365, a third-party secure email gateway, or the basic spam filtering built into their mail platform. These tools are valuable, but they were architected around a threat model that predates the quishing surge.
The core problem: Email security tools that rely on URL reputation scanning, domain analysis, and link following cannot analyze the contents of a QR code image embedded in an email. Unless your email security platform has been specifically updated with QR code image-scanning and URL extraction capabilities, those emails are passing through clean.
Several next-generation email security vendors — including Abnormal Security, Proofpoint, and Microsoft itself — have added QR code-aware scanning in recent updates. But deployment, configuration, and coverage vary. Many businesses using older configurations or out-of-the-box settings remain exposed.
Additionally, even the best technical controls face a fundamental gap: the scan happens off-network, on an unmanaged device. This is a problem that technology alone cannot fully solve.
Who Is Being Targeted?
Quishing attacks are not limited to large enterprises. In fact, small and mid-size businesses are disproportionately targeted because attackers know that SMBs often have weaker email security configurations, less security-aware employees, and fewer controls over mobile devices.
Industries seeing elevated quishing activity include:
- Financial services and accounting firms — targeted for wire transfer fraud and access to client financial data
- Healthcare organizations — targeted for PHI and credential access to billing and EHR systems
- Legal firms — targeted for client communications, sensitive case files, and trust account access
- Professional services and consulting firms — targeted for M&A intelligence, client relationships, and financial data
- Manufacturing and supply chain companies — targeted to facilitate vendor impersonation and invoice fraud
If your business handles money, sensitive client data, or operates in a regulated industry, quishing is a threat you need to be actively managing right now.
A Multi-Layer Defense Against Quishing
Defending against quishing requires a layered approach that combines updated technical controls, mobile device policy, and ongoing human awareness. Here's what that looks like in practice:
1. Upgrade Your Email Security to QR-Aware Scanning
This is the most urgent technical step. Ensure that your email security platform — whether Microsoft Defender, Proofpoint, Mimecast, or another solution — has QR code image-scanning capabilities enabled and properly configured. These features extract the embedded URL from QR code images and submit them to the same URL reputation and sandboxing analysis as conventional links.
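The "just an image" problem described earlier, and the extraction that QR-aware scanning performs in this step, look like this in code. This is an added example written for this page, not code from the article or from any vendor's product. It assumes the QR decode step is supplied by a decoder function; the pyzbar_decoder shown uses the pyzbar and Pillow packages, an assumed optional dependency, and the brand list, shortener list, sample lure and decoded URL are constructed.

```python
"""Pull inline images out of an email and triage whatever a QR decoder finds in them.

Added example; not code from the article or from any email security vendor.
The decode step is pluggable: scan_email takes any decoder(image_bytes) -> list[str].
pyzbar_decoder uses pyzbar and Pillow, an assumed optional dependency, so the
parsing and URL triage run without it. Lists and the sample lure are constructed.
"""
import email
import io
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, unquote, urlparse

BRAND_WORDS = ("microsoft", "office365", "docusign", "sharepoint", "onedrive")       # constructed
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "rebrand.ly", "qrco.de", "is.gd"}    # constructed
NESTED_URL = re.compile(r"https?://", re.I)
EMAIL_ADDR = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def find_inline_images(raw_eml: bytes) -> list:
    """Return (content_id, content_type, image_bytes, referenced_by_html) for every image part.

    A lure normally embeds the code as an inline image the HTML body references via
    cid:, so the last flag separates what the recipient sees from a stray attachment.
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    html = msg.get_body(preferencelist=("html",))
    cids = set(re.findall(r'src\s*=\s*["\']cid:([^"\']+)', html.get_content(), re.I)) if html else set()
    images = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            cid = (part.get("Content-ID") or "").strip("<>")
            images.append((cid, part.get_content_type(), part.get_payload(decode=True), cid in cids))
    return images


def triage_url(decoded: str) -> tuple:
    """Apply to a decoded QR payload the checks a gateway applies to a clickable link."""
    payload = decoded.strip()
    if payload[:4].upper() == "URL:":                     # one of the QR 'URL:' prefix forms
        payload = payload[4:]
    url = urlparse(payload if "://" in payload else "http://" + payload)
    host = (url.hostname or "").lower()
    labels = host.split(".")
    registrable, subdomain = ".".join(labels[-2:]), ".".join(labels[:-2])  # naive split, no public-suffix list
    findings = []
    if url.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {url.scheme}")
    if "xn--" in host:
        findings.append("punycode/IDN host")
    if host in SHORTENERS:
        findings.append("link shortener hides final destination")
    if any(b in subdomain for b in BRAND_WORDS) and not any(b in registrable for b in BRAND_WORDS):
        findings.append(f"brand name in subdomain of unrelated domain {registrable}")
    for key, values in parse_qs(url.query).items():
        if any(NESTED_URL.search(v) for v in values):
            findings.append(f"nested URL in query parameter {key} (redirector pattern)")
    if EMAIL_ADDR.search(unquote(url.query) + " " + unquote(url.fragment)):
        findings.append("victim email embedded in URL (prefilled login page)")
    return url.geturl(), findings


def pyzbar_decoder(image_bytes: bytes) -> list:
    """Default decoder: pyzbar + Pillow (assumed optional dependency, imported lazily)."""
    from PIL import Image              # type: ignore
    from pyzbar.pyzbar import decode   # type: ignore
    return [sym.data.decode("utf-8", "replace") for sym in decode(Image.open(io.BytesIO(image_bytes)))]


def scan_email(raw_eml: bytes, decoder=pyzbar_decoder) -> list:
    """Decode every image in the message and triage each payload as if it were a link."""
    results = []
    for cid, ctype, data, inline in find_inline_images(raw_eml):
        for payload in decoder(data):
            url, findings = triage_url(payload)
            results.append({"cid": cid, "content_type": ctype, "inline": inline, "url": url, "findings": findings})
    return results


def build_sample_lure() -> bytes:
    """Constructed 'verify your account' lure with an inline image; the image bytes are a placeholder."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Account Team <no-reply@account-verify.example>"
    msg["To"] = "jdoe@victim.example"
    msg["Subject"] = "Action required: verify your Microsoft 365 account"
    msg.set_content("Scan the code with your phone to complete verification.")
    msg.add_alternative("<p>Scan the code with your phone to complete verification.</p>"
                        '<img src="cid:qr1" alt="verification code">', subtype="html")
    msg.get_payload()[1].add_related(b"\x89PNG\r\n\x1a\n<placeholder>", maintype="image", subtype="png", cid="<qr1>")
    return msg.as_bytes()


if __name__ == "__main__":
    # Stand-in decoder returning the kind of URL such a lure encodes (constructed), so this runs offline.
    fake = lambda _img: ["https://login.microsoft.com.account-verify.example/auth"
                         "?next=https%3A%2F%2Flogin.microsoftonline.com%2F#jdoe@victim.example"]
    for hit in scan_email(build_sample_lure(), decoder=fake):
        print(hit)
```

Run as a script it uses the stand-in decoder; point scan_email at a real .eml with the default decoder to see what a gateway without this step never inspects. The registrable-domain split is deliberately naive (no public-suffix list) and the brand and shortener lists are starting points, not a product's threat intelligence.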
If you're not sure whether your current configuration covers this, that's a red flag. Layer27's Safe Start and Protect Pro managed security packages include email security configuration reviews as part of ongoing service delivery, ensuring your controls are current and covering emerging threat vectors like quishing — not just the threat landscape of three years ago.
2. Implement DNS Filtering That Travels with the Device
Since QR code scanning bypasses the corporate network entirely, you need security controls that go wherever your employees go. DNS-layer security solutions, such as Cisco Umbrella or similar platforms, can be deployed as lightweight agents or configuration profiles on managed laptops and on enrolled mobile devices, blocking malicious domains even when employees are off-network.
This is especially critical for organizations with BYOD policies, and it comes with a caveat: a personal phone that is not enrolled in management has no agent or profile, so a QR code scanned with its camera app resolves and loads with no filtering at all. If personal phones are allowed to access corporate email or cloud applications, they need at least some layer of protection, which in practice means enrollment (see the mobile device policy section below).
3. Harden Your Identity and Access Controls
Because quishing attacks specifically target credentials — and because AiTM frameworks can bypass standard MFA — hardening your identity posture is essential:
- Deploy phishing-resistant MFA using FIDO2 security keys or passkeys wherever possible. Unlike TOTP codes or push approvals, which a proxy simply relays, a FIDO2 response is bound to the web origin the browser is on and to the relying-party ID the credential was registered under. A proxy on a lookalike domain either gets no response at all, because the browser refuses the origin, or gets one the real service rejects, because the signed origin does not match.
- Enable Conditional Access policies in Microsoft Entra ID (formerly Azure AD) that require a compliant or managed device for sensitive application access, and require a phishing-resistant authentication strength where users hold FIDO2 credentials. Because the proxied login from the victim's personal phone is what produces the session, a policy that rejects unmanaged devices prevents the token from being issued at all. Note the limit of this control: a cookie already issued to a compliant device can still be replayed from elsewhere unless sign-in tokens are bound to the device, which is what Entra's token protection session control is for.
- Enable continuous access evaluation (CAE) so that critical events, such as the account being disabled, a password reset, or a request arriving from outside your allowed named locations, revoke the session in near real time instead of waiting for the token to expire. Pair it with risk-based Conditional Access so that a sign-in Entra flags as risky, for example one from an unexpected country, is challenged or blocked automatically.
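A small simulation of the property behind the first bullet, and of why the Stage 3 proxy works against codes and push approvals but not against FIDO2. This is an added example, not part of the original article and not how Entra, a browser, or any authenticator is implemented. It assumes an HMAC over the same fields a real authenticator signs (authenticator data carrying the RP ID hash, plus the hash of the client data that carries the browser's origin) as a stand-in for the public-key signature, so it runs with the standard library only; the proxy hostname is constructed.

```python
"""Why a FIDO2 assertion does not survive an AiTM proxy but a one-time code does.

Added example; not the article's code and not how Entra or any authenticator is
implemented. HMAC stands in for the public-key signature (assumption); the fields
signed are the ones WebAuthn signs: authenticator data (with the RP ID hash) plus
the hash of client data (with the browser's origin). Hostnames are constructed.
"""
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "login.microsoftonline.com"                                         # RP ID the credential was registered under
LEGIT_ORIGIN = "https://login.microsoftonline.com"
PROXY_ORIGIN = "https://login.microsoftonline.com.account-verify.example"   # constructed AiTM host


def origin_within_rp(origin: str, rp_id: str) -> bool:
    """Browser-side rule: the page's host must be the RP ID or a subdomain of it."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """A passkey or security key: one secret per RP that never leaves the device."""

    def __init__(self):
        self.keys = {}

    def register(self, rp_id: str) -> bytes:
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]          # stands in for the public key the RP stores at registration

    def get_assertion(self, rp_id: str, challenge: bytes, origin: str, browser_check: bool = True) -> dict:
        if browser_check and not origin_within_rp(origin, rp_id):
            raise PermissionError(f"{origin} is not within RP ID {rp_id}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"  # rpIdHash, flags, counter
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.keys[rp_id], signed, "sha256").digest()
        return {"client_data": client_data, "auth_data": auth_data, "signature": sig}


def rp_verify(challenge: bytes, assertion: dict, cred_key: bytes) -> bool:
    """The relying party's checks: challenge, origin, RP ID hash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != LEGIT_ORIGIN:      # the origin is inside the signed bytes; a proxy cannot rewrite it
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, signed, "sha256").digest(), assertion["signature"])


def hotp_code(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP; an authenticator app's TOTP is this with counter = unix_time // 30."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    off = mac[-1] & 0x0F
    return f"{(struct.unpack('>I', mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000:06d}"


def scenario_fido2(aitm: bool, browser_check: bool = True) -> str:
    """The real RP issues a challenge; with aitm=True the proxy shows it on its own page."""
    auth = Authenticator()
    cred_key = auth.register(RP_ID)
    challenge = secrets.token_bytes(32)
    try:
        assertion = auth.get_assertion(RP_ID, challenge, PROXY_ORIGIN if aitm else LEGIT_ORIGIN, browser_check)
    except PermissionError:
        return "browser refused"
    return "session issued" if rp_verify(challenge, assertion, cred_key) else "rp rejected"  # proxy forwards as-is


def scenario_totp_relay() -> str:
    """Six digits typed into the proxy's page are the digits the RP expects; nothing binds them to an origin."""
    seed = secrets.token_bytes(20)
    typed_into_proxy = hotp_code(seed, 12345)
    return "session issued" if hotp_code(seed, 12345) == typed_into_proxy else "rp rejected"


if __name__ == "__main__":
    print("legit FIDO2:           ", scenario_fido2(aitm=False))
    print("AiTM vs FIDO2:         ", scenario_fido2(aitm=True))
    print("AiTM, broken RP check: ", scenario_fido2(aitm=True, browser_check=False))
    print("AiTM vs TOTP:          ", scenario_totp_relay())
```

The two FIDO2 failure paths are the point: a conforming browser never produces an assertion for the proxy's origin, and even a browser that did would hand over an assertion whose signed origin the real service rejects. The relayed HOTP/TOTP code, by contrast, carries nothing the service can tie to where it was typed.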
Layer27's Infrastructure Pro and Co-Managed IT clients benefit from identity hardening reviews that include Conditional Access policy audits specifically designed to reduce the impact of credential theft scenarios.
4. Deploy Managed Detection & Response With Email Telemetry
Technical controls catch what they're configured to catch. What happens when something slips through? This is where Managed Detection & Response (MDR) becomes critical. A well-integrated MDR solution ingests email security telemetry, identity logs, and endpoint data simultaneously — enabling analysts to detect post-compromise behavior that individual tools might miss in isolation.
At Layer27, our MDR service, backed by 24x7 SOC operations, monitors for the behavioral indicators of quishing-related compromise: anomalous inbox rule creation, impossible travel events, sudden bulk email access, and lateral movement patterns. When an attacker is active in a compromised account at 2 AM, our team is there to contain it — not waiting for a Monday morning alert review.
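The indicators named above (hostile inbox rule creation, impossible travel) and the covert forwarding rules described under Stage 4, as detection logic run over log records. This is an added example, not Layer27's or Microsoft's code. It assumes record shapes modeled on the Microsoft 365 Unified Audit Log (Exchange operations with a Parameters array) and on Entra ID sign-in logs (Graph signIn objects with location.geoCoordinates); every record, address, IP and coordinate is constructed.

```python
"""Post-compromise detections for a quishing account takeover, run over log records.

Added example; not Layer27's or Microsoft's code. Record shapes follow the
Microsoft 365 Unified Audit Log (Exchange operations carry a Parameters array)
and Entra ID sign-in logs (Graph signIn objects with location.geoCoordinates);
every record, address, IP and coordinate below is constructed.
"""
import json
import math
from datetime import datetime

INTERNAL_DOMAIN = "victim.example"                                               # constructed tenant
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "deleted items", "archive", "junk email"}


def _rule(op, time, user, ip, **params):
    """Constructed audit record shaped like an Exchange inbox-rule operation."""
    return json.dumps({"CreationTime": time, "Operation": op, "UserId": user, "ClientIP": ip,
                       "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]})


def _signin(time, user, ip, city, lat, lon):
    """Constructed sign-in record shaped like a Graph signIn object."""
    return json.dumps({"createdDateTime": time, "userPrincipalName": user, "ipAddress": ip,
                       "status": {"errorCode": 0},
                       "location": {"city": city, "geoCoordinates": {"latitude": lat, "longitude": lon}}})


AUDIT_LINES = [
    _rule("New-InboxRule", "2026-02-10T08:35:11", "jdoe@victim.example", "197.210.0.12", Name=".",
          ForwardTo="finance.archive@proton-mail.example", DeleteMessage="True", SubjectContainsWords="invoice;wire"),
    _rule("New-InboxRule", "2026-02-10T09:02:45", "asmith@victim.example", "203.0.113.7", Name="Project updates",
          MoveToFolder="Projects", From="updates@vendor.example"),
    _rule("Set-InboxRule", "2026-02-10T09:10:02", "bkim@victim.example", "203.0.113.9", Identity="Rule1",
          MoveToFolder="RSS Subscriptions", MarkAsRead="True"),
]
SIGNIN_LINES = [
    _signin("2026-02-10T08:14:02Z", "jdoe@victim.example", "198.51.100.23", "Columbus", 39.96, -82.99),
    _signin("2026-02-10T08:31:40Z", "jdoe@victim.example", "197.210.0.12", "Lagos", 6.45, 3.39),
    _signin("2026-02-10T08:40:00Z", "asmith@victim.example", "203.0.113.7", "Columbus", 39.96, -82.99),
    _signin("2026-02-10T12:40:00Z", "asmith@victim.example", "203.0.113.88", "Chicago", 41.88, -87.63),
]


def _external(addr: str) -> bool:
    return "@" in addr and addr.lower().rsplit("@", 1)[1] != INTERNAL_DOMAIN


def flag_inbox_rules(lines) -> list:
    """Rules that forward mail out, delete it, or bury it in a folder nobody reads."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        reasons = [f"{'external' if _external(params[n]) else 'internal'} forward to {params[n]}"
                   for n in FORWARD_PARAMS if n in params]
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage")
        if params.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
            reasons.append(f"MoveToFolder={params['MoveToFolder']}")
        if reasons and params.get("MarkAsRead", "").lower() == "true":   # only suspicious alongside another reason
            reasons.append("MarkAsRead")
        if reasons:
            alerts.append({"user": rec["UserId"], "time": rec["CreationTime"], "ip": rec.get("ClientIP"),
                           "operation": rec["Operation"], "reasons": reasons})
    return alerts


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def flag_impossible_travel(lines, max_kmh: float = 900.0) -> list:
    """Consecutive successful sign-ins by one user that would need faster-than-airliner travel."""
    by_user = {}
    for line in lines:
        rec = json.loads(line)
        if rec.get("status", {}).get("errorCode", 0) != 0:      # failed sign-ins are a separate detection
            continue
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["createdDateTime"])
        for prev, cur in zip(recs, recs[1:]):
            g0, g1 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(g0["latitude"], g0["longitude"], g1["latitude"], g1["longitude"])
            t0 = datetime.fromisoformat(prev["createdDateTime"].replace("Z", "+00:00"))
            t1 = datetime.fromisoformat(cur["createdDateTime"].replace("Z", "+00:00"))
            hours = max((t1 - t0).total_seconds(), 1.0) / 3600   # floor at one second so same-instant logins still score
            if km / hours > max_kmh:
                alerts.append({"user": user, "km": round(km), "minutes": round(hours * 60, 1), "kmh": round(km / hours),
                               "from": (prev["location"]["city"], prev["ipAddress"]),
                               "to": (cur["location"]["city"], cur["ipAddress"])})
    return alerts


def correlate(rule_alerts, travel_alerts) -> dict:
    """Per-user indicator list; two independent indicators on one account is the escalation trigger."""
    indicators = {}
    for a in rule_alerts:
        indicators.setdefault(a["user"], set()).add("hostile inbox rule")
    for a in travel_alerts:
        indicators.setdefault(a["user"], set()).add("impossible travel")
    return {user: sorted(inds) for user, inds in indicators.items()}


if __name__ == "__main__":
    rules, travel = flag_inbox_rules(AUDIT_LINES), flag_impossible_travel(SIGNIN_LINES)
    for user, inds in correlate(rules, travel).items():
        print(user, "->", ", ".join(inds), "(escalate)" if len(inds) > 1 else "")
```

In the constructed data only jdoe trips both detections, from the same Lagos IP that created the forwarding rule, which is the pattern an analyst escalates; bkim's rule alone warrants a look, and asmith's ordinary Columbus-to-Chicago afternoon does not fire. Real tenants need a public-suffix-aware notion of "external" and a tolerance for VPN egress points, but the two detections stay the same.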
5. Make QR Code Awareness a Core Training Topic
This is non-negotiable. Your employees are the last line of defense against quishing, and right now, most of them have never heard the term. Security Awareness Training needs to explicitly address QR code threats — not just as a footnote in annual phishing training, but as a dedicated module with simulated quishing exercises.
Employees need to understand:
- Legitimate account-verification and document-signature emails link to the service; the one common legitimate QR code, enrolling an authenticator app, appears on a page you navigated to yourself, never in an unsolicited email
- QR codes in unsolicited emails should be treated with the same suspicion as unknown links
- When in doubt, navigate directly to the service in question rather than scanning
- How to report suspected quishing attempts to IT
Layer27's Security Awareness Training program includes regularly updated phishing simulation content — including quishing simulations — that reflect the current threat landscape, not last year's playbook.
6. Establish a Mobile Device Policy With Teeth
If employees are using personal phones to access corporate email, cloud applications, or business data, your organization needs a formal mobile device management (MDM) or mobile application management (MAM) policy. At minimum, this means:
- Requiring a PIN or biometric lock on devices that access corporate resources
- Enforcing corporate email access only through managed or MAM-enrolled apps
- Having the ability to remotely wipe corporate data from a device in the event of compromise
- Considering whether certain high-risk roles should be restricted from BYOD access entirely
What Happens After a Successful Quishing Attack?
Even with the best defenses, breaches happen. Organizations that respond quickly and effectively limit the damage dramatically compared to those that discover compromises days or weeks later.
A quishing-enabled account takeover can rapidly escalate to:
- Business Email Compromise and wire fraud
- Ransomware deployment if the attacker pivots from cloud credentials to on-premises systems
- Data exfiltration and regulatory breach notification requirements
- Extended operational disruption
This is why incident response preparation and data protection are inseparable from email security. Layer27's Backup-as-a-Service (BaaS) and Disaster Recovery-as-a-Service (DRaaS) ensure that even in a worst-case scenario — where an attacker has caused data loss or triggered a ransomware deployment after initial quishing compromise — your business can recover quickly with minimal data loss and downtime.
For organizations in regulated industries, a credential compromise resulting in unauthorized data access may also trigger HIPAA, PCI-DSS, or state privacy law breach notification requirements. Layer27's Compliance practice can help you understand your notification obligations and respond appropriately.
A Practical Quishing Defense Checklist for Business Leaders
Here's a condensed action list you can bring to your IT team or managed services partner today:
- [ ] Confirm your email security platform has QR code image-scanning enabled
- [ ] Review and tighten Conditional Access policies for Microsoft 365 and other cloud applications
- [ ] Deploy or validate DNS filtering on all devices — including mobile
- [ ] Audit MFA methods in use and prioritize phishing-resistant FIDO2 deployment for privileged users
- [ ] Add quishing to your next security awareness training cycle
- [ ] Run a simulated quishing campaign to measure employee susceptibility
- [ ] Review your mobile device and BYOD policy
- [ ] Ensure MDR or 24x7 SOC coverage includes email and identity telemetry
- [ ] Confirm your incident response plan covers account takeover scenarios
Don't Wait for the Scan That Costs You Everything
QR code phishing is not a theoretical threat or an emerging trend to monitor for next year. It is happening right now, to businesses like yours, across every industry and every state. The combination of filter evasion, mobile device blind spots, and AiTM credential theft makes quishing one of the hardest email threats to stop with controls that were designed around clickable links.
The businesses that get ahead of this are the ones that treat email security as a living, evolving program — not a checkbox they reviewed during last year's IT audit.
If you're not certain whether your current email security configuration can detect a QR code phishing attack, there's a good chance the answer is no.
Layer27 helps businesses across the United States build email security programs that keep pace with the real threat landscape — not yesterday's. Whether you need a targeted security assessment, updated email security configuration, employee awareness training, or fully managed detection and response, we're ready to help.
Contact Layer27 today to schedule a conversation about your email security posture.