Split and nested QR codes: The next generation of QR code attacks
Cybercriminals are always finding new ways to outsmart traditional security tools and “quishing” is one of the latest threats to emerge. Quishing, short for QR code phishing, involves embedding malicious links inside QR codes. When scanned, these codes lead unsuspecting users to fraudulent websites designed to steal credentials or sensitive information.
QR codes have become everyday tools for convenience – from restaurant menus to event tickets – but that familiarity makes them a perfect disguise for cybercriminals. Unlike a suspicious-looking URL or email link, a QR code is unreadable to the human eye.
These codes can also slip past traditional security measures such as email filters and link scanners. To make matters worse, users typically scan QR codes with their mobile devices, often outside the company’s secure network, which gives attackers an opportunity to strike without triggering standard corporate protections.
Evolving quishing tactics
As businesses and security tools catch up, attackers continue to innovate. Recently, threat researchers have uncovered two advanced QR-based phishing methods – split QR codes and nested QR codes (QR-in-QR) – both of which are designed to evade detection.
Split QR codes
A new phishing-as-a-service (PhaaS) kit called Gabagool has introduced a clever way to hide malicious content. Instead of placing one complete QR code in an email, attackers split it into two separate images. When email security systems scan the message, they see harmless image fragments, not a full QR code.
In a recent attack, threat analysts observed this method used in a fake Microsoft “password reset” campaign. The message appeared legitimate and was highly personalised – a sign that attackers might have hijacked a prior email conversation.
Visually, the QR code seems normal to the human eye, but under the hood, it’s composed of two image files that join together only when rendered in the email body. Once scanned, the code redirects victims to a fake Microsoft login page designed to harvest credentials.
The QR code in the image above looks complete; however, if you inspect the email’s HTML you will see that it actually comprises two different images, as shown below.
Nested QR codes
Another emerging technique, spotted in the Tycoon 2FA phishing platform, uses nested QR codes.
Here, one QR code is hidden inside another. The outer layer leads to a malicious URL, while the inner one points to a legitimate website such as Google.
This layering trick confuses scanners and sometimes results in ambiguous detections. To the recipient, it looks like a safe and familiar action – but one scan can expose sensitive information to attackers.
Defending against evolving QR threats
To protect against these advanced QR-based attacks, organizations should reinforce multiple layers of defence:
- Security awareness training to help employees spot suspicious QR code prompts.
- Multifactor authentication (MFA) to limit damage even if credentials are compromised.
- Advanced email security with multimodal AI, which can analyse both visual and contextual elements of an email.
Modern threat detection tools powered by AI can:
- Visually render attachments and message bodies to identify QR codes embedded in images.
- Decode and inspect QR destinations before a user ever interacts with them.
- Use sandboxing to observe real-time malicious behaviour.
- Employ deep image analysis and natural language models to identify phishing patterns, even when no text is present.
By combining optical character recognition (OCR), deep image analysis, and AI-driven content inspection, these tools can uncover even the stealthiest image-based attacks – including those that rely solely on QR codes.
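The split-QR layout described above (two inline images that only form a code once the HTML is rendered) and the "render, then decode" step in the list above can be bridged by a simple pre-filter. The following is an added example, not code from this post or any vendor product: it parses a MIME message with the Python standard library and flags groups of inline images that are rendered back to back with no visible text between them, which is the layout a split QR code needs. The sample email and its image bodies are constructed placeholders; a flagged group would be stitched in document order and handed to a real QR decoder.

```python
import email
import re
from email import policy

# Matches an inline <img> whose src is a cid: reference; captures the Content-ID.
INLINE_IMG = re.compile(r'<img\b[^>]*\bsrc=["\']cid:([^"\']+)["\'][^>]*>', re.I)
TAG = re.compile(r"<[^>]+>")


def split_qr_candidates(raw_message: str) -> list[list[str]]:
    """Return groups of two or more adjacent inline images, each backed by an
    image/* MIME part. Visible text between two images ends a group, so a group
    is exactly what an email client renders as one contiguous picture."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    image_cids = {p["Content-ID"].strip("<>") for p in msg.walk()
                  if p["Content-ID"] and p.get_content_maintype() == "image"}
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    html = body.get_content()
    groups, current, last_end = [], [], 0
    for m in INLINE_IMG.finditer(html):
        between = TAG.sub("", html[last_end:m.start()]).strip()
        if between and current:        # visible text breaks adjacency
            groups.append(current)
            current = []
        current.append(m.group(1))
        last_end = m.end()
    if current:
        groups.append(current)
    # Only groups where every fragment is a real image part are candidates.
    return [g for g in groups if len(g) > 1 and set(g) <= image_cids]


# Constructed sample in the split-QR layout from the post: two stacked inline
# images with no spacing; the image payloads are placeholders, not real PNGs.
SAMPLE_EMAIL = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Scan to reset your password.</p><table cellspacing="0">
<tr><td><img src="cid:top"></td></tr><tr><td><img src="cid:bottom"></td></tr>
</table><p>IT Support</p></body></html>
--b1
Content-Type: image/png
Content-ID: <top>

placeholder-bytes-for-top-half
--b1
Content-Type: image/png
Content-ID: <bottom>

placeholder-bytes-for-bottom-half
--b1--
"""

if __name__ == "__main__":
    print(split_qr_candidates(SAMPLE_EMAIL))  # [['top', 'bottom']]
```

The heuristic deliberately ignores images separated by text, so a signature logo next to a banner is not flagged; it is a cheap first pass to decide which messages are worth the more expensive render-and-decode step.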
Staying ahead of the threat
QR code phishing isn’t going away – it’s evolving. Cybercriminals are leveraging our trust in these small black-and-white squares to penetrate corporate defences. Staying vigilant, educating users and deploying AI-enhanced detection tools remain the best ways to keep your organisation safe.
Contact our expert team if you require assistance.
If you are a business and require cybersecurity services or assistance, visit our website and request a consultation. Our experts are on hand to assist you 7 days a week.
Disclaimer: The content provided in this blog is for general informational purposes only and does not constitute professional cybersecurity advice or a substitute for formal consultation with qualified experts. While DataFortified takes reasonable steps to ensure accuracy and timeliness, cybersecurity threats and best practices are constantly evolving and may change without notice. Use of the information is at your own risk.
By accessing this blog, you acknowledge that DataFortified, its affiliates, employees, and agents disclaim all liability for any direct, indirect, incidental, consequential, or punitive damages arising from reliance on or use of this content. For comprehensive advice and tailored solutions, please refer to DataFortified’s official business terms and conditions and privacy agreement and consult with authorised cybersecurity professionals.
Your use of this blog constitutes acceptance of these terms and does not alter or replace any contractual obligations under DataFortified’s formal agreements.