QR Code Phishing Attacks: New Abnormal Capabilities Launched to Protect Customers From Quishing

Discover the risk of these image-based QR attacks and how Abnormal’s AI-native detection system protects you.
October 30, 2023

QR codes have become increasingly popular, especially in the post-COVID-19 era as they have been used to foster connections. These codes provide convenient, contactless, and efficient ways to stay in touch and share information—for everything from marketing campaigns to restaurant menus.

Unfortunately, bad actors have exploited this new familiarity to compromise users. According to Abnormal data, 17% of all attacks that bypass native spam/junk filters use QR codes. This is especially concerning because QR code attacks can be difficult to detect due to their limited text content and heavy reliance on image attachments. This significantly reduces the amount of signals available to email security solutions to detect and extract information in order to catch an attack. To combat this threat, we are excited to announce the release of enhanced QR code detection capabilities.

How Bad Actors Exploit QR Codes to Execute Quishing Attacks

Attackers are increasingly crafting emails that contain an image attachment of a malicious QR code. These malicious QR codes often link to what appears to be a legitimate website, such as Google or Microsoft login pages, and prompt recipients to enter their login credentials. If entered, attackers can steal those credentials and use them to compromise additional services or launch additional attacks. According to internal data sources, credential phishing accounts for about 89% of all QR code-based attacks, with invoice fraud and extortion rounding out the top three attack types.

Real-World Quishing Attack Stopped by Abnormal

Let’s take a look at a real-world credential phishing attack that was stopped by Abnormal. In this attack, the threat actor crafted a phishing email prompting the recipient to scan a malicious QR code to reset the multi-factor authentication for their Microsoft account.

QR 1

The QR code links to a malicious page posing as a legitimate Microsoft login page and encourages the recipient to log in to their account. If the recipient were to enter their login credentials, the attacker would be able to steal the credentials and compromise the account.

QR 2

Abnormal detected this attack by analyzing behavioral signals and parsing the QR code. With its behavioral signals, Abnormal identified that this email was coming from an unusual sender and domain. With the QR code detector, Abnormal identified that the email contained a QR code with a suspicious link. The additional signals extracted from parsing the QR codes, combined with the behavioral analysis, puts Abnormal Security in the best position to detect these attacks.

QR 3
QR 4

The Abnormal Approach to Stopping QR Code Phishing Attacks

QR codes can replace ‌links previously used in many types of link-based phishing attacks. Any solution that relies purely on the reputation of the domains in the emails cannot effectively detect these attacks without processing every image in every email, which would very quickly result in scaling issues.

A key distinction of Abnormal’s AI-native detection engine is its ability to utilize behavioral signals to detect anomalies seen in sender-related attributes, receiver-based attributes, and attachment or link-based signals. With this approach, Abnormal is able to detect thousands of QR code attacks per week without specifically detecting and parsing QR codes, including this quishing campaign detected in late 2021. However, we understand the severity of QR code attacks and are committed to improving detection, which is why we are excited to announce that Abnormal has updated its defense strategies and added the capability to detect QR codes and parse links from them in attachments. This applies to images as well as PDF Attachments. The signals extracted from QR codes will be ingested by the detection engine which strengthens its ability to detect malicious activity.

The combination of behavioral AI detection, with the ability to further process images to detect QR codes and parse the corresponding information, provides a powerfully complete solution to combat the rise of QR code phishing attacks.

Why doesn’t Abnormal block all emails containing QR codes?

With QR code phishing attacks increasing in frequency, organizations may be tempted to seek solutions that block all emails containing QR codes. However, this isn’t an effective solution for a variety of reasons:

  • Legitimate Usage: QR codes are deployed legitimately for easy access to information sharing. Blocking them unilaterally could lead to critical false positives, causing a disruption in business for users. Our data indicates, >50% of images with QR codes can be safe or legitimate business emails.

  • Ineffective: Cyber threats are always evolving. Attackers can apply techniques like obfuscation and embedding QR codes within images to bypass a block filter.

  • It’s Not That Easy: Scanning every email to identify and block all QR codes would consume significant amounts of processing and could cause delays in remediation. The combination of behavioral AI with the ability to parse QR codes ensures high detection efficacy without sacrificing the time to remediate.

The Future of Quishing and How You’re Still Protected

As QR codes become increasingly commoditized, threat actors will continue to use them as a tool in their phishing campaigns. Today, attackers use malicious QR codes to impersonate legitimate QR codes that are often part of the process when adopting multi-factor authentication, as seen in the real-world attack above. Tomorrow, attackers might imitate legitimate QR codes used in file sharing, invoice payment, or marketing emails to gain further access to an organization’s sensitive data and finances. To prevent these advanced attacks, Abnormal will continue to invest resources to strengthen its detection engine, which now analyzes tens of thousands of signals provided by its behavioral AI and QR code parsing to identify quishing attacks.

Interested in seeing the Abnormal solution to the email security problem? Schedule a demo today.

Schedule a Demo
QR Code Phishing Attacks: New Abnormal Capabilities Launched to Protect Customers From Quishing

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B 1500x1500 Adobe Acrobat Sign Attack Blog
Attackers attempt to steal sensitive information using a fraudulent electronic signature request for a nonexistent NDA and branded phishing pages.
Read More
B 4 15 24 RBAC
Discover how a security-driven RBAC design pattern allows Abnormal customers to maximize their user setup with minimum hurdles.
Read More
B 4 10 24 Zoom
Learn about the techniques cybercriminals use to steal Zoom accounts, including phishing, information stealers, and credential stuffing.
Read More
Social Images for next Cyber Savvy Blog
Explore how Alex Green, the CISO of Delta Dental, safeguards over 80 million customers against modern cyber threats, and gain valuable insights into the cybersecurity landscape.
Read More
B Images for EDB Blog from Sanjay
Abnormal is excited to announce the establishment of a strategic partnership with the Singapore Economic Development Board (EDB).
Read More
B Automotive Data Blog
Research reveals the automotive industry has become a popular target for business email compromise and vendor email compromise attacks. Learn why.
Read More