Threat actors have a habit of recycling old techniques with new delivery methods, and QR code phishing, also known as “Quishing”, is the latest example. Just a week after Gurucul published a thorough analysis of Adversary-in-the-Middle (AITM) attacks, a similar threat vector has emerged: malicious QR codes embedded in phishing emails. These attacks are gaining momentum because they exploit both end-user trust and the gaps in traditional security tools. Much like AITM, QR-based phishing sidesteps email gateway protections and ends with the attacker holding a compromised identity that has legitimate access.
At a recent customer site, Gurucul’s analytics detected a QR code phishing attempt that completely bypassed the legacy email gateway and the network and endpoint detection tools. The email carried a QR code inside an attachment; scanning it with a phone sent the victim to a credential-harvesting page that imitated the organization’s identity provider. What made this case significant was that none of the traditional tools generated an alert. Gurucul’s behavioral analytics and entity risk scoring models, however, flagged the incident from a chain of correlated anomalies, none of which was alarming on its own.
Gurucul detected QR code phishing campaigns by connecting data across multiple silos:
Beyond siloed analysis, Gurucul stitches together weak signals to reveal the full attack chain:
As phishing techniques evolve, so must our approach to detection. QR code scams are increasing, but they’re only a small part of a much bigger problem. Generative AI is now being used by threat actors to launch highly targeted social engineering and phishing attacks, especially against less tech-savvy industries. These AI-powered campaigns personalize attacks, increasing their speed and scale beyond the capabilities of traditional defenses.
As identity remains the new perimeter, and deception the weapon of choice, Gurucul’s behavioral analytics and advanced threat correlation continue to offer a critical edge against modern attack techniques.
Quishing is a form of phishing that delivers the malicious link as a QR code rather than as clickable text. Because the URL is encoded in an image, an email security tool that only extracts and reputation-checks links from the message text and HTML never sees it, which is what makes these attacks harder to detect.
Legacy tools typically scan the text of an email for suspicious links and inspect attachments for known-bad content. Quishing bypasses both checks by embedding the URL in a QR code image. When the user scans the code, usually with a personal phone that sits outside the corporate network and its endpoint controls, the phone’s browser is sent to a spoofed login page and the credentials are harvested there, so neither the email filter nor the corporate endpoint protection ever fires.
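The control a gateway is missing is small: pull the image parts out of the message, decode any QR code they carry, and put the decoded URL through the same checks a clickable link gets. The following Python is an added example written for this page, not Gurucul’s code or product logic. The QR decoding step assumes the third-party pyzbar and Pillow packages are installed; the trusted identity-provider domain, the shortener list and the sample message are all constructed for the illustration.

```python
"""
Added example, not Gurucul's code: treat a QR payload like a link.

Walk a MIME message, pull out every image part (inline or attached),
decode any QR code it carries and run the decoded URL through the checks
a gateway already applies to clickable links.  QR decoding assumes the
third-party pyzbar and Pillow packages are installed; everything else is
standard library, and the sample message below is constructed.
"""
import email
import io
from email import policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

# Assumption: the organisation's only legitimate sign-in host.
TRUSTED_IDP_DOMAINS = {"login.example.com"}
# Illustrative; a deployment would take these from threat-intel feeds.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co"}
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return"}


def extract_image_parts(raw: bytes) -> list:
    """Return (name, content_type, bytes) for every image/* MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        name = part.get_filename() or str(part.get("Content-ID", "inline"))
        parts.append((name, part.get_content_type(), part.get_payload(decode=True)))
    return parts


def decode_qr_payloads(image_bytes: bytes) -> list:
    """Decode every barcode/QR in the image (pyzbar + Pillow, assumed installed)."""
    from PIL import Image
    from pyzbar.pyzbar import decode
    return [sym.data.decode("utf-8", "replace")
            for sym in decode(Image.open(io.BytesIO(image_bytes)))]


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquats such as examp1e vs example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_qr_payload(payload: str) -> dict:
    """Classify one decoded payload as trusted, suspicious or non-url."""
    url = urlparse(payload.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https") or not host:
        return {"verdict": "non-url", "host": host,
                "reasons": ["payload is not an http(s) URL"]}
    # Exact match or a true subdomain of the trusted IdP is fine.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_IDP_DOMAINS):
        return {"verdict": "trusted", "host": host, "reasons": []}
    reasons = []
    if url.scheme != "https":
        reasons.append("sign-in page served over plain http")
    if host.replace(".", "").isdigit():
        reasons.append("raw IP address used as host")
    for d in TRUSTED_IDP_DOMAINS:
        if d in host:  # login.example.com.evil.example.net and friends
            reasons.append(f"trusted name '{d}' nested under another domain")
        brand = d.split(".")[-2]
        hits = sorted({lab for lab in host.split(".")
                       if len(lab) >= 4 and _levenshtein(lab, brand) <= 2})
        if hits:
            reasons.append(f"label(s) {hits} imitate '{brand}' outside the trusted domain")
    if host in SHORTENER_DOMAINS:
        reasons.append("URL shortener hides the final destination")
    if REDIRECT_PARAMS & set(parse_qs(url.query)):
        reasons.append("redirect-style parameter in query string")
    if not reasons:
        reasons.append("host is not on the identity-provider allowlist")
    return {"verdict": "suspicious", "host": host, "reasons": reasons}


def scan_message(raw: bytes) -> list:
    """Full pipeline: every QR URL found in the message, with its verdict."""
    findings = []
    for name, ctype, data in extract_image_parts(raw):
        for payload in decode_qr_payloads(data):
            verdict = vet_qr_payload(payload)
            verdict.update(part=name, content_type=ctype, payload=payload)
            findings.append(verdict)
    return findings


def build_sample_email() -> bytes:
    """Constructed lure: short text plus a PNG attachment (placeholder bytes, not a real QR)."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Action required: re-enrol your authenticator"
    msg.set_content("Scan the attached code with your phone to keep access.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
                       maintype="image", subtype="png", filename="reenrol.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for p in ("https://login.example.com/oauth2/authorize",
              "https://login.example.com.session-check.example.net/auth",
              "http://examp1e.com/login"):
        print(vet_qr_payload(p))
    print([part[:2] for part in extract_image_parts(build_sample_email())])
```

scan_message is the function to wire into a gateway hook; the stand-alone run above skips it because the sample attachment is placeholder bytes rather than a real QR image. The vetting rules are deliberately the ones already applied to text links: allowlist the real identity provider, flag the trusted name nested under another registrable domain, near-miss labels, shorteners, raw IP hosts and redirect parameters. The bypass described in the text exists only because the image part never reached that logic.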
Gurucul correlates behavior across silos, including email metadata, proxy logs, identity provider activity and geolocation intelligence, to reconstruct the entire attack chain. The platform flags anomalies such as QR-based redirects, abnormal authentication patterns and privilege changes, even when no individual tool generated an alert.
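What that correlation looks like in practice is a per-identity chain built from events that are individually benign. The Python below is an added example written for this page, not Gurucul’s product logic: it maps normalized events from an email gateway, a web proxy and an identity provider onto attack stages, keeps only stages that occur in order for the same user inside a short window, and scores the chain. All events, field names, weights and the threshold are constructed for the illustration.

```python
"""
Added example, not Gurucul's product logic: stitch weak signals from
separate log sources into one quishing attack chain per identity.

On its own each event is unremarkable: an external email with a picture,
a phone fetching a young domain, a sign-in from an unfamiliar place, an
MFA method being added.  For the same user, in order and within a short
window, they are the whole attack.  All events, field names and weights
below are constructed to show the technique, not a real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Weights are illustrative.  The threshold is chosen so that a lure plus a
# harvested credential in use (lure + scan + new_session = 80) alerts, while
# a user simply enrolling a new phone (new_session + persistence = 75) does not.
STAGE_WEIGHTS = {"lure": 20, "scan": 25, "new_session": 35, "persistence": 40}
STAGE_ORDER = list(STAGE_WEIGHTS)
ALERT_THRESHOLD = 80
PERSISTENCE_EVENTS = {"mfa.method_added", "role.assigned"}


def classify(ev: dict) -> Optional[str]:
    """Map one normalised event to an attack stage, or None if it is noise."""
    src = ev["source"]
    if src == "email" and ev.get("external_sender") and ev.get("image_attachment"):
        return "lure"
    if src == "proxy" and ev.get("mobile_ua") and ev.get("domain_age_days", 9999) < 30:
        return "scan"
    if src == "idp" and ev.get("event") == "login.success" and (
            ev.get("new_device") or ev.get("new_country")):
        return "new_session"
    if src == "idp" and ev.get("event") in PERSISTENCE_EVENTS:
        return "persistence"
    return None


def correlate(events: list, window: timedelta = timedelta(hours=2)) -> list:
    """Return one incident per ordered chain (per user) that crosses the threshold."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_user[ev["user"]].append((stage, ev))

    incidents = []
    for user, hits in by_user.items():
        segments, chain = [], []
        for stage, ev in hits:
            if chain:
                too_old = ev["ts"] - chain[0][1]["ts"] > window
                backwards = STAGE_ORDER.index(stage) < STAGE_ORDER.index(chain[-1][0])
                if too_old or backwards:
                    segments.append(chain)   # close this chain, start a new one
                    chain = []
                elif stage == chain[-1][0]:
                    continue                 # repeated stage adds no new evidence
            chain.append((stage, ev))
        segments.append(chain)
        for seg in segments:
            score = sum(STAGE_WEIGHTS[s] for s, _ in seg)
            if score >= ALERT_THRESHOLD:
                incidents.append({
                    "user": user,
                    "score": score,
                    "stages": [s for s, _ in seg],
                    "timeline": [(ev["ts"].isoformat(timespec="minutes"), s,
                                  ev["source"], ev.get("detail", "")) for s, ev in seg],
                })
    return incidents


T0 = datetime(2024, 5, 14, 9, 0)
SAMPLE_EVENTS = [  # constructed log records, already normalised per source
    {"ts": T0 + timedelta(minutes=2), "user": "alice@example.com", "source": "email",
     "external_sender": True, "image_attachment": True,
     "detail": "from it-helpdesk@example.net: 'Action required: re-enrol your authenticator'"},
    {"ts": T0 + timedelta(minutes=6), "user": "alice@example.com", "source": "proxy",
     "mobile_ua": True, "domain_age_days": 3,
     "detail": "GET login.example.com.session-check.example.net/auth"},
    {"ts": T0 + timedelta(minutes=9), "user": "alice@example.com", "source": "idp",
     "event": "login.success", "new_device": True, "new_country": True,
     "detail": "sign-in from 203.0.113.7, device never seen before"},
    {"ts": T0 + timedelta(minutes=12), "user": "alice@example.com", "source": "idp",
     "event": "mfa.method_added", "detail": "authenticator app registered"},
    # Bob got a new phone: unfamiliar device, then MFA enrolment, but no lure.
    {"ts": T0 + timedelta(hours=1), "user": "bob@example.com", "source": "idp",
     "event": "login.success", "new_device": True, "detail": "sign-in from new device"},
    {"ts": T0 + timedelta(hours=1, minutes=5), "user": "bob@example.com", "source": "idp",
     "event": "mfa.method_added", "detail": "authenticator app registered"},
    # Carol received the same lure but never scanned it.
    {"ts": T0 + timedelta(hours=5), "user": "carol@example.com", "source": "email",
     "external_sender": True, "image_attachment": True,
     "detail": "from it-helpdesk@example.net: 'Action required: re-enrol your authenticator'"},
    # Internal newsletter with a picture: external_sender is False, so not a lure.
    {"ts": T0 + timedelta(hours=5), "user": "bob@example.com", "source": "email",
     "external_sender": False, "image_attachment": True, "detail": "monthly newsletter"},
]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc["user"], inc["score"], inc["stages"])
        for row in inc["timeline"]:
            print("   ", *row)
```

Only Alice produces an incident: Bob’s new device plus MFA enrolment and Carol’s unopened lure both stay under the threshold. The proxy stage is the one most often missing in real cases, because the scan happens on a phone that is on cellular rather than the corporate network; with it removed the chain still scores 95 from the email and identity-provider signals alone, which is the point of weighting the chain rather than requiring every stage.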
QR-based phishing is just one example of how attackers are repurposing old methods with new delivery mechanisms. With generative AI accelerating the speed and personalization of attacks, behavioral analytics and cross-platform correlation are essential to detect and stop threats before damage is done.