April 1, 2026 · 7 min read

When Phishing Goes Offline: QR Code Attacks Inside Your Organization

QR code phishing (quishing) is one of the fastest-growing attack vectors in email security. The malicious URL is trapped inside an image, completely invisible to every email filter that scans text and links. When combined with internal email spoofing, these attacks become nearly impossible to distinguish from legitimate messages.

Key figures cited in this post:

587%: rise in quishing (2023-2025)
0: links for filters to scan
86%: of users scan unknown QR codes
<3s: scan to credential harvest

Why QR codes break email security

Every email security tool on the market works the same way at its core: it scans the text of the email, extracts URLs, and checks those URLs against threat intelligence feeds and reputation databases. This approach has worked well for two decades. It fails completely against QR codes.

A QR code is an image. The URL it encodes is not present anywhere in the email body, headers, or HTML source. It exists only as a pattern of black and white squares in a PNG or JPEG attachment. Unless the security tool performs optical character recognition (OCR) on every image in every email (which almost none do at scale), the malicious URL passes through without inspection.

The moment a user scans that QR code with their phone, they leave the protected environment entirely. The URL opens in their mobile browser, outside the corporate network, outside the VPN, outside the endpoint detection system. The security perimeter has been bypassed with a camera.

How a quishing attack works

The anatomy of a QR code phishing attack is straightforward, which is part of what makes it so effective.

The attacker sends an email with a sense of urgency. Common pretexts include multi-factor authentication enrollment, document signing, voicemail retrieval, shared file access, or benefits enrollment. The email body contains instructions to "scan the QR code below" with your phone. The QR code itself links to a credential harvesting page designed to replicate the organization's login portal.

The credential page is typically hosted on a legitimate cloud service (to pass URL reputation checks if anyone inspects the decoded link manually) and uses a valid TLS certificate. The phishing page captures the username and password in real time, and in more sophisticated attacks, proxies the login to the real identity provider to capture the MFA token as well.

The entire interaction takes less than 30 seconds. The user believes they completed a routine IT task. The attacker now has valid credentials.

The direct-send exploit: internal spoofing without authentication

Quishing becomes significantly more dangerous when combined with a configuration gap that exists in most organizations: direct-send (also called SMTP relay or anonymous relay).

Many mail servers are configured to accept unauthenticated email from specific IP ranges or to certain internal addresses. This feature exists for legitimate purposes: printers that email scanned documents, monitoring systems that send alerts, and applications that send notifications. But the same configuration allows anyone who can reach the SMTP endpoint to send emails that appear to originate from any address within the organization.

The result: an employee receives a QR code email that appears to come from their IT department, their HR team, or their CEO. The sender address is an internal domain. The email passes SPF checks because it was sent through the organization's own mail infrastructure. DKIM may or may not be present, but many internal recipients do not notice its absence.

This is not a theoretical risk. Direct-send spoofing is actively used in targeted attacks, and most organizations have no monitoring in place to detect it.

Why email filters miss QR code attacks

The detection gap exists at multiple levels, and each one compounds the others.

No URL extraction from images. Standard email security gateways parse the email body and HTML for clickable links. QR codes encode URLs in pixel patterns that require image processing to decode. This capability is absent from the vast majority of deployed email security tools.

Attachment analysis focuses on executables. When email filters do inspect attachments, they prioritize files that can execute code: EXE, DLL, macro-enabled Office documents, scripts. A static PNG image containing a QR code is classified as benign by every heuristic designed to detect malicious payloads.

Mobile devices bypass endpoint protection. Even if the email itself is flagged as suspicious, the moment a user scans the QR code with a personal phone, the attack chain moves to an unmanaged device. Corporate endpoint detection and response (EDR) tools have no visibility into what happens on that phone.

Internal sender reputation suppresses warnings. When the phishing email appears to come from an internal address (via direct-send spoofing), the email gateway treats it as trusted internal mail. Warning banners like "This email came from outside your organization" do not appear. The email looks identical to any other internal communication.

Detection and response

Detecting QR code phishing requires looking beyond the email content itself. Here are the indicators that matter.

Authentication failures on internal emails. Legitimate internal emails pass SPF, DKIM, and DMARC checks. Direct-send spoofed emails often fail DKIM or show alignment mismatches. Monitoring authentication results for internal-to-internal mail catches spoofing attempts that most organizations ignore.

Unusual sender patterns. A user who has never sent a company-wide email suddenly distributing a "mandatory security update" with a QR code is anomalous. Behavioral baselines for sender patterns can surface these outliers before users interact with the message.

New sign-in events following QR campaigns. If multiple users report scanning a QR code, or if you identify a quishing email in your environment, immediately audit sign-in logs for new sessions from unfamiliar devices, IP addresses, or locations. The window between credential capture and account access is typically minutes, not hours.
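Added example (not code from the post or from InboxWatch): correlating the delivery time of a quishing email with a sign-in log to surface the new sessions this paragraph describes. The log lines, the recipient list, the per-user baseline of known (IP, device) pairs and the two-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed: when the quishing email landed and who received it
CAMPAIGN_DELIVERED = datetime(2026, 3, 30, 9, 14)
RECIPIENTS = {"alice@example.com", "bob@example.com"}

# Constructed baseline: (user, source ip, device) pairs seen in the prior 30 days
BASELINE = {
    ("alice@example.com", "203.0.113.10", "ALICE-LAPTOP"),
    ("bob@example.com", "203.0.113.11", "BOB-LAPTOP"),
}

# Constructed sign-in log: timestamp user ip device result
SIGNIN_LOG = """\
2026-03-30T09:02:00 alice@example.com 203.0.113.10 ALICE-LAPTOP success
2026-03-30T09:21:00 alice@example.com 198.51.100.7 UNKNOWN success
2026-03-30T09:25:00 bob@example.com 203.0.113.11 BOB-LAPTOP success
2026-03-30T14:40:00 bob@example.com 198.51.100.9 UNKNOWN failure
2026-03-31T08:00:00 carol@example.com 198.51.100.5 UNKNOWN success
"""

def parse_signins(log):
    """Yield (timestamp, user, ip, device, result) for each log line."""
    for line in log.splitlines():
        ts, user, ip, device, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, device, result

def suspicious_signins(log, delivered, recipients, baseline, window=timedelta(hours=2)):
    """Successful sign-ins by campaign recipients, inside the window after delivery,
    from an (ip, device) pair never seen for that user in the baseline."""
    hits = []
    for ts, user, ip, device, result in parse_signins(log):
        if user not in recipients or result != "success":
            continue                      # only recipients who actually got a session
        if not (delivered <= ts <= delivered + window):
            continue                      # capture-to-access is minutes, so keep the window tight
        if (user, ip, device) not in baseline:
            hits.append((ts.isoformat(), user, ip, device))
    return hits

if __name__ == "__main__":
    for hit in suspicious_signins(SIGNIN_LOG, CAMPAIGN_DELIVERED, RECIPIENTS, BASELINE):
        print("review session:", *hit)
```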

Image-only emails with urgency language. Legitimate internal communications rarely consist of a single image with no text body. An email that contains only an image attachment and a brief instruction to "scan with your phone" is worth investigating regardless of the sender.
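As an added illustration (not code from the post or from InboxWatch), the script below applies two of the indicators above to a raw message: authentication failures or DKIM alignment mismatches on mail whose From address is internal, and an image-only body with urgency language. The internal domain, the Authentication-Results headers, the urgency word list and the PNG bytes are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"   # assumed internal domain (constructed)
URGENCY = re.compile(r"\b(scan|urgent|mandatory|immediately|within \d+ hours)\b", re.I)

def parse_auth_results(header):
    results = {}   # e.g. {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail', 'dkim_domain': None}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header):
        results.setdefault(m.group(1), m.group(2).lower())
    d = re.search(r"header\.d=([\w.-]+)", header)
    results["dkim_domain"] = d.group(1).lower() if d else None
    return results

def quishing_indicators(raw):
    """Return the indicators from the post that fire on one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = msg["From"].addresses[0].domain.lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    if from_domain == INTERNAL_DOMAIN:          # internal-to-internal mail only
        if auth.get("dkim") != "pass":
            findings.append("internal sender without passing DKIM")
        elif auth["dkim_domain"] != from_domain:
            findings.append("DKIM signing domain not aligned with From")
        if auth.get("dmarc") == "fail":
            findings.append("internal sender failing DMARC")
    text, images = "", 0
    for part in msg.walk():                      # inspect MIME parts, not just the headers
        if part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_maintype() == "image":
            images += 1
    if images and len(text.split()) < 40 and URGENCY.search(text):
        findings.append("image-only body with urgency language")
    return findings

SPOOFED_AUTH = "mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com"
LEGIT_AUTH = "mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com"
def build_sample(spoofed):
    """Constructed sample: a direct-send spoof carrying a QR image, or a normal internal mail."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "IT Support <it-support@example.com>", "alice@example.com", "MFA enrollment"
    msg["Authentication-Results"] = SPOOFED_AUTH if spoofed else LEGIT_AUTH
    msg.set_content("Scan the QR code below with your phone within 24 hours." if spoofed
                    else "Reminder: the MFA enrollment portal is linked from the intranet home page.")
    if spoofed:
        msg.add_attachment(b"constructed-png-bytes", maintype="image", subtype="png", filename="qr.png")
    return msg.as_string()
```

The spoofed sample passes SPF (it went through the organization's own relay) yet still trips three indicators, which is the point of checking internal-to-internal mail at all.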

Organizational defenses

Beyond detection, several structural changes reduce the risk of successful quishing attacks.

Restrict direct-send relay to only the IP addresses and applications that genuinely need it. Audit these configurations quarterly. Every open relay is a potential spoofing vector.

Enforce DMARC with a reject policy on your domain. This will not prevent all internal spoofing, but it ensures that emails failing authentication are quarantined rather than delivered.

Train users to verify QR code URLs before entering credentials. Most phone cameras now preview the decoded URL before opening it. Teach employees to check that the domain matches the organization's actual login page.

Deploy phishing-resistant MFA (hardware security keys or passkeys). Even if credentials are captured through a quishing page, hardware-bound authentication cannot be proxied or replayed.

What InboxWatch catches

InboxWatch does not scan QR code images directly. What it does is detect the conditions that make quishing attacks succeed: suspicious sender patterns, authentication failures on internal mail, anomalous sign-in activity following a potential phishing event, unexpected email forwarding rules set up after account compromise, and new OAuth application grants from unfamiliar sessions.

The QR code is just the delivery mechanism. The compromise that follows leaves traces in your account configuration and sign-in history. Those traces are what InboxWatch is built to find.

Check your accounts for free

InboxWatch scans for hidden forwarding rules, unauthorized delegates, rogue OAuth apps, and suspicious sign-in activity. Free. 60 seconds. Metadata only.


15 free scans · No credit card · $0.10/scan after

Written by Nicholas Papadam, founder of InboxWatch. Senior Analyst with 6+ years in enterprise security operations.