Microsoft Uncovers Massive Phishing Blitz: 35,000 Accounts Targeted Across 26 Countries as QR Code “Quishing” Surges

If you got an email last month asking you to acknowledge a “revised code of conduct,” would you click? Tens of thousands did—or almost did. And that was the point. In mid-April, Microsoft observed a credential theft campaign that moved fast, hit hard, and leaned on newer tricks like QR codes and CAPTCHA gates to slip past defenses. The scariest part: this wasn’t a one-off. It’s a preview of where phishing is headed.

In this deep dive, we’ll break down what Microsoft just reported, how the attacks worked, why “quishing” (QR code phishing) is exploding, and—most importantly—how to harden your defenses right now.

For source reporting, see The Hacker News coverage: Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries.

The Short Version: What Microsoft Just Reported

Between April 14 and April 16, 2026, Microsoft analyzed a credential theft campaign that:

  • Targeted over 35,000 users across more than 13,000 organizations in 26 countries.
  • Used “code of conduct” lures and legitimate email services to boost deliverability and trust.
  • Redirected victims to attacker-controlled domains and stole authentication tokens.
  • Focused primarily on U.S. targets—about 92% were located in the United States.
  • Concentrated on sectors like healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology/software (11%).

Zooming out, Microsoft’s broader email threat telemetry from January to March 2026 showed:

  • QR code phishing is the fastest-growing vector, surging from 7.6 million in January to 18.7 million in March—a 146% jump.
  • CAPTCHA-gated phishing evolved rapidly across multiple payload types.
  • Attackers increasingly embed QR codes directly in email bodies to bypass perimeter filtering.
  • Microsoft detected approximately 8.3 billion email-based phishing threats in that three-month window.

These findings align with earlier research from Palo Alto Networks Unit 42 highlighting how threat actors weaponize QR codes to disguise malicious URLs, drive in-app deep links for credential theft, and even bypass app store safeguards by pointing to direct downloads of malicious apps (Unit 42 analysis).

How the Campaign Worked (Step-by-Step)

Let’s unpack the attacker playbook Microsoft observed and why it’s so effective.

1) The lure: “Code of conduct” compliance

  • Attackers sent emails themed around corporate policies—“Updated Code of Conduct,” “Action Required,” “Acknowledge Policy,” etc.
  • These tend to fly under the radar because they sound routine, relevant, and HR-driven. Targets feel social pressure to comply quickly.

2) Deliverability via legitimate services

  • Rather than blasting from throwaway infrastructure, attackers abused legitimate email services and trusted domains to increase inbox placement and credibility.
  • This tactic helps bypass basic sender reputation checks and spam heuristics.

3) Redirect chains to attacker domains

  • Victims were steered—sometimes through multiple hops—toward attacker-controlled pages.
  • The destination often looked convincingly like a corporate SSO or a Microsoft sign-in page.

4) Token theft over plain passwords

  • Beyond harvesting usernames and passwords, attackers aimed at authentication tokens (session cookies, OAuth tokens).
  • Token theft is potent: if a token is valid, it can allow access even if the victim uses MFA, because the attacker “rides” the existing authenticated session.
  • This fuels session hijacking and lateral movement—especially dangerous in cloud-first environments.

5) CAPTCHA-gated pages to evade scanning

  • CAPTCHA gates block automated scanners (including some secure email gateways and crawlers) from inspecting payloads.
  • Humans can solve the CAPTCHA; bots can’t. That means defenders may see a harmless “gate” while users who pass it see the malicious page.

6) QR codes to jump to mobile

  • Embedding QR codes in the email body sidesteps link analysis and exploits a blind spot: mobile devices and apps where corporate controls are often thinner.
  • Users scan on their phones, where password managers, link previews, and corporate protections may be weaker or absent.

Taken together, this is a modern phishing kill chain designed to defeat both technology and human heuristics: it looks routine, lands in the inbox, evades scanners, and shifts the user to mobile, where the attacker can harvest a token with less friction.

Why “Quishing” (QR Code Phishing) Is Exploding

Microsoft’s telemetry shows QR code phishing volume jumping 146% from January to March 2026. Here’s why it’s taking off:

  • Bypasses perimeter controls: Security tools that rewrite or detonate links can miss QR images embedded in the email body.
  • Shifts context to mobile: Scanning a code moves users from secured desktops to smartphones—often personal devices—where enterprise security is weaker and UX prompts are easier to skim past.
  • Disguises destinations: Attackers encode obfuscated URLs, use QR codes as “visual shorteners,” and chain redirects to mask the final landing page.
  • Enables deep links: QR codes can launch app-specific URIs (deep links) to prompt in-app authentication flows that look familiar and trustworthy.
  • Evades reputation checks: The QR payload points to a benign or newly registered host that then bounces to the malicious page, so the first hop the reputation engine sees carries no bad history.
  • Human curiosity and convenience: People expect to scan QR codes at restaurants, events, and offices. The behavior is normalized.

Research from Palo Alto Networks Unit 42 has documented these abuse patterns in depth and shows how attackers use QR codes to lure victims into credential theft flows and even install malicious apps by bypassing app store safeguards.
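The list above boils down to one defensive rule: once a QR image has been decoded, its payload must be judged exactly as a visible hyperlink would be, including the app deep links, redirect chains and lookalike hosts the text describes. The following added example (written for this article, not code from Microsoft, Unit 42 or the author's tooling) shows that triage step. It assumes an upstream OCR/computer-vision decoder has already produced the payload string; the corporate allowlist, brand-word list and sample payloads are constructed.

```python
"""Treat a decoded QR payload like any other hyperlink.

Added example for this article; it is not code from Microsoft, Unit 42 or the
author's own tooling. It assumes an upstream step (an OCR/computer-vision QR
decoder in the mail gateway) has already turned each inline image into its
payload string. The corporate allowlist and the sample payloads are constructed.
"""
import ipaddress
from urllib.parse import parse_qs, unquote, urlsplit

CORPORATE_DOMAINS = {"example-corp.com"}                           # constructed allowlist
BRAND_WORDS = ("microsoft", "office", "sso", "login", "okta")      # lookalike indicators
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "dest", "target"}


def _is_corporate(host):
    return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def _embedded_url(query):
    """Return the first redirect-style parameter whose value is itself an http(s) URL."""
    for key, values in parse_qs(query).items():
        if key.lower() in REDIRECT_PARAMS:
            for value in values:
                candidate = unquote(value)
                if candidate.lower().startswith(("http://", "https://")):
                    return candidate
    return None


def triage_qr_payload(payload, depth=0):
    """Return (verdict, reasons) where verdict is 'allow', 'review' or 'block'.

    Redirect parameters are followed (up to three hops) so a chained payload
    is judged by its final landing host, not by the benign first hop.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    # App deep links bypass the browser entirely, so the user never sees a URL bar.
    if scheme not in ("http", "https"):
        return "block", [f"non-web scheme '{scheme or '(none)'}:' (app deep link or malformed)"]

    host = (parts.hostname or "").lower()
    if not host:
        return "block", ["no host in payload"]

    reasons = []
    if scheme == "http":
        reasons.append("plain http")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP-literal host")
    except ValueError:
        pass

    if _is_corporate(host):
        return ("review", reasons) if reasons else ("allow", ["known corporate host"])

    for word in BRAND_WORDS:
        if word in host:
            reasons.append(f"brand/SSO word '{word}' in unknown host {host}")
            break
    if len(payload) > 200:
        reasons.append("unusually long URL (possible obfuscation)")

    inner = _embedded_url(parts.query)
    if inner and depth < 3:
        inner_verdict, inner_reasons = triage_qr_payload(inner, depth + 1)
        reasons.append(f"redirect parameter -> {urlsplit(inner).hostname}")
        reasons.extend(inner_reasons)
        if inner_verdict == "block":
            return "block", reasons

    if any(r.startswith("brand/SSO") for r in reasons):
        return "block", reasons
    return "review", reasons or ["unknown host: same rewrite/detonation as a visible link"]


# Constructed payloads paired with the verdict each should receive.
SAMPLE_PAYLOADS = {
    "https://login.example-corp.com/policy/acknowledge": "allow",
    "https://cdn.benign-hosting.example/r?url=https%3A%2F%2Fmicrosoft-login-verify.example%2Fsso": "block",
    "corp-sso-app://authorize?flow=policy-ack": "block",
    "https://newly-registered-host.example/ack": "review",
}


def triage_all(payloads=SAMPLE_PAYLOADS):
    """Map each payload to its verdict; used both for the demo and for testing."""
    return {p: triage_qr_payload(p)[0] for p in payloads}


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        verdict, reasons = triage_qr_payload(payload)
        print(f"{verdict:6} {payload}\n       {'; '.join(reasons)}")
```

The second sample is the pattern the text calls a "visual shortener": a clean first-hop host carrying the real destination in a redirect parameter. Because the function recurses into that parameter, the verdict comes from the lookalike landing host rather than the benign hop; anything that still lands on "review" should get the same Safe Links style rewriting and detonation a visible link receives.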

Who Was in the Crosshairs

Based on what Microsoft observed:

  • Geography: Roughly 92% of targets were in the United States, though the campaign spanned 26 countries.
  • Scale: More than 35,000 user accounts across 13,000+ organizations were targeted in just three days.
  • Sectors hit hardest:
      • Healthcare and life sciences: 19%
      • Financial services: 18%
      • Professional services: 11%
      • Technology and software: 11%

These sectors are prime targets because they hold sensitive data, process valuable transactions, or sit at the hub of many third-party relationships.

The Real Risk: Token Theft and Cloud Lateral Movement

Classic phishing steals passwords. Modern phishing steals sessions.

  • Token replay: With a valid authentication token or session cookie, an attacker can impersonate the user without re-entering credentials.
  • MFA limitations: MFA remains critical, but if a token is harvested after MFA has been satisfied, the attacker may bypass subsequent prompts until the token expires or is revoked.
  • Cloud sprawl: Once in, attackers can pivot across SaaS apps tied to SSO, target shared mailboxes, access files, or initiate fraudulent payments.
  • Business email compromise (BEC): With mailbox access, attackers can conduct invoice fraud, alter payment instructions, or launch internal spear-phishing.
  • Compliance and reputational risk: Unauthorized access can trigger regulatory obligations, breach notification, and downstream partner exposure.

What This Means for Your Security Program

Three mindset shifts to embrace:

1) Assume phish will land. Focus on “assume click” resilience—containment and rapid response matter as much as prevention.
2) Treat images like links. QR codes are just clickable URLs in disguise; your controls must see through the image layer.
3) Prioritize token safety. Identity-centric defenses (MFA, Conditional Access, rapid token revocation, and device trust) are your strongest levers.

A Practical Defense Playbook

Below is a layered approach you can act on now. Adapt to your stack, size, and risk profile.

Email Security: Make QR Codes and CAPTCHA Gates Visible to Your Tools

  • Enable advanced anti-phishing policies: If you’re in Microsoft 365, turn on and tune Defender for Office 365 anti-phishing, impersonation, and domain similarity protections (Microsoft guidance).
  • Add QR code detection: Use gateways or APIs that scan images with OCR/computer vision to extract and analyze embedded URLs. Block or flag emails containing high-risk QR codes.
  • Rewrite and detonate extracted URLs: Ensure extracted QR URLs get the same Safe Links/rewriting and sandbox detonation as visible hyperlinks (Safe Links overview).
  • Harden sender authentication: Enforce SPF, DKIM, and DMARC with alignment and a reject policy. Monitor DMARC reports to close spoofing gaps (dmarc.org).
  • Quarantine CAPTCHA-gated content: Consider raising the risk score for pages that block automated scanning. Use human-in-the-loop review where needed.
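The sender-authentication item above is easy to declare done and hard to verify: a DMARC record that exists but says p=none, or only covers part of the mail stream, closes no spoofing gap. The following added example (written for this article; not code from dmarc.org or Microsoft) grades a published DMARC TXT record against the bar the text sets, a reject policy with alignment and reporting. DNS resolution is left to the caller; the weak and hardened records are constructed for an example domain.

```python
"""Grade a published DMARC record against the 'reject with alignment' bar.

Added example for this article; it is not code from dmarc.org or Microsoft.
DNS resolution is deliberately left to the caller (dig _dmarc.<domain> TXT or
any resolver library); the two records below are constructed, one weak and one
hardened, for the same example domain.
"""

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com"        # constructed
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                   "rua=mailto:dmarc@example-corp.com; "
                   "ruf=mailto:dmarc-forensic@example-corp.com; fo=1")    # constructed


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record):
    """Return a list of (severity, finding) tuples; an empty list meets the bar."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return [("high", "not a DMARC record (v=DMARC1 missing)")]
    findings = []
    policy = t.get("p", "").lower()
    if policy != "reject":
        findings.append(("high", f"p={policy or 'missing'}: mail failing DMARC is still delivered (want p=reject)"))
    sub_policy = t.get("sp", policy).lower()          # sp defaults to p when absent
    if sub_policy != "reject":
        findings.append(("medium", f"sp={sub_policy or 'missing'}: mail claiming to come from subdomains of your domain can be spoofed"))
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if "rua" not in t:
        findings.append(("medium", "no rua= address: aggregate reports are not collected, so spoofing gaps stay invisible"))
    for tag, mech in (("adkim", "DKIM"), ("aspf", "SPF")):
        if t.get(tag, "r").lower() != "s":
            findings.append(("low", f"{tag}=r: {mech} alignment is relaxed (any subdomain of the organizational domain aligns)"))
    return findings


def meets_bar(record):
    """True when only 'low' findings remain: reject policy, applied to 100% of mail, with reporting."""
    return all(sev == "low" for sev, _ in grade_dmarc(record))


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(f"{name}: {'OK' if meets_bar(rec) else 'FIX'}")
        for sev, msg in grade_dmarc(rec):
            print(f"  [{sev}] {msg}")
```

Relaxed alignment is graded low rather than as a blocker because many legitimate sending services only align at the organizational-domain level; the items that actually let a spoofed "code of conduct" mail through are the policy, its subdomain counterpart, the percentage, and missing reports.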

Identity and Access: Contain Token Theft

  • Move to phishing-resistant MFA: Prefer FIDO2 security keys or platform passkeys over SMS/voice OTPs. See NIST guidance on phishing resistance (NIST 800-63-3).
  • Tighten Conditional Access: Require device compliance, restrict high-risk geos, enforce sign-in frequency for sensitive apps, and enable Continuous Access Evaluation where available to limit token usefulness (CAE overview).
  • Kill sessions fast: Train users and IT to revoke sessions immediately after suspected compromise. Automate via SOAR when risky sign-ins are detected.
  • Block legacy protocols: Disable IMAP/POP/Basic Auth that can bypass modern controls.
  • Govern OAuth consent: Restrict user consent to verified apps, review existing app grants, and alert on high-privilege or newly granted consents.

Endpoint and Mobile: Close the Smartphone Gap

  • Mobile device management (MDM/UEM): Enforce device compliance, OS patch levels, and app allowlists for corporate access. Separate personal and work data with managed profiles.
  • Mobile threat defense (MTD): Inspect mobile web sessions and detect malicious domains, sideloaded apps, or credential-harvesting flows.
  • Browser and app controls: Prefer managed browsers for corporate SSO. Disable unknown sources/enterprise installs on Android. Limit iOS enterprise app certificates to vetted use cases.
  • QR scanning hygiene: Standardize on a secure QR scanner within the managed work profile that previews the destination URL and applies corporate filtering.

Network and Browser Isolation

  • Remote browser isolation (RBI) for unknown destinations: Render risky sites in a disposable container to prevent token and cookie theft on endpoints.
  • DNS filtering: Block newly registered domains, typosquats, and known phishing infrastructure. Apply on-device resolvers to protect off-network devices.

People and Process: Train for the New Playbook

  • Make QR phishing part of awareness: Show examples, explain why QR codes are risky, and teach users to preview URLs before visiting. Reinforce: never scan QR codes from unexpected emails.
  • Simulate quishing and CAPTCHA-gated phish: Run periodic tests that mirror current attacker tradecraft.
  • Reduce shame, increase reporting: Add a one-click Report Phish button in mail clients. Celebrate reports; never punish clicks.
  • Clear “oops” playbook: Publish what to do immediately after a suspected click or scan (see the next section).

SOC and Incident Response: Detect, Automate, Contain

  • Alert on anomalies: Impossible travel, unfamiliar sign-in properties, new OAuth app grants, mass mailbox rules, unusual inbox forwarding, and spikes in failed MFA.
  • Capture web artifacts: Collect HTTP headers, cookies, and redirect chains for suspected phishing domains to track token theft patterns.
  • Automate containment: On high-confidence alerts, auto-revoke sessions, reset passwords, block tokens, and quarantine impacted endpoints.
  • Threat intel loop: Tag observed lures (e.g., “code of conduct”), distribute IOCs, and push detections for CAPTCHA- and QR-associated infrastructure.
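The "alert on anomalies" item above lists the post-compromise signals that follow a successful token theft. The added example below (written for this article, not Microsoft's detection logic or any product's schema) runs four of those rules, impossible travel, external inbox forwarding, unapproved OAuth consent and a burst of MFA denials, over a small set of constructed, deliberately simplified audit events whose op names only loosely follow unified-audit-log style.

```python
"""Run a few post-phish detections over sign-in and mailbox audit events.

Added example for this article, not Microsoft's detection logic or any product's
schema. The events below are constructed and deliberately simplified (op names
loosely follow unified-audit-log style); in practice you would feed exported
sign-in and audit records into the same functions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example-corp.com"                  # constructed
APPROVED_APPS = {"Corporate Expense Portal"}          # constructed consent allowlist


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample telemetry for one morning.
EVENTS = [
    {"time": "2026-04-15T09:02:00Z", "user": "alice@example-corp.com", "op": "UserLoggedIn", "country": "US"},
    {"time": "2026-04-15T09:20:00Z", "user": "alice@example-corp.com", "op": "UserLoggedIn", "country": "NL"},
    {"time": "2026-04-15T09:25:00Z", "user": "alice@example-corp.com", "op": "New-InboxRule", "forward_to": "drop@external-mail.example"},
    {"time": "2026-04-15T09:26:00Z", "user": "alice@example-corp.com", "op": "Consent to application.", "app": "Mail Sync Helper"},
    {"time": "2026-04-15T11:00:00Z", "user": "carol@example-corp.com", "op": "UserLoggedIn", "country": "US"},
    {"time": "2026-04-15T11:30:00Z", "user": "carol@example-corp.com", "op": "New-InboxRule", "forward_to": "carol.archive@example-corp.com"},
] + [
    {"time": f"2026-04-15T10:0{i}:00Z", "user": "bob@example-corp.com", "op": "UserLoginFailed", "reason": "MFA denied"}
    for i in range(6)
]


def impossible_travel(events, window=timedelta(hours=1)):
    """Successive successful sign-ins for one user from different countries inside the window."""
    alerts, last = set(), {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["op"] != "UserLoggedIn":
            continue
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and _ts(e["time"]) - _ts(prev["time"]) <= window:
            alerts.add(e["user"])
        last[e["user"]] = e
    return alerts


def external_forwarding(events, internal_domain=INTERNAL_DOMAIN):
    """New inbox rules that forward mail to an address outside the organization."""
    alerts = set()
    for e in events:
        fwd = e.get("forward_to")
        if e["op"] == "New-InboxRule" and fwd and not fwd.lower().endswith("@" + internal_domain):
            alerts.add(e["user"])
    return alerts


def unapproved_consent(events, approved=APPROVED_APPS):
    """OAuth consent granted to an application that is not on the approved list."""
    return {e["user"] for e in events
            if e["op"] == "Consent to application." and e.get("app") not in approved}


def failed_mfa_spike(events, threshold=5, window=timedelta(minutes=10)):
    """At least `threshold` MFA denials for one user inside a sliding time window."""
    per_user = defaultdict(list)
    for e in events:
        if e["op"] == "UserLoginFailed" and e.get("reason") == "MFA denied":
            per_user[e["user"]].append(_ts(e["time"]))
    alerts = set()
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.add(user)
                break
    return alerts


def run_detections(events=EVENTS):
    """Return {user: sorted rule names that fired}; users with no alerts are omitted."""
    rules = {"impossible_travel": impossible_travel, "external_forwarding": external_forwarding,
             "unapproved_consent": unapproved_consent, "failed_mfa_spike": failed_mfa_spike}
    hits = defaultdict(list)
    for name, rule in rules.items():
        for user in rule(events):
            hits[user].append(name)
    return {u: sorted(r) for u, r in hits.items()}


if __name__ == "__main__":
    for user, fired in run_detections().items():
        print(f"{user}: {', '.join(fired)}")
```

Three rules firing on one account inside half an hour is the shape of a replayed session, and it is the kind of high-confidence signal the "automate containment" item can safely key on; carol's internal forwarding rule stays silent, which is the distinction a rule must draw to avoid training the SOC to ignore it.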

Executive-Ready Checklist

  • We can detect and block QR-based phish at the email layer.
  • Our MFA is phishing-resistant (e.g., FIDO2/passkeys) for privileged and high-risk users.
  • Conditional Access enforces device trust, geofencing, and sign-in frequency for sensitive apps.
  • We can revoke cloud sessions within minutes of a suspected compromise.
  • Mobile access is managed (MDM/MTD) with clear BYOD boundaries.
  • OAuth app consent is locked down and monitored.
  • Employees have a one-click report button and a no-shame culture for reporting.
  • We test users specifically on QR and CAPTCHA-gated attacks.

What To Do If You Think You Scanned or Clicked

Act fast—minutes matter with token theft.

1) Disconnect and report: Use your organization’s report button or hotline immediately.
2) Change your password: Use a different device if you suspect the first device is compromised.
3) Revoke sessions: In Microsoft 365/Entra ID, sign out of all sessions for the account and require re-authentication.
4) Check OAuth app consents: Remove unfamiliar or newly granted app permissions.
5) Review mailbox rules and forwarding: Delete suspicious rules or external forwards.
6) Scan your device: Run a security scan; on mobile, uninstall any app you were prompted to install via the QR code.
7) Enable/upgrade MFA: If not already using phishing-resistant MFA, enroll now.
8) SOC follow-up: Investigate sign-in logs, device state, and potential lateral movement.

Why This Campaign Matters

This isn’t just another phishing wave; it’s a shift in attacker strategy:

  • They’re blending high-deliverability infrastructure, believable policy lures, and mobile pivots.
  • They’re not just after passwords—they’re targeting tokens to jump straight into cloud sessions.
  • They’re deploying CAPTCHAs and QR codes as evasion layers that exploit gaps in scanning and user habits.

Defending against this requires more than blocking bad links. It demands identity-aware controls, mobile-first thinking, and a playbook that treats images as URLs and sessions as crown jewels.

Looking Ahead: The Next 6–12 Months

Expect to see:

  • More image-based payloads: Not just QR codes—barcodes, stylized glyphs, and steganography to hide URLs.
  • Deeper app exploits: Malicious deep links and mobile app-to-app handoffs designed to trick even savvy users.
  • Faster token lifecycles—on both sides: Attackers automating token theft at scale, defenders tightening token validity and revocation windows.
  • AI-shaped lures: Better-localized, brand-perfect emails and landing pages that raise the bar for manual detection.

Success will favor programs that invest in zero trust principles: never trust, always verify, and continuously assess session risk—across devices, users, and apps.

Helpful References

  • The Hacker News coverage of Microsoft’s findings: https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html
  • Palo Alto Networks Unit 42 on QR code phishing: https://unit42.paloaltonetworks.com/qr-code-phishing-quishing/
  • Microsoft 365 Defender anti-phishing policies: https://learn.microsoft.com/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide
  • Microsoft Safe Links overview: https://learn.microsoft.com/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide
  • Microsoft Conditional Access and Continuous Access Evaluation: https://learn.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation
  • NIST guidance on phishing-resistant authentication: https://pages.nist.gov/800-63-3/
  • FBI PSA on QR code scams: https://www.ic3.gov/Media/Y2022/PSA220118

FAQs

Q: What is “quishing”?
A: “Quishing” is shorthand for QR code phishing—attacks that embed a QR image in an email, document, or sign to lure users to a malicious site. Because many security tools focus on clickable links, QR images can slip through filters and push victims onto less-protected mobile devices.

Q: Does MFA stop token-theft attacks?
A: MFA is essential, but it’s not a silver bullet. If an attacker steals a valid session token after MFA authentication, they may bypass additional prompts until the token expires or is revoked. Phishing-resistant MFA (FIDO2/passkeys) plus Conditional Access, rapid session revocation, and Continuous Access Evaluation can significantly reduce risk.

Q: How do CAPTCHA-gated phishing pages work?
A: Attackers place a CAPTCHA challenge in front of the malicious page. Automated scanners often can’t pass the CAPTCHA, so the underlying payload goes uninspected. Human victims, however, can solve the CAPTCHA and proceed to the phishing page.

Q: Why are QR codes effective for phishing?
A: They move the user to a mobile context, where corporate protections and visual cues are weaker. QR codes can hide long or suspicious URLs, trigger in-app deep links, and avoid traditional link analysis and rewriting.

Q: Which industries are most at risk?
A: In the April campaign Microsoft observed, the biggest target segments were healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology/software (11%). That said, any organization with email users and valuable data is a target.

Q: What’s the single most impactful defense we can deploy quickly?
A: Two moves deliver outsized gains: enable phishing-resistant MFA for high-risk and privileged accounts, and add image/QR scanning at the email gateway with URL extraction, rewriting, and detonation.

Q: How should we handle BYOD given QR-based threats?
A: Use MDM/UEM to establish a managed work profile, enforce basic device hygiene, and route corporate traffic through monitored paths. Pair with Mobile Threat Defense and require managed browsers for SSO. Train employees never to scan QR codes from unsolicited emails.

Q: If a user scanned a QR code and installed an app, what next?
A: Uninstall the app immediately, run a mobile security scan, change associated passwords from a trusted device, revoke cloud sessions, review OAuth app consents, and notify IT/SecOps for log review and containment.

Q: Are QR codes in physical spaces (posters, lobbies) also risky?
A: Yes. Attackers can place lookalike stickers over legitimate codes in public spaces. Treat unknown QR codes like unknown links—curb the impulse to scan, and verify sources when in doubt.

The Bottom Line

Phishing has evolved into a game of misdirection and momentum. Attackers are blending trusted infrastructure, realistic policy lures, CAPTCHAs, and QR codes to outrun traditional defenses and grab the real prize: your tokens and sessions.

Beat them with layers. Treat images like links, default to phishing-resistant MFA, tighten Conditional Access, manage mobile, and be ready to revoke sessions at the first sign of trouble. Train your people, tune your tools, and test often.

If you assume at least one phish will land, your strategy shifts from wishful blocking to resilient recovery. That’s how you turn a three-day blitz into a non-event—and keep your business moving.

I would love some feedback on my writing, so if you have any, please don’t hesitate to leave a comment here or on any platform that is convenient for you.

For more on tech and other topics, explore InnoVirtuoso.com anytime. Subscribe to my newsletter and join our growing community—we’ll create something magical together. I promise, it’ll never be boring! 

Thank you all—wishing you an amazing day ahead!
