Hackers Are Weaponizing QR Codes: Inside the New “Quishing” Attacks Using Split and Nested Techniques
If you’ve ever scanned a QR code to log in faster, view an invoice, or reset a password, you’re not alone. QR codes are frictionless. They feel safe. And that’s exactly why attackers love them.
Security researchers at Barracuda Networks just spotlighted a new wave of QR code phishing—often called “quishing”—that uses clever image tricks to sneak past email defenses and steal Microsoft credentials. The two novel techniques? Splitting a QR code into multiple images so scanners miss it, and nesting a malicious QR within or around a legitimate one to create ambiguity.
Here’s why that matters: most email tools still focus on links and attachments. They don’t always “see” what’s hiding inside an image, especially when that image is deliberately manipulated. In short, quishing is evolving, and your current protections may not be enough.
In this guide, I’ll break down how these split and nested QR codes work, why traditional defenses miss them, and how to build layered protection—especially with multimodal AI that can actually see and understand what’s in an image. Let’s simplify the risk and get you a plan.
What Is “Quishing” and Why It’s Surging
Quishing is phishing that uses QR codes to lure you to a malicious site or login page. Instead of clicking a link in an email, you scan a code—often from your phone—which quietly bypasses many link filters and detonation sandboxes designed to protect you.
Why attackers use QR codes:
- People trust them and scan fast.
- Mobile flows bypass desktop defenses and URL rewriting.
- Images are harder for legacy tools to analyze.
- Codes can hide under layers of images, CSS, or formatting.
Authorities have warned about QR abuse for years. The FBI even issued a PSA about tampered QR codes in 2022, urging caution with codes in public and online spaces. If you need a refresher, it’s a quick read from the FBI’s Internet Crime Complaint Center: FBI PSA on QR code tampering.
New Research: Split and Nested QR Codes in the Wild
Barracuda’s latest Threat Spotlight (published August 20) details two new techniques attackers are using to evade detection at scale. Their researchers observed these tactics in campaigns tied to phishing-as-a-service (PhaaS) kits, including Gabagool and Tycoon—two platforms that package advanced phishing tools for would-be scammers.
For the full context straight from the source, see Barracuda’s analysis: Barracuda Networks Blog.
Split QR Codes: One Code, Two Images, Zero Alerts
In the split technique, attackers divide a single QR code into two separate image files, then position them in the email so they look like one seamless code.
- What email filters see: two harmless images with no QR payload.
- What you see: a single, normal QR code that scans correctly.
- What happens next: your phone opens a phishing site—often a convincing Microsoft login—designed to steal credentials.
Barracuda reports seeing this used by Gabagool in what looked like a routine “Microsoft password reset” email. The messages were tailored, which suggests the attackers had already hijacked the conversation—replying within an existing thread to exploit trust. That’s a classic and effective step-up technique.
Nested QR Codes: Malicious Outside, Legit Inside
In the nesting technique, attackers embed a malicious QR code inside or around a legitimate one.
- The outer code might point to a malicious site.
- The inner code might point to a safe destination like Google.
- Scanners and parsers get ambiguous results, making it harder to flag.
Barracuda ties this approach to operators using the Tycoon PhaaS. The goal is simple: create a visual that looks normal yet confuses automated scanners, lowering the chance of detection.
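The finder-pattern heuristic below is an added illustration (my code, not Barracuda's detector and not a real QR decoder) of why both tricks defeat a naive "is there a QR code in this image?" check. It builds synthetic, QR-shaped bitmaps (three finder patterns around a filler pattern; they are not scannable codes), counts finder patterns the way a reader locates them, and then shows that each half of a split code carries fewer than three, that stitching the two inline images back together recovers all three, and that a code pasted inside another shows up as more than three. The bitmap layout, the split position and the nesting offset are all assumptions made for the demonstration.

```python
from typing import List, Set, Tuple

Bitmap = List[List[int]]     # 1 = dark module, 0 = light module
Run = Tuple[int, int, int]   # (colour, start index, length)


def synthetic_qr(size: int = 21) -> Bitmap:
    """A QR-shaped matrix (assumed layout, not a decodable code): three 7x7
    finder patterns with light separators, the data area filled with a
    deterministic stripe pattern whose runs are 1 or 2 modules long, so the
    data can never imitate the 1:1:3:1:1 finder ratio by accident."""
    bm = [[1 if (x + 2 * y) % 3 else 0 for x in range(size)] for y in range(size)]
    for ox, oy in ((0, 0), (size - 7, 0), (0, size - 7)):
        for dy in range(-1, 8):
            for dx in range(-1, 8):
                x, y = ox + dx, oy + dy
                if 0 <= x < size and 0 <= y < size:
                    ring = max(abs(dx - 3), abs(dy - 3))     # distance from the finder centre
                    bm[y][x] = 1 if ring in (0, 1, 3) else 0  # dark core and border, light ring and separator
    return bm


def runs(line: List[int]) -> List[Run]:
    """Run-length encode one row or column."""
    out, start = [], 0
    for i in range(1, len(line) + 1):
        if i == len(line) or line[i] != line[start]:
            out.append((line[start], start, i - start))
            start = i
    return out


def finder_ratio(lengths: List[int]) -> bool:
    """ZXing-style test: five runs whose widths are 1:1:3:1:1, each within
    half a module of the expected width (independent of image scale)."""
    module = sum(lengths) / 7.0
    return sum(lengths) >= 7 and all(
        abs(got - want * module) < module / 2 for got, want in zip(lengths, (1, 1, 3, 1, 1)))


def finder_centres(bm: Bitmap) -> Set[Tuple[int, int]]:
    """Centres (x, y) where a dark/light/dark/light/dark 1:1:3:1:1 run occurs
    both along the row and along the column: how a reader finds finder patterns."""
    height, found = len(bm), set()
    for y, row in enumerate(bm):
        rr = runs(row)
        for i in range(len(rr) - 4):
            win = rr[i:i + 5]
            if win[0][0] != 1 or not finder_ratio([r[2] for r in win]):
                continue
            cx = win[2][1] + win[2][2] // 2                   # centre of the wide dark core
            cr = runs([bm[yy][cx] for yy in range(height)])
            for j in range(len(cr) - 4):
                mid = cr[j + 2]
                if (cr[j][0] == 1 and mid[1] <= y < mid[1] + mid[2]
                        and finder_ratio([r[2] for r in cr[j:j + 5]])):
                    found.add((cx, mid[1] + mid[2] // 2))
    return found


def classify(bm: Bitmap) -> str:
    """A complete QR code carries exactly three finder patterns."""
    n = len(finder_centres(bm))
    if n == 0:
        return "no code"
    if n < 3:
        return "fragment (possible split code)"
    if n == 3:
        return "single code"
    return "more than one code (possible nesting)"


def split_columns(bm: Bitmap, at: int) -> Tuple[Bitmap, Bitmap]:
    """Cut one image into two, as the split technique ships them."""
    return [row[:at] for row in bm], [row[at:] for row in bm]


def stitch_side_by_side(left: Bitmap, right: Bitmap) -> Bitmap:
    """Recompose two inline images that render flush against each other."""
    return [l + r for l, r in zip(left, right)]


def nest(outer: Bitmap, inner: Bitmap, scale: int, x0: int, y0: int) -> Bitmap:
    """Paste `inner`, with the one-module light quiet zone a QR image carries,
    over `outer` enlarged by `scale`: the nested-code layout."""
    canvas = [[outer[y // scale][x // scale] for x in range(len(outer[0]) * scale)]
              for y in range(len(outer) * scale)]
    for y in range(-1, len(inner) + 1):
        for x in range(-1, len(inner[0]) + 1):
            inside = 0 <= y < len(inner) and 0 <= x < len(inner[0])
            canvas[y0 + y][x0 + x] = inner[y][x] if inside else 0
    return canvas


if __name__ == "__main__":
    code = synthetic_qr()
    left, right = split_columns(code, 11)
    print("whole image   :", classify(code))                              # single code
    print("left fragment :", classify(left))                              # fragment: two finders
    print("right fragment:", classify(right))                             # fragment: one finder
    print("stitched      :", classify(stitch_side_by_side(left, right)))  # single code again
    nested = nest(synthetic_qr(), synthetic_qr(), scale=3, x0=21, y0=21)
    print("nested image  :", classify(nested))                            # more than one code
```

The practical lesson for a filter is in the two middle cases: a fragment with one or two finder patterns should raise suspicion rather than be dismissed as "not a QR code", and a count above three means two codes are overlaid, which is exactly the ambiguity a nested lure is built to create. A real pipeline would feed the stitched bitmap to a decoder and classify the URL it yields.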
Why Traditional Email Security Misses These Tricks
Legacy defenses center on URLs and attachments. Quishing sidesteps both by moving the malicious link into an image that only turns into a URL after a human scans it on a phone. And these new techniques raise the bar even more.
Common blind spots:
- No deep image analysis: Many filters don't visually inspect images to find and decode QR codes.
- Fragmented images: Split codes look like separate benign images at the file level.
- Ambiguity: Nested codes can produce mixed signals that automated tools struggle to classify.
- Mobile bypass: Users scan codes on phones, outside the desktop email security stack and corporate network.
For a structured view of how phishing shows up in adversary tradecraft, check MITRE’s ATT&CK technique for phishing: MITRE ATT&CK T1566.
The Real Risk: Credential Theft and Business Email Compromise
Most quishing campaigns aim to steal Microsoft credentials. Once attackers get in, they often:
- Register their own MFA method or create app passwords.
- Set inbox rules to hide their activity.
- Pivot to sensitive data and payments.
- Launch business email compromise (BEC) scams, invoice fraud, or payroll redirections.
With stolen credentials, a single scan can turn into a six-figure loss. It's not hypothetical: the FBI's IC3 consistently ranks BEC among the costliest crime types reported to it each year.
If you’re evaluating authentication posture, NIST’s guidance on phishing-resistant authentication is useful context: NIST SP 800-63B.
How to Stop Quishing: Defense in Depth With Multimodal AI
The Barracuda report emphasizes a layered approach. I agree. No single control blocks quishing alone. You need controls that can see images, understand what’s inside them, and test what happens after the scan—across both desktop and mobile flows.
Here are the capabilities to prioritize.
1) Multimodal AI that “sees” images and decodes QR payloads
- Computer vision to detect the presence and structure of QR codes in images.
- Decoding capabilities to extract embedded URLs or payloads.
- Structural analysis to flag pixel-level anomalies consistent with split or nested codes.
- Correlation across multiple images within the same email to identify composite codes.
This is the critical difference: you’re not just scanning text—you’re analyzing visual content and reconstructing intent.
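Correlating images within one email starts at the MIME and HTML layer, before any pixel is examined. The script below is an added example (not a vendor's or Barracuda's code) that parses a constructed multipart/related message in which two inline images sit in adjacent table cells, groups `<img>` tags that render flush against each other, and returns the image bodies of each group so a downstream step can stitch and decode them. The sample message, its Content-IDs and the placeholder image bytes are all constructed; the adjacency rule (consecutive images with no visible text between them) is a deliberately simple heuristic.

```python
import email
from email import policy
from html.parser import HTMLParser
from typing import Dict, List

# Constructed sample (not a real capture): a multipart/related message that
# renders two inline images flush against each other in one table row, the
# layout a split QR code lure relies on. Image bodies are text placeholders
# rather than real PNG data, which is all the grouping logic needs.
RAW_EMAIL = b"""From: "IT Helpdesk" <helpdesk@example-notify.net>
To: cfo@example.com
Subject: Action required: password reset
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body>
<p>Scan the code below to reset your password within 24 hours.</p>
<table cellpadding="0" cellspacing="0" border="0"><tr>
<td><img src="cid:part-left" width="120"></td>
<td><img src="cid:part-right" width="120"></td>
</tr></table>
<p>Thanks, IT Helpdesk</p>
<img src="cid:logo" width="80">
</body></html>
--b1
Content-Type: image/png
Content-ID: <part-left>
Content-Transfer-Encoding: 7bit

LEFT-HALF-PLACEHOLDER
--b1
Content-Type: image/png
Content-ID: <part-right>
Content-Transfer-Encoding: 7bit

RIGHT-HALF-PLACEHOLDER
--b1
Content-Type: image/png
Content-ID: <logo>
Content-Transfer-Encoding: 7bit

LOGO-PLACEHOLDER
--b1--
"""


class AdjacentImageFinder(HTMLParser):
    """Group <img> tags that render next to each other: consecutive images with
    no visible text between them. Table, row and cell tags are ignored, so two
    images in neighbouring cells of one row land in the same group."""

    def __init__(self) -> None:
        super().__init__()
        self.groups: List[List[str]] = []
        self._current: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "img":
            self._current.append(dict(attrs).get("src") or "")

    def handle_data(self, data: str) -> None:
        if data.strip():            # visible text breaks adjacency
            self._flush()

    def _flush(self) -> None:
        if self._current:
            self.groups.append(self._current)
        self._current = []

    def close(self) -> None:
        super().close()
        self._flush()


def inline_images(msg) -> Dict[str, bytes]:
    """Map Content-ID (without angle brackets) to decoded image bytes."""
    return {(part.get("Content-ID") or "").strip("<>"): part.get_payload(decode=True)
            for part in msg.walk() if part.get_content_maintype() == "image"}


def composite_image_groups(raw: bytes) -> List[List[bytes]]:
    """Image bodies of every group of two or more adjacent inline images,
    i.e. the candidates to stitch together before running a QR decoder."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    finder = AdjacentImageFinder()
    finder.feed(html_part.get_content())
    finder.close()
    images = inline_images(msg)
    groups = []
    for srcs in finder.groups:
        cids = [s[4:] for s in srcs if s.startswith("cid:")]
        blobs = [images[c] for c in cids if c in images]
        if len(blobs) >= 2:
            groups.append(blobs)
    return groups


if __name__ == "__main__":
    for n, group in enumerate(composite_image_groups(RAW_EMAIL), 1):
        print(f"group {n}: {len(group)} adjacent inline images -> stitch, then decode")
```

The lone logo image is correctly left out because a paragraph of text separates it from the pair. Two caveats for production use: images stacked vertically in successive table rows also need grouping (extend the heuristic to ignore `<br>` and block tags), and remote images referenced by `https://` rather than `cid:` must be fetched in a sandbox before they can be stitched at all.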
2) Safe detonation and behavioral analysis
- Open decoded links in a sandboxed environment.
- Observe redirects, JavaScript execution, and credential harvesting pages in real time.
- Identify brand impersonation (e.g., Microsoft) and kit fingerprints.
For Microsoft 365 environments, ensure you're making full use of Safe Links and related controls: Microsoft Defender for Office 365 Safe Links. One caveat: Safe Links can only wrap URLs it sees in the message body. A URL that exists only as pixels in a QR image is invisible to it unless your email service first extracts the URL from the image, so verify that QR extraction is actually enabled and exercised in your tenant rather than assuming link rewriting covers it.
3) Policy-based handling of QR codes in email
- Flag or quarantine emails that contain QR codes, especially those purporting to reset passwords or verify accounts.
- Add banners warning users when an email contains a scannable code.
- Treat QR codes from external senders as high risk by default.
4) Hardening identity and access
- Enforce phishing-resistant MFA (e.g., FIDO2 security keys or device-bound passkeys) where possible.
- Restrict legacy authentication and app passwords.
- Apply conditional access for risky sign-ins and unfamiliar devices.
- Monitor for suspicious inbox rules and impossible travel.
5) Coverage for mobile scanning flows
- Use managed mobile browsers and identity-aware proxies to enforce protection even when URLs originate from a scan.
- Disable auto-open behaviors in QR scanning apps where policy allows.
- Standardize on trusted scanning apps or browser-native scanners with URL preview features.
6) User reporting and rapid response
- Add a “Report phishing” button in email clients and on mobile. Encourage reporting of QR-based lures specifically.
- Build an incident playbook for quishing:
- Revoke sessions and reset passwords.
- Check for illicit MFA enrollment.
- Audit mailbox rules and forwarding.
- Hunt for similar messages in the tenant.
CISA offers practical guidance on identifying and reporting suspicious emails: CISA: Understanding and reporting suspected phishing emails.
Practical Steps for Security Teams
Let’s turn the strategy into a checklist your team can act on this quarter.
- Email security
- Enable image inspection and QR detection features in your secure email gateway (SEG).
- Configure URL detonation of any decoded QR links.
- Implement visual brand impersonation detection for Microsoft and other high-value brands.
- Add a rule: quarantine external emails that contain QR codes and claim to be “password resets,” “MFA enrollment,” or “invoice verification.”
- Identity and access
- Enforce MFA for all users; prioritize phishing-resistant methods for admins and finance.
- Disable legacy auth and app passwords. Review OAuth app consent policies.
- Configure conditional access baselines and impossible travel alerts.
- Mobile and endpoint
- Enforce managed browser usage on mobile for corporate accounts.
- Require OS and browser updates. Patch aggressively.
- Use DNS or web proxies that can block malicious destinations even from mobile.
- Detection and response
- Create detections for new or modified inbox rules that move mail to folders users rarely look at (RSS Subscriptions, RSS Feeds, Archive, Conversation History, Deleted Items), mark it read, delete it, or forward or redirect it externally; attackers also favour rule names that are a single character or punctuation.
- Hunt for traffic to URL shorteners and open redirectors commonly used to front QR lures, and for suspicious redirect chains.
- Establish a drill for quishing with response SLAs.
- Governance and training
- Update your security awareness modules with a QR-specific section and examples.
- Publish a policy: “Corporate IT will never send QR codes to reset passwords or verify accounts.”
- Require vendor invoices and payment changes to be verified via a second channel.
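For the "Detection and response" item on inbox rules, here is an added example (not from the page's source and not a vendor rule) that scores New-InboxRule and Set-InboxRule events for the traits attackers leave behind after a credential theft. The records are constructed in the shape of Microsoft 365 Unified Audit Log ExchangeAdmin entries (an Operation plus a Parameters list of Name/Value pairs); the organization domain, the hiding-folder and keyword lists and the score threshold are assumptions to tune for your tenant.

```python
import re
from typing import Dict, List, Tuple

# Assumptions for this example: your own domains, the folders attackers use to
# hide mail, and the words BEC rules typically match on. Tune for your tenant.
ORG_DOMAINS = {"example.com"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history",
                  "junk email", "deleted items"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
BEC_KEYWORDS = {"invoice", "payment", "wire", "password", "hacked", "phishing",
                "suspicious", "fraud", "mfa", "bank"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed records in the shape of Unified Audit Log ExchangeAdmin events;
# not captured from a real tenant.
SAMPLE_RECORDS: List[Dict] = [
    {"CreationTime": "2025-08-21T09:14:03", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire;password"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-08-21T09:20:41", "Operation": "Set-InboxRule",
     "UserId": "ap@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "Vendor updates"},
                    {"Name": "ForwardTo", "Value": "[SMTP:billing@example-payments.net]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-08-21T10:02:15", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.22",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]


def rule_params(record: Dict) -> Dict[str, str]:
    """Flatten the Parameters Name/Value list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def score_rule(record: Dict) -> Tuple[int, List[str]]:
    """One point per suspicious trait; the reasons make the alert explainable."""
    p = rule_params(record)
    reasons: List[str] = []
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to '{p['MoveToFolder']}'")
    for name in FORWARD_PARAMS:                       # values arrive in several formats, so pull addresses out
        external = [a for a in EMAIL_RE.findall(p.get(name, "")) if is_external(a)]
        if external:
            reasons.append(f"{name} to external {external}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks matching mail as read")
    words = {w.strip().lower() for name in KEYWORD_PARAMS
             for w in p.get(name, "").split(";") if w.strip()}
    hits = sorted(words & BEC_KEYWORDS)
    if hits:
        reasons.append(f"filters on BEC keywords {hits}")
    rule_name = p.get("Name") or p.get("Identity") or ""
    if rule_name and all(c in ".,-_ " for c in rule_name):
        reasons.append(f"rule name is punctuation only ({rule_name!r})")
    return len(reasons), reasons


def triage(records: List[Dict], threshold: int = 2) -> List[Dict]:
    """Explainable findings for rule create/modify events scoring at or above threshold."""
    findings = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        score, reasons = score_rule(r)
        if score >= threshold:
            findings.append({"time": r["CreationTime"], "user": r["UserId"],
                             "client_ip": r.get("ClientIP"), "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['time']} {f['user']} from {f['client_ip']} score={f['score']}: "
              + "; ".join(f["reasons"]))
```

Two of the three constructed events fire (the RSS-hiding rule with a one-character name, and the external forward that also deletes), and the same source IP on both is the kind of pivot worth joining to sign-in logs. Extend the same idea to Set-Mailbox events that set ForwardingSmtpAddress or ForwardingAddress, which achieve the forward without any inbox rule at all.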
For a broader overview of phishing trends and defenses across the ecosystem, ENISA’s threat coverage is also useful: ENISA Cyber Threats – Phishing.
What to Tell Your Users: The Quishing Quick Guide
Most breaches start with a human decision. Clear guidance, delivered often, saves money and stress.
Share this simple checklist:
- Be skeptical of any QR code sent by email or chat, especially for:
- Password resets
- MFA enrollment
- Payment or invoice actions
- Account verification
- Verify the request via another channel. Don’t scan to “fix” a problem that came out of the blue.
- If you scan a code, always preview the URL. Does it match the brand exactly? No lookalikes. No subtle typos.
- Never enter your Microsoft or Google password on a site opened from a QR scan unless you navigated there yourself.
- Use your company’s official app or bookmarked URL for logins.
- Report suspicious emails with the “Report phishing” button. When in doubt, report.
CISA’s practical tips on avoiding phishing are a good refresher: CISA: Avoid phishing attacks.
How These Attacks Might Evolve Next
Attackers iterate quickly. Expect more tactics that mix images, CSS, and multi-layer codes to break static scanners. We’ll likely see:
- More conversation hijacking combined with QR codes for higher trust.
- Time-based or session-based QR payloads that change after delivery.
- Increased use of CAPTCHAs and smart bot detection to evade sandboxes.
- QR codes that trigger device-specific behaviors or mobile deep links.
On the defender side, multimodal detection—vision plus language plus behavior—will become table stakes. Vendors that can prove accurate image understanding and end-to-end detonation will lead.
Evaluating “AI-Powered” Email Protection for Quishing
Many products now claim multimodal or AI-based protection. Here’s how to separate signal from noise:
Ask vendors:
- Can your system detect and reconstruct split QR codes across multiple images in one email?
- Can it identify nested or overlapping QR codes and flag ambiguity?
- Do you decode QR payloads and detonate the resulting URLs in a sandbox?
- How do you handle mobile-originated traffic (e.g., scans that open on a phone)?
- What are your false positive and false negative rates on image-based phishing?
- Can you show me recent quishing samples you detected and blocked?
- How quickly do your models adapt to new visual obfuscation techniques?
- What privacy and data handling practices apply to image scanning?
A quick note: Google Safe Browsing and similar services are valuable layers, but don’t rely on them alone. See Google Safe Browsing for how the ecosystem helps—but treat it as one control, not the control.
Frequently Asked Questions
How does a “split” QR code bypass security? – Attackers slice a QR code into two images and place them side by side (or overlapped) in the email. Many filters only see two benign images. A human sees a complete code and scans it, triggering the malicious URL.
What is a “nested” QR code? – A nested code layers a malicious QR with a legitimate one. The inner code might go to Google while the outer code goes to a phishing site. Automated scanners get mixed results, so the email slips through.
Does MFA stop quishing? – MFA helps, but not always. Attackers can bombard you with push prompts until you approve one, or, with adversary-in-the-middle (AiTM) kits such as Tycoon, proxy the real Microsoft login page so that you complete MFA for them and they capture the resulting session cookie. Use phishing-resistant MFA (like FIDO2 security keys), which binds the authentication to the genuine origin, and lock down legacy authentication. See NIST's guidance on stronger authenticators: NIST SP 800-63B.
How can I spot a malicious QR code in an email? – Treat any QR code in a password reset, MFA, or payment email as suspicious. Verify via a known-good method (official app, bookmarked login). If you scan, preview the URL and ensure the domain is exact—no typos, subdomains, or lookalikes.
Are QR code scanners safe? – Built-in camera apps are generally safer than third-party scanners, but no app can guarantee a link is good. Always preview the URL and avoid entering credentials after scanning.
What should my company policy say about QR codes? – Keep it simple: IT will never send QR codes for password resets, MFA, or account verification. Employees should use official apps or bookmarked links. Finance teams must validate payment requests via a second channel.
How do I report a quishing attempt? – Use your organization’s phishing report button. If you’re a private individual, you can report cybercrime attempts via your national cyber authority. In the U.S., the FBI’s IC3 portal is a good starting point: ic3.gov.
Is this a brand-new threat? – Quishing isn’t new, but the split and nested techniques described by Barracuda show a fresh level of evasiveness. Expect more image-based obfuscation going forward. Read Barracuda’s analysis here: Barracuda Networks Blog.
The Bottom Line
Attackers are upgrading quishing with split and nested QR codes that slip past legacy defenses. Don’t fight tomorrow’s attacks with yesterday’s tools. Strengthen your stack with multimodal AI that can see images, decode QR payloads, and detonate links safely. Back it up with phishing-resistant MFA, tight identity controls, and simple user rules: never scan a QR code to “fix” your account.
Action steps this week:
- Turn on image and QR inspection in your email security.
- Quarantine emails that include QR codes for resets, MFA, or payments.
- Enforce phishing-resistant MFA for high-risk roles.
- Update user training with QR-specific guidance.
- Test your defenses with real quishing simulations.
If you found this helpful, consider subscribing for more practical breakdowns of emerging threats and the defenses that actually work. Stay sharp—and don’t let a square of pixels steal your business.