Advanced phishing

The evolution of QR code phishing: Unmasking new 'quishing' tactics

by Jack Chapman
Published on 30th May 2024

The ‘quishing’ boom

Research has revealed that since 2021 there has been a material increase in QR code phishing (or ‘quishing’), as cybercriminals continue to exploit available technology and their widespread familiarity.

The once rare payload is nearly fourteen times more common in 2024 than it was three years ago, accounting for only 0.8% of attacks in 2021. This figure jumped to 1.4% in 2022, a staggering 12.4% in 2023, and has plateaued at 10.8% from January to March 2024.

Any new payload plays into the constant game of cat and mouse between attackers and organizations, as cybercriminals leverage phishing techniques that reap the highest rewards until these methods start to become less effective. Following any notable uptick in new payloads, Cybersecurity leaders start to implement more effective defenses to combat the attacks, forcing attackers to revert to old tactics or find different avenues to exploit.

For quishing, this meant a move away from traditional detection solutions towards advanced Integrated Cloud Email Security (ICES) vendors, as many secure email gateways (SEG) still do not have the technical capabilities to identify QR codes within the body of an email.  

This investment may explain the slight decline in quishing at the beginning of 2024 (in addition to the lack of a full year's worth of data so far). However, this doesn’t mean they are disappearing from inboxes just yet. Despite the fact more and more organizations are introducing sophisticated technology to identify quishing, attackers are attempting to use obfuscation techniques to conceal QR codes from detection. But how are adversaries masking QR codes and is it really working?

Obfuscation of QR codes in 2024

The age-old question – does size really matter?

In an effort to bypass SEG and ICES technology, cybercriminals have been experimenting with the size of QR codes in their attacks to determine whether this influences deliverability.

In the example below provided by Egress’ Threat Intelligence team, we can see a phishing email impersonating DocuSign (the most impersonated brand so far in 2024), inducing the recipient to use their mobile phone to scan the larger-than-average QR code and open what appears to be a ‘Funds Settlement Agreement’. In reality, this would lead the recipient to a fake DocuSign login portal where the cybercriminal is then able to steal the individuals' credentials to sell or use in further attacks.

Cybercriminals’ ultimate aim when changing the size is to assess whether this has any effect on detection rates, whilst ensuring it can still be scanned. However, whether larger or smaller, altering the size of a QR code has had very little success in evading detection, as can be seen in the example below.

Screenshot of a QR code attack that uses a large QR code on a dark blue background, with anti-phishing banners applied by Egress Defend.

Color-swapped QR codes

Threat actors have also been experimenting with changing the colors of QR codes and their backgrounds. In the example above, instead of the standard white background, they have used dark blue in line with DocuSigns branding to see whether this makes it more difficult for software to distinguish where the anchors (the corner boxes) of the code are and extract the underlying link.

In another instance, as shown in the screenshot below, cybercriminals have gone one step further by changing the color of the QR code itself. When our Threat Intelligence team tested these through several QR code libraries, the alteration of color had slightly more success evading detection than changing the size.  

Screenshot of a QR code attack that uses a QR code which fades from black to blue.

Hiding the QR code within attachments

Having exhausted their options of how to mask the QR codes in the body of the email, some threat actors have resorted to attaching the code in .jpg, .png, or .gif files, which display the code once opened. Detecting this method requires advanced technologies that can scan the information contained in the attachment and analyze the social engineering techniques in the email body to identify it as malicious.

Screenshot of a QR code attack that has a QR code attached within a .png file, with anti-phishing banners applied by Egress Defend.

Aware of the growing capabilities of technologies to inspect attachments, cybercriminals have begun to password-protect attachments, aiming to make it difficult for software to access the QR code within. It then becomes imperative that technologies take a holistic view of the email as a whole, taking into account the sender domain and the body of the email. In the below example, linguistic analysis picked up on the confidential and financial nature of the attachment, combined with the social engineering techniques leveraged to persuade the recipient to open the attachment. 

Screenshot of a QR code attack that has a QR code attached as a password protected PDF file, with anti-phishing banners applied by Egress Defend.

In another attempt to avoid detection, threat actors are attaching macro-enabled Excel files that automatically run various functions when opened. When the Excel attachment is clicked and opened, the macros automatically run the CONCAT function, which joins different cells in the spreadsheet. These cells all contain parts of a single URL that, once put together, form the malicious underlying link of the QR code. When the full URL is formed, another macro-enabled function will automatically generate a QR code from the link, as shown in the example created by our Threat Intelligence team below.

Screenshot of a QR code generated in Excel, produced by the Egress Threat Intelligence team.

This is perhaps the most advanced obfuscation techniques cybercriminals have utilized to mask QR codes because most detection technologies won’t be able to analyze the disjointed elements of the malicious URL or identify what macros are enabled (and ultimately what automatic functions will occur once the file is opened).

However, as many Cybersecurity leaders will agree, any macro-enabled file sent over email should be treated with caution and they may ring alarm bells to the recipient; especially since Microsoft now disables all macros and requires them to be manually enabled by the user. However, this only requires one click and individuals are likely to become desensitized to this – quickly and instinctively clicking the familiar ‘enable’ button when they’re working on autopilot.

 Therefore, it’s important that organizations use detection technologies that utilize linguistic and attachment analysis in tandem, as it would likely flag this sort of email as malicious due to the combination of a suspicious file and social engineering techniques persuading the recipient to open the attachment.

As cybercriminals produce more out-of-the-box ways to obfuscate their QR codes, the more suspicious they become to the recipient. Whether it's experimenting with size, color, or embedding QR codes within password-protected or macro-enabled attachments, these increasingly complex techniques often serve as red flags to vigilant recipients, who are ultimately the ones who must scan them for the attack to be successful. The very act of obfuscation, intended to bypass detection technologies, tends to arouse suspicion and caution, reinforcing the importance of skepticism and critical evaluation of unexpected QR codes in emails.

Threat intelligence predictions on QR code payloads in 2024

As is the case with any new payload and obfuscation technique, we can expect to see fluctuations in popularity over time. James Dyer, Threat Intelligence Lead at Egress, predicts:

“While we’re likely to see QR codes in phishing attacks for the time being, we anticipate that this may decline later in 2024. Following several unsuccessful attempts to mask QR codes from detection, cybercriminals may pivot back to traditional phishing techniques or pursue new methods, meaning we may see less ‘quishing’ attempts targeting our inboxes. With that said, organizations must remain vigilant, ensuring they leverage sophisticated technology capable of detecting and neutralizing malicious QR codes that persist in the threat landscape.”

Ultimately, the identification and prevention of ‘quishing’ and any associated obfuscation techniques requires organizations to employ advanced ICES software. Egress Defend takes a holistic approach to detection, using AI and zero-trust models, including attachment scanning, and linguistic, contextual and behavioral analysis to detect and neutralize emerging threats like zero-day attacks and ‘quishing’.