From QR Code To Compromise: The Growing Threat Of “Quishing”

Sophos has released the results of Sophos X-Ops research on a new type of threat: quishing. This new attack vector involves the use of fraudulent QR codes, emailed by threat actors, to bypass the phishing security measures put in place by companies.

This fraudulent QR code, embedded in a PDF document attached to an email, takes the form of a message about payroll, employee benefits, or other forms of official paperwork a business might send to an employee. Because QR codes are not readable by computers, the employee must scan the QR code using their mobile phone. The QR code links to a phishing page, which the employee may not recognise as malicious since phones usually are less protected than a computer. The goal of the attackers is to capture employees’ passwords and their multi-factor authentication (MFA) tokens in order to access a company’s system by bypassing the security measures in place.

“We spent a considerable amount of time sifting through all the spam samples we had to find examples of quishing,” comments Andrew Brandt, principal researcher at Sophos X-Ops. “Our research has revealed that attacks that exploit this specific threat vector are intensifying, both in terms of volume and sophistication, especially when it comes to the appearance of the PDF document.

In addition to social engineering tactics, the quality of emails, attachments and QR code graphics, these attacks seem to be growing in terms of organisation as well. Indeed, some malicious actors now offer as-a-service tools to run phishing campaigns using fraudulent QR codes. In addition to features such as CAPTCHA bypasses or the generation of IP address proxies to bypass automated threat detection, these criminal organisations provide a sophisticated phishing platform that can capture the credentials or MFA tokens of targeted individuals.

To encourage organisations to better protect systems against this type of attack, Sophos X-Ops shares a list of recommendations:

  • Be vigilant about internal emails about HR topics, salaries or company benefits: Sophos X-Ops’ research has found that social engineering tricks exploit these themes to trick employees into scanning fraudulent QR codes from their mobile devices.
  • Install Sophos Intercept X for Mobile: Available on Android, iOS and Chrome OS, this solution includes a secure QR code scanner that helps identify known phishing websites and alert if the URL is considered malicious.
  • Monitor risky sign-ins: Using identity management tools, organisations can detect unusual sign-in activity.
  • Enable Conditional Access: This feature helps enforce access controls based on the user’s location, device status and risk.
  • Enable effective access monitoring thanks to sophisticated logs: this type of advanced monitoring allows you to better visualise all access to the system and detect this type of threat in time.
  • Implement advanced email filtering:  Sophos’ QR code phishing protection solution detects fraudulent QR codes included directly in emails and plans to expand its solution to QR codes in attachments as early as the first quarter of 2025.
  • Leverage on-demand email retrieval: Sophos Central Email customers who use Microsoft 365 have this feature to eliminate spam or phishing emails from corporate emails.
  • Encourage employees to be vigilant and report incidents: Prompt reporting of anomalies to the incident response team is essential to protect company systems from phishing.
  • Revoke suspicious user sessions: It is imperative to have a plan in place to revoke user access that shows signs of compromise.

Despite the continuous development of new attack vectors, organisations can protect themselves from compromised systems by equipping themselves with the right tools, fostering a culture and work environment, and surrounding themselves with security vendors, like Sophos.