Attackers have started using split QR codes and nested QR codes to evade email security filters, making it harder to detect QR code phishing (quishing) and making it significantly easier to dupe end users.
Quick Summary – TLDR:
- Threat actors are now using advanced QR code phishing techniques to conceal malicious payloads and bypass email security filters.
- Campaigns often rely on the Gabagool and Tycoon phishing-as-a-service (PhaaS) kits, suggesting these techniques are now commercialized and widely available.
- Attackers impersonate Microsoft password reset notices, luring victims into scanning the codes with their mobile devices.
What Happened?
Security researchers are warning against a new wave of QR code phishing attacks targeting Microsoft credentials. Two new techniques are being used that make detection more difficult compared to earlier campaigns:
- Split QR codes: a single QR code divided into multiple images to evade detection
- Nested QR codes: one QR code embedded inside another to confuse email scanners
While the delivery method is more advanced, the lure and end goal remain the same. Attackers want to trick the victim into scanning the QR code and entering their credentials into a spoofed Microsoft login page controlled by the adversary.
A Closer Look at the Split QR Code Technique
The split QR code technique is one of the most innovative ones we’ve seen with this campaign. It is even supported by the Gabagool phishing kit, which is actively sold on the Dark Web.
Instead of embedding a single QR code image in the phishing email, the Gabagool kit automatically divides the QR code into two separate image files (PNG or JPEG).
Because email scanners treat each image as unique, they can’t detect the full QR code pattern and fail to detect the malicious payload. Humans also can’t spot anything unusual, because the two halves appear perfectly aligned and look just like a normal QR code.
How QR Code Nesting Works
Another evasive method observed in this campaign is QR nesting, which is associated with the Tycoon phishing kit. In this technique, attackers embed one QR code inside another. The outer one typically contains the malicious payload (often a link to a credential-harvesting site), while the other one is harmless, encoding a benign URL or simple text.
In an example analyzed by Barracuda, the inner QR code directed to Google, adding a layer of legitimacy that further misleads automated filters.
This tactic exploits the way email scanners interpret QR images. Most only decode the inner, harmless code and mark the message as safe. On the other hand, mobile devices that victims use tend to read the full outer layer, which redirects them to the malicious site.
The Dark Web Economy Driving Quishing
This campaign is not an isolated case. Phishing kits like Gabagool and Tycoon are just a tiny part of a growing Dark Web marketplace that actively promotes advanced and innovative phishing and QR-based evasion features for a minimal fee.
Telegram channels also serve as a major distribution hub, thanks to their anonymity, lack of censorship, and easy access to hundreds of willing buyers and sellers.
Such services drastically reduce the barrier to entry, driving wider adoption of QR-based phishing across both low-skill and experienced cybercriminals.
What This Campaign Signals for Email Security
This campaign highlights a growing blind spot in email security. Image-based payloads are not something that most email filters can handle, leaving many organizations without meaningful tech-based protection against QR-based phishing attempts. Regularly training the workforce to be aware of the latest attack methods remains the only effective defense.
By pushing victims onto their phones, attackers also sidestep corporate protections like sandboxing and browser isolation. This shows that business email security can no longer operate in isolation from personal mobile device risk, and organizations must account for the fact that phishing now routinely spans multiple platforms.
Additionally, more advanced, multimodal detection will be key to identifying image-encoded payloads like split and nested QR codes before they ever reach the inbox.
SQ Magazine Takeaway
Quishing is no longer an anomaly in a sea of traditional email phishing. It’s a very real threat with massive adoption across the cybercriminal underworld, largely due to the commercialization of quishing tools. Industry reports show QR codes in phishing campaigns have grown tenfold, making it one of the fastest-expanding phishing techniques in circulation.
Defenders need to start treating QR-based attacks with the same seriousness as traditional phishing by upgrading detection capabilities and favoring security awareness programs that use up-to-date, dynamic, personalized content.
