Cybercriminals are deploying increasingly sophisticated QR code phishing attacks, known as “quishing,” using advanced evasion techniques that bypass traditional security measures and exploit the ubiquity of mobile scanning.
Security researchers have identified two novel attack methods, split QR codes and nested QR-in-QR techniques, that demonstrate how attackers continue to evolve their tactics to circumvent detection systems.
Split QR Codes Evade Security Scanners
The Gabagool phishing-as-a-service (PhaaS) platform has introduced a technique that divides malicious QR codes into two separate images embedded within phishing emails.

When traditional email security solutions scan these messages, they identify two distinct and seemingly benign images rather than recognizing the complete QR code threat. This fragmentation approach allows the malicious payload to remain hidden from conventional detection mechanisms.
Barracuda threat analysts recently discovered Gabagool attackers implementing this split QR code technique in a Microsoft password reset scam.
The attackers utilized highly tailored messages, suggesting they had previously executed successful conversation hijacking attacks against their targets.
While the QR code appears complete to recipients, analysis of the HTML reveals it comprises two different images that combine to form a functional code directing victims to credential-harvesting phishing pages.
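The HTML structure described above can be checked for on the defensive side. The following is an added example, not code from Barracuda or from the original article: it flags runs of adjacent images in an email body that tile into a near-square, so they can be rendered as one picture before QR decoding. The sample HTML, the function names, the reliance on declared width/height attributes and the 10% squareness tolerance are all assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample email body: one square image delivered as two halves.
SAMPLE_HTML = """
<p>Your password expires today. Scan to reset it:</p>
<table cellpadding="0" cellspacing="0"><tr>
<td><img src="cid:part1" width="100" height="200"></td>
<td><img src="cid:part2" width="100" height="200"></td>
</tr></table>
<p>Regards, IT Support</p>
<img src="cid:logo" width="120" height="40">
"""

class AdjacentImageFinder(HTMLParser):
    """Collect runs of <img> tags that have no visible text between them."""
    def __init__(self):
        super().__init__()
        self.runs, self._run = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self._run.append(dict(attrs))
    def handle_data(self, data):
        if data.strip():  # visible text ends the current run of images
            self.flush_run()
    def flush_run(self):
        if len(self._run) > 1:
            self.runs.append(self._run)
        self._run = []

def _px(img, key):
    value = (img.get(key) or "").removesuffix("px")
    return int(value) if value.isdigit() else None

def split_image_candidates(html, tolerance=0.1):
    """Return src lists for adjacent images that tile into a near-square."""
    finder = AdjacentImageFinder()
    finder.feed(html)
    finder.close()
    finder.flush_run()
    hits = []
    for run in finder.runs:
        w, h = [_px(i, "width") for i in run], [_px(i, "height") for i in run]
        if None in w or None in h:
            continue  # undeclared sizes: this heuristic cannot judge the run
        side_by_side = len(set(h)) == 1 and abs(sum(w) - h[0]) <= tolerance * h[0]
        stacked = len(set(w)) == 1 and abs(sum(h) - w[0]) <= tolerance * w[0]
        if side_by_side or stacked:
            hits.append([i.get("src") for i in run])
    return hits
```

A flagged run is only a candidate: the fragments still have to be composited in document order and passed to a QR decoder and URL analysis before any verdict is reached.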
Nested QR Codes Create Detection Ambiguity
The Tycoon 2FA PhaaS platform has deployed another evasion technique involving nested QR codes, where malicious codes are embedded within or around legitimate QR codes.

This method creates detection ambiguity by presenting scanners with conflicting results: the outer QR code points to a malicious URL, while the inner code leads to legitimate destinations like Google. The overlapping structure complicates automated analysis and can fool both security systems and users.
Advanced Defense Strategies Required
These evolving attack vectors highlight the limitations of traditional security measures and the necessity for multilayered protection strategies. Organizations must implement comprehensive defenses including security awareness training, multifactor authentication, and robust spam filters.
However, the most effective approach involves deploying multimodal AI capabilities that can render attachment images to visually locate QR codes, decode their content, analyze destination URLs, and execute suspicious links in sandbox environments.

Multimodal AI systems enhance detection by using machine learning to analyze QR code structure and pixel patterns without requiring content extraction.
Barracuda’s multimodal AI combines OCR, deep image processing, and natural language models to detect image-based phishing emails, even those containing only QR codes.
As attackers continue innovating their quishing techniques, security solutions must evolve correspondingly to protect against these sophisticated social engineering attacks that exploit both technological vulnerabilities and human trust in everyday digital interactions.