Detecting QR Code Phishing with Email Security

Overview

QR code phishing (quishing) is a rapidly growing attack vector where malicious URLs are embedded in QR code images within phishing emails. Quishing incidents grew fivefold from 46,000 to 250,000 between August and November 2025, with credential phishing comprising 89.3% of detected incidents. Traditional email security filters struggle because QR codes cannot be read by humans or standard URL scanners, and when scanned, users typically use personal mobile devices that lack corporate security controls. Attackers have evolved to use split QR codes (two separate images), nested QR codes, and ASCII text-based QR codes to evade detection.

When to Use

• When investigating security incidents that require detecting qr code phishing with email security
• When building detection rules or threat hunting queries for this domain
• When SOC analysts need structured procedures for this analysis type
• When validating security monitoring coverage for related attack techniques

Prerequisites

• Email security gateway with image analysis capabilities
• Understanding of QR code structure and encoding
• Mobile device management (MDM) or mobile threat defense solution
• Security awareness training program
• SIEM platform for correlation and alerting