{
	"id": "b980755c-c592-4b37-81bb-906d2fb49a4e",
	"created_at": "2026-04-06T00:07:29.533622Z",
	"updated_at": "2026-04-10T03:21:11.251468Z",
	"deleted_at": null,
	"sha1_hash": "27f1fbc2246491ce8ece5d0398c7431bd724dc32",
	"title": "QR Code Phishing Emails: Early Detection | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 433436,
	"plain_text": "QR Code Phishing Emails: Early Detection | Proofpoint US\r\nBy Tim Bedard and Tyler Johnson, October 04, 2023\r\nPublished: 2023-10-03 · Archived: 2026-04-05 19:18:13 UTC\r\nThis blog post is part of a monthly series exploring the ever-evolving tactics of today’s cyber criminals.\r\nCybersecurity Stop of the Month focuses on the critical first steps in the attack chain—reconnaissance and initial\r\ncompromise—in the context of email threats.\r\nThe series is designed to help you understand how to fortify your defenses to protect people and defend data\r\nagainst emerging threats in today’s dynamic threat landscape.\r\nThe first two steps of the attack chain: reconnaissance and initial compromise.\r\nIn our past installments, we have covered supplier compromise, EvilProxy, SocGholish and e-signature phishing.\r\nAll of these are examples of threats we regularly detect for our customers before they’re delivered to users. In this\r\npost, we explore a recent detection of a phishing attack in which the URL was encoded into a QR code. We’ll also\r\nexplore the mechanisms employed by our AI-driven detection stack that ultimately prevented the email from\r\nreaching the inbox of its intended target.\r\nThe scenario\r\nPhishing, especially credential phishing, is today’s top threat. Bad actors constantly devise new methods and tools\r\nto gain authenticated access to users’ accounts. This illicit entry often results in financial loss, data breaches and\r\nsupplier account compromise that leads to further attacks.\r\nWe recently detected a phishing attack hidden behind a QR code at an agriculture company with more than 16,000\r\nemployees. Fortunately, our Aegis platform detected the threats and broke the attack chain.\r\nIn this scenario, a threat actor crafted a phishing lure purporting to contain completed documentation about the\r\ntarget’s wages. 
Instead of including a link for the target to click, the bad actor created a QR code phishing email\r\nscam instructing the recipient to scan it with their mobile phone’s camera to review the documentation. Once\r\nscanned, a fake SharePoint login screen prompts the user to provide credentials.\r\nQR Code phishing emails (quishing) represent a new and challenging threat. This technique moves the attack channel from the\r\nprotected email environment to the user’s mobile device, which is often less secure. With QR code phishing\r\nemails, the URL isn’t exposed within the body of the email. This approach renders most email security scans\r\nineffective.\r\nhttps://www.proofpoint.com/us/blog/email-and-cloud-threats/cybersecurity-stop-month-qr-code-phishing\r\nPage 1 of 6\r\nWhat’s more, decoding QR code phishing email scams using image recognition or optical character\r\nrecognition (OCR) quickly becomes resource-intensive and difficult to scale.\r\nThe Threat: How did the attack happen?\r\nHere is a closer look at how the recent attack unfolded:\r\n1. The deceptive message: An email claiming to contain employee payroll information, sent as if from the\r\norganization’s human resources department.\r\nMalicious email blocked by Proofpoint before it was delivered to the user's mailbox. (Note: For safety, we\r\nreplaced the malicious QR code with one linking to Proofpoint.com. The rest of the message is a redacted\r\nscreenshot of the original.)\r\n2. QR Code Attack Sequence: The recipient is instructed to scan the QR code with their mobile device.\r\nTypical QR Code Attack Sequence for Phishing.\r\n3. 
SharePoint phishing lure: Once the user decodes the URL, a fake SharePoint login screen tries to fool the\r\nrecipient into entering credentials.\r\nDecoded QR code redirecting to an example SharePoint phishing page.\r\nDetection: How did Proofpoint detect the attack?\r\nQR Code phishing email scams are challenging to detect. First, the phishing URL isn’t easy to extract and scan\r\nfrom the QR code. And most benign email signatures contain logos, links to social media outlets embedded within\r\nimages and even QR codes pointing to legitimate websites. So the presence of a QR code by itself isn’t a sure sign\r\nof phishing.\r\nWe employ an advanced blend of signals and layers of analysis to distinguish between weaponized and benign QR\r\ncodes. We analyze and profile:\r\nThe sender\r\nThe sender’s patterns\r\nThe relationship of the sender and recipient based on past communication\r\nThose clues help identify suspicious senders and whether they are acting in a way that deviates from an\r\nestablished profile. In this example, our systems had never before seen this sender communicate with this\r\norganization or recipient. Our platform proactively identified this new threat.\r\nSignals our Aegis platform used to condemn the message as a threat.\r\nBy themselves, uncommon sender patterns are a weak basis for condemning the message. Using patterns alone can\r\nresult in falsely classifying a benign message as bad. That’s often the case with email security tools that try to\r\naddress threats post-delivery.\r\nTo reduce the number of false positives, we combine a multitude of signals to extract the theme, nature and\r\nmetonym of the email’s content. (A metonym is a word or phrase used to represent something else, such as “the\r\ncrown” for British royalty. 
This kind of analysis enables our platform to infer the sender’s intent no matter what\r\nwords the sender uses to phrase it.) We analyze the sender’s email history along with a linguistic and semantic\r\nanalysis of the email’s body. Using this approach, our platform identified language that revealed the email was\r\nasking the recipient to take action—in this case, to scan a QR code with their mobile device.\r\nOutside of the behavioral and language analysis, we also detected deception tactics within the headers of the\r\nmessage. Even when their messages pass email authentication, bad actors try to spoof trusted entities or other employees. In\r\nthis case, the bad actors crafted the email headers to appear to be from the employer’s HR and payroll team. This\r\ntactic is meant to foster the recipient’s trust.\r\nAI-driven machine learning and behavioral AI play a pivotal role in our ability to detect all kinds of threats. Here,\r\nour detection engines caught this threat based on message-level indicators.\r\nBut we went a step further—and deeper—by analyzing the QR code. By using the OCR and image recognition\r\ntechnology in our detection engines, we scanned and condemned malicious URLs hidden within the QR code\r\nitself. We extract both URLs and text to ensure that any messages that should be delivered are delivered and those\r\nthat shouldn’t be are blocked or remediated.\r\nRemediation: What are the lessons learned?\r\nTo safeguard against threats such as QR-code scams, phishing, and other socially engineered threats, we\r\nrecommend the following:\r\nUser education: Your employees and customers are your first line of defense. Make sure they get security\r\nawareness education about all types of phishing attacks. Topics should include deceptive emails and fake\r\nlogin pages. 
This can greatly reduce their chances of being a victim.\r\nAccount takeover protection: A good cloud security platform can identify account takeover (ATO)\r\nattacks and prevent unauthorized access to your sensitive cloud resources. This security control should\r\ncover both initial- and post-compromise activities. And it should let your security team get a closer look\r\ninto which services and applications are being abused by attackers. Make sure to look for a solution that\r\nautomates remediation. This reduces attackers' dwell time and keeps damages to a minimum.\r\nSupply chain protection: Defend your organization from emails sent from potentially compromised\r\nvendors and partners. Proofpoint Supplier Threat Protection uses advanced AI and the latest threat\r\nintelligence to detect the supplier accounts that have been compromised and prioritize any that should be\r\ninvestigated.\r\nMultifactor authentication (MFA): Strong authentication measures such as MFA can boost your\r\nsecurity posture. But MFA is no silver bullet; a growing number of attacks show how traditional MFA\r\napproaches can fail. That’s why cloud-based ATO automated tools, which can promptly remediate these\r\ntypes of incidents, are critical.\r\nPre-delivery email security: Preventing and blocking malicious messages before delivery is the only sure way to keep users safe.\r\nWhy is this so important? Because nearly 1 in 7 malicious URLs are clicked on in less than one minute,\r\naccording to our research. Your organization needs a cybersecurity solution that uses both machine\r\nlearning and advanced threat detection to identify and stop these threats, such as the Proofpoint Aegis\r\nthreat protection platform. Post-delivery email security tools claim to detect these threats. But even when\r\nthey do, they do so later in the attack chain—after the threat is already in users’ inboxes. 
A post-delivery\r\napproach exposes users and your organization to threats until the threat is remediated from the inbox.\r\nBreak the attack chain with Proofpoint\r\nBad actors continue to find new and creative methods to skirt existing security solutions. QR code phishing email\r\nscams are just the latest reminder of the critical need for multi-layered and robust cybersecurity measures. In\r\ntoday's world of sophisticated cyber threats, organizations must be vigilant and proactive in protecting themselves\r\nand their customers.\r\nTo stay ahead of these evolving dangers, you need a comprehensive approach to protecting against threats\r\ntargeting your people. Pre-delivery detection and protection combined with post-delivery automated remediation\r\nand user awareness are essential. Unlike post-delivery email security tools, we stop attacks farther up the attack\r\nchain, before messages get delivered to the inbox.\r\nTo learn how to protect yourself against threats like SaaS app phishing, download our e-book, The Definitive\r\nEmail Cybersecurity Strategy Guide.\r\nSource: https://www.proofpoint.com/us/blog/email-and-cloud-threats/cybersecurity-stop-month-qr-code-phishing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/email-and-cloud-threats/cybersecurity-stop-month-qr-code-phishing"
	],
	"report_names": [
		"cybersecurity-stop-month-qr-code-phishing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434049,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27f1fbc2246491ce8ece5d0398c7431bd724dc32.pdf",
		"text": "https://archive.orkl.eu/27f1fbc2246491ce8ece5d0398c7431bd724dc32.txt",
		"img": "https://archive.orkl.eu/27f1fbc2246491ce8ece5d0398c7431bd724dc32.jpg"
	}
}