QR code phishing (quishing) exploits a straightforward gap in email security architecture: most scanning tools analyse URLs in email body text and HTML. A QR code is an image. The URL encoded in that image is not examined by most email security solutions unless they include specific QR code scanning capability.
How Quishing Works
The attacker sends an email with a QR code — often styled as a security notification, setup request, or document sharing link. The victim scans the QR code with their phone. The phone's browser opens the malicious URL — often an adversary-in-the-middle proxy that captures credentials and session tokens in real time.
Why Mobile Devices Amplify the Risk
Corporate desktop environments typically have endpoint security, , and managed browser configurations. Personal mobile phones — even enrolled in — may not have the same security controls applied. The attacker routes the phishing through a device with weaker defences.
Mitigations
Enable QR code scanning in your email security platform — has this capability via Safe Links. Apply Conditional Access policies that assess device compliance and block access from non-compliant devices, including mobile. Train staff to be suspicious of any QR code received via email, particularly those requesting authentication.
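As an added illustration of the scanning gap described at the top of this piece and of the first mitigation above (example code, not from the original article): a text-only URL extractor returns nothing for a QR-only lure, while an image-aware pass hands every image part to a QR decoder and applies the same host policy to whatever it finds. The decoder is a pluggable callable because real decoding needs a library such as pyzbar; `fake_decoder`, the `example-lure.test` URL and the `login.example.com` allowlist are constructed stand-ins.

```python
import re
from email.message import EmailMessage
from typing import Callable, Iterable
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def urls_in_text_parts(msg: EmailMessage) -> list:
    """What a conventional scanner sees: URLs in text/plain and text/html only."""
    found = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            found += URL_RE.findall(part.get_content())
    return found

def urls_in_image_parts(msg: EmailMessage, decode_qr: Callable[[bytes], Iterable[str]]) -> list:
    """The missing pass: run a QR decoder over every image part, keep URL payloads."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            payloads = decode_qr(part.get_payload(decode=True))
            found += [p for p in payloads if URL_RE.fullmatch(p)]
    return found

def flag_qr_urls(msg: EmailMessage, decode_qr, trusted_hosts: set) -> list:
    """Apply the same host policy to QR-derived URLs: any host not on the
    allowlist (e.g. the tenant's own identity provider) is flagged for review."""
    return [u for u in urls_in_image_parts(msg, decode_qr)
            if urlparse(u).hostname not in trusted_hosts]

def build_sample() -> EmailMessage:
    """Constructed quishing-style lure: the body carries no URL, only an image."""
    msg = EmailMessage()
    msg["Subject"] = "Action required: re-register your MFA device"
    msg.set_content("Scan the QR code below with your phone to continue.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n<constructed-qr-image-bytes>",
                       maintype="image", subtype="png", filename="mfa-setup.png")
    return msg

def fake_decoder(image: bytes) -> list:
    """Stand-in for a real QR decoder (e.g. pyzbar.decode): returns the
    constructed lure URL whenever it is handed the sample image above."""
    return ["https://mfa-reset.example-lure.test/login"] if image.startswith(b"\x89PNG") else []

if __name__ == "__main__":
    lure = build_sample()
    print("text-only scan:", urls_in_text_parts(lure))  # []
    print("QR-aware scan:", flag_qr_urls(lure, fake_decoder, {"login.example.com"}))
```

In a real deployment the decoder call is the only line that changes; the point is that image parts must enter the same URL-policy path as text parts.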
Can Conditional Access prevent quishing attacks?
Conditional Access with device compliance requirements significantly raises the bar. Even if a credential and session token are captured, a Conditional Access policy requiring a compliant enrolled device will block the attacker's browser from completing authentication. This is why phishing-resistant MFA combined with device compliance is more robust than MFA alone.