QR code phishing exploits a straightforward gap in email security architecture: most scanning tools analyse URLs in email body text and HTML. A QR code is an image. The URL encoded in that image is not examined by most email security solutions unless they include specific QR code scanning capability.
How Quishing Works
The attacker sends an email with a QR code — often styled as a security notification, MFA setup request, or document sharing link. The victim scans the QR code with their phone. The phone's browser opens the malicious URL — often an adversary-in-the-middle proxy that captures Microsoft 365 credentials and session tokens in real time.
Why Mobile Devices Amplify the Risk
Corporate desktop environments typically have endpoint security, conditional access policies, and managed browser configurations. Personal mobile phones — even enrolled in MDM — may not have the same security controls applied. The attacker routes the phishing through a device with weaker defences.
Mitigations
Enable QR code scanning in your email security platform — Defender for Office 365 has this capability via Safe Links. Apply Conditional Access policies that assess device compliance and block access from non-compliant devices, including mobile. Train staff to be suspicious of any QR code received via email, particularly those requesting authentication.
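The scanning gap described above (a link hidden in an image is invisible to URL-only filters) can be narrowed with a cheap triage filter in front of a real QR decoder. The script below is an added example, not from the original page or any vendor product: it flags messages with the typical quishing shape (authentication-themed wording, an inline or attached image, and no clickable http(s) link at all) using only the standard library; the sample messages are constructed, and the `build_sample` helper and the keyword list are assumptions of this example.

```python
"""Triage heuristic for QR-code phishing ("quishing") candidates.

Flags messages whose shape matches a quishing lure so that their images
can be routed to a QR decoder or an analyst. Standard library only.
"""
import re
from email import message_from_string

# Constructed lure vocabulary; tune to the wording seen in your own mail flow.
LURE_TERMS = re.compile(r"\b(mfa|multi-factor|authenticat\w*|verify|scan|expire\w*|password)\b", re.I)
URL_RE = re.compile(r"https?://", re.I)


def build_sample(html: str) -> str:
    """Constructed multipart/related message: one HTML part plus one inline PNG."""
    return (
        'Subject: Action required\nMIME-Version: 1.0\n'
        'Content-Type: multipart/related; boundary="b1"\n\n'
        '--b1\nContent-Type: text/html; charset=utf-8\n\n' + html + '\n'
        + '--b1\nContent-Type: image/png\nContent-ID: <img1>\n'
        + 'Content-Transfer-Encoding: base64\n\niVBORw0KGgo=\n--b1--\n'  # placeholder bytes, not a real QR image
    )


QUISH_SAMPLE = build_sample('<p>Your MFA token expires today. Scan the code with your phone '
                            'to verify your account.</p><img src="cid:img1">')
BENIGN_SAMPLE = build_sample('<p>Monthly newsletter. Read more at https://example.invalid/news</p>'
                             '<img src="cid:img1">')


def quishing_score(raw: str) -> dict:
    """Return extracted features and a verdict for one RFC 822 message string."""
    msg = message_from_string(raw)
    text, images, has_url = [], 0, False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            has_url = has_url or bool(URL_RE.search(body))
            text.append(body)
    joined = " ".join(text)
    lure_hits = sorted({m.lower() for m in LURE_TERMS.findall(joined)})
    # Shape of a quishing lure: an image, authentication wording, and nothing to hover over.
    suspicious = images > 0 and not has_url and len(lure_hits) >= 2
    return {"images": images, "has_url": has_url, "lure_hits": lure_hits, "suspicious": suspicious}


if __name__ == "__main__":
    for name, raw in (("quish", QUISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, quishing_score(raw))
```

Flagged messages still need their images decoded (a QR library such as pyzbar, assumed here, not shown) and the decoded URL run through the same reputation and sandbox checks as a text link.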
Can Conditional Access prevent quishing attacks?
Conditional Access with device compliance requirements significantly raises the bar. Even if a credential and session token are captured, a Conditional Access policy requiring a compliant enrolled device will block the attacker's browser from completing authentication. This is why phishing-resistant MFA combined with device compliance is more robust than MFA alone.