QR Code Phishing (Quishing)

How This Attack Works

Quishing attacks embed malicious URLs inside QR code images attached to emails or PDF documents. Because most email security gateways scan text links — not image-encoded URLs — quishing consistently bypasses automated defenses. Victims scan the QR code with their phone, which often lacks corporate security controls, and land on a convincing credential harvest page. Common lures include MFA re-enrollment, parcel delivery confirmation, and account verification.

Red Flags to Watch For

• ✗
  Unexpected email asks you to scan a QR code rather than click a link
• ✗
  Lure claims MFA needs to be re-enrolled via QR code — legitimate IT teams do not do this by email
• ✗
  QR code is embedded in a PDF or image attachment rather than displayed inline
• ✗
  Scanning the code leads to a login page for Microsoft, Google, or your bank
• ✗
  The email arrived from an external sender but claims to be from your IT department
• ✗
  Mobile browser shows a URL you do not recognize after scanning

Known Malicious Domains

These domains have been associated with this attack. Never click links going to these addresses.

• qr-verify-account.comMALICIOUS
• scan-to-confirm-identity.netMALICIOUS
• qr-login-secure.comMALICIOUS
• qr-mfa-challenge.netMALICIOUS

Glance automatically blocks emails from domains on this list. Domain list is not exhaustive — attackers register new domains continuously.