In the ever-shifting landscape of cyber threats, attackers are constantly seeking "blind spots" in traditional security architecture. While we have spent the last two decades training users to spot suspicious links and perfecting text-based email filters, a new variant of social engineering has quietly surged to the forefront of corporate risk: Quishing.
A portmanteau of "QR" and "Phishing", quishing represents a structural shift in how malicious payloads are delivered. By embedding a malicious URL inside a QR code image rather than a clickable link, attackers are successfully bypassing the first-generation security filters that most businesses still rely on today.
Why QR Codes are the Perfect Lure
The popularity of QR codes exploded during the pandemic, becoming the standard for everything from restaurant menus to conference check-ins and parking payments. For most of us, scanning a code has become an automatic, trusted action. Cybercriminals are now weaponising this "learned trust".
According to the latest Cyber Security Breaches Survey 2025/2026, phishing remains the primary entry point for data breaches. However, quishing adds a unique layer of complexity. When an employee scans a malicious QR code on their work laptop or within a company email, they almost always use their personal smartphone to do so.
This is a deliberate tactical choice by the attacker. By shifting the attack from a managed corporate workstation to an unmanaged personal device, they achieve three critical objectives:
- Bypassing Endpoint Protection: Most personal phones lack the enterprise-grade antivirus and EDR tools found on company laptops.
- Evading DNS Filtering: The phone typically uses a mobile data connection or home Wi-Fi, bypassing the corporate firewall and DNS security layers that might have blocked the malicious site.
- Hiding the Destination: Unlike a standard link, where you can hover your mouse to "peek" at the URL, a QR code provides no immediate visual cue of its destination until the scan is already complete.
The Technical Blind Spot
The reason quishing is so successful is that most legacy Secure Email Gateways (SEGs) are essentially "literate" but "blind". They are designed to parse text, follow HTML links, and scan file attachments for signatures. To these older systems, a QR code is simply a harmless image—a collection of black and white pixels with no inherent "meaning".
Attackers exploit this by sending emails that mirror standard corporate communications: mandatory HR policy updates, Microsoft 365 MFA reset requests, or urgent invoices. Because the actual "malicious" part of the email is inside the image data, the message clears the gateway’s text-parsing filters and lands in the user's inbox with a "Clean" bill of health.
How MailShield Sees What Others Miss
At CADMUS, we recognised early on that perimeter defence must evolve beyond simple text analysis. MailShield SEG was architected with a "Visual First" security philosophy to close exactly this kind of detection gap.
Our gateway doesn't just read the text of an email; it "looks" at it. Here is how MailShield protects your network from quishing:
1. Optical Character Recognition (OCR) & Image Analysis: As every email hits the perimeter, MailShield's engine performs deep image scanning. It automatically extracts any QR codes found in the body of the email or inside attachments (such as PDFs and Word documents). It "reads" the code just as a smartphone would, but it does so in a safe, isolated environment.
2. Malicious URL Correlation: Once a link is extracted from a QR code, it is immediately compared against our global threat intelligence feed. If the code points to a known credential-harvesting site or to a suspicious, newly registered domain (often registered only minutes before the attack), the email is instantly quarantined.
3. Secure Sandbox Inspection: If the destination is unknown or obfuscated, MailShield triggers its secure sandbox. The system follows the link and inspects the final landing page for suspicious elements, such as pixel-perfect clones of the Microsoft 365 or Google Workspace login screens. If the destination at the end of the code is malicious, the email never reaches your user.
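As an added illustration of steps 1 and 2 (example code written for this article, not MailShield's implementation): a Python sketch that walks the image and PDF parts of a MIME message, hands each to a QR decoder, and triages the decoded URL against a blocklist plus offline heuristics. The QR decoder (a library such as pyzbar in practice), the threat-intel feed, the domain-age lookup and the sandbox stage are assumptions here and are represented by constructed stand-ins.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse
# Constructed stand-ins for a threat-intel blocklist and the real brand login hosts
# that quishing pages clone; a production gateway queries live feeds and RDAP here.
KNOWN_BAD = {"login-m365-verify.example", "mfa-reset.example"}
LEGIT_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
BRAND_WORDS = ("microsoft", "office365", "m365", "google", "workspace")
LURE_WORDS = ("login", "mfa", "verify", "invoice", "password")

def triage_url(url):
    """Verdict for a URL decoded from a QR code: 'quarantine', 'sandbox' or 'allow'."""
    p = urlparse(url if "://" in url else "http://" + url)
    host = (p.hostname or "").lower()
    if host in KNOWN_BAD:
        return "quarantine", ["host on threat-intel blocklist"]
    if host in LEGIT_HOSTS:
        return "allow", []
    checks = [  # (signal description, fired?)
        ("dotted-quad IPv4 literal as host", host.replace(".", "").isdigit()),
        ("punycode label (possible homoglyph domain)", any(l.startswith("xn--") for l in host.split("."))),
        ("brand name inside a non-brand host", any(w in host for w in BRAND_WORDS)),
        ("credential-lure keyword in URL", any(w in (p.path + p.query).lower() for w in LURE_WORDS)),
    ]
    reasons = [desc for desc, hit in checks if hit]
    # Two independent signals: quarantine. One: unknown, hand to the sandbox stage.
    return ("quarantine" if len(reasons) > 1 else "sandbox" if reasons else "allow"), reasons

def qr_urls_from_message(raw, decode_qr):
    """Pass every image or PDF MIME part to decode_qr; return (part name, URL) pairs."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/") or ctype == "application/pdf":
            for url in decode_qr(part.get_payload(decode=True)):
                found.append((part.get_filename() or ctype, url))
    return found

# Constructed sample lure. FAKE_PNG is not a real image; fake_decode_qr stands in for a
# real decoder (e.g. pyzbar) and returns the URL such a QR code would encode.
FAKE_PNG = b"\x89PNG fake-qr-bytes"
fake_decode_qr = lambda image_bytes: ["https://login-m365-verify.example/mfa/reset"] if image_bytes == FAKE_PNG else []

def build_sample_message():
    msg = EmailMessage()
    msg["Subject"] = "Action required: Microsoft 365 MFA reset"
    msg.set_content("Scan the attached code with your phone to keep your account active.")
    msg.add_attachment(FAKE_PNG, maintype="image", subtype="png", filename="mfa-reset.png")
    return msg.as_bytes()
```

Feeding build_sample_message() through qr_urls_from_message and triage_url yields a quarantine verdict for the constructed MFA-reset lure, while a genuine login.microsoftonline.com link is allowed.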
Best Practices for Your Team
While technological interception is the only scalable defence—given that 73% of users scan QR codes without verifying the destination—maintaining a culture of "Healthy Scepticism" is still vital:
- Treat QR Codes Like Links: If you wouldn't click a link in an unsolicited email, don't scan a QR code either.
- Verify the Source: If an "Urgent IT Update" comes with a QR code, call your IT department or use your known support portal instead of scanning.
- Check the URL: Most modern smartphone cameras provide a small preview of the URL before you click to open it. If it looks like a string of random characters or doesn't match the company it claims to be from, stop.
Quishing is a sophisticated evolution of a classic threat, but it relies on a gap in traditional filtering. By implementing a gateway that understands the visual nature of modern attacks, you ensure that your organisation remains a difficult target.