Sophos recently released findings on a new type of threat: quishing attacks. This attack vector uses fraudulent QR codes, embedded in email attachments such as PDFs, to bypass traditional phishing defenses: because the malicious URL is encoded in an image rather than written in the message body or a clickable link, filters that scan email text and links have nothing to inspect.
The embedded QR code often appears in documents mimicking payroll updates, employee benefits, or other official HR communications.
Scanning the QR code with a mobile device takes the user to a phishing site designed to steal login credentials and multi-factor authentication (MFA) tokens.
The scan also moves the victim from a managed desktop to a phone, often a personal device that sits outside the organization's email and web filtering and whose small screen shows little of the destination URL, which is why mobile devices make easy targets for such attacks.
“We spent a considerable amount of time sifting through all the spam samples we had to find examples of quishing,” said Andrew Brandt, principal researcher at Sophos X-Ops. “Our research has revealed that attacks that exploit this specific threat vector are intensifying, both in terms of volume and sophistication, especially when it comes to the appearance of the PDF document.”
How Quishing Attacks Work
Quishing attacks combine social engineering with technical sophistication. Attackers craft emails with convincing language, professional-looking attachments, and well-designed QR codes.
Some malicious actors now even offer phishing-as-a-service platforms. These tools include:
- CAPTCHA bypass features.
- Proxies to mask IP addresses.
- Systems for capturing login credentials and MFA tokens.
These services enable attackers to run large-scale campaigns and bypass traditional email security measures.
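The attachment-based delivery described above leaves a structural fingerprint: the PDF carrying the QR code is typically a single image with no text and no link annotation, so a link scanner sees nothing to check. The following added example (written for this article, not code from Sophos or any product named here) walks the MIME tree of a constructed payroll-themed email, pulls out each PDF attachment and flags the ones that are image-only with no /URI actions. The two embedded PDFs are constructed, trimmed to the object dictionaries the heuristic reads and are not renderable documents; the heuristic only works on uncompressed object dictionaries, so a production scanner would have to inflate object streams (PDF 1.5 and later) or render the page and run a real QR decoder.

```python
import email
import email.policy
import re
from email.message import EmailMessage

# Constructed quishing-style attachment: one page whose only content is an
# image XObject (the QR code) and which carries no text and no /URI link.
QR_ONLY_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200]"
    b" /Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R >> endobj\n"
    b"4 0 obj << /Type /XObject /Subtype /Image /Width 21 /Height 21"
    b" /ColorSpace /DeviceGray /BitsPerComponent 1 /Length 3 >>\n"
    b"stream\nabc\nendstream\nendobj\n"
    b"5 0 obj << /Length 32 >>\nstream\nq 180 0 0 180 10 10 cm /Im0 Do Q\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign attachment: ordinary text with a clickable link annotation.
TEXT_LINK_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200]"
    b" /Contents 4 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /Length 47 >>\nstream\nBT /F1 12 Tf 20 100 Td (Benefits summary) Tj ET\nendstream\nendobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [20 90 150 110]"
    b" /A << /S /URI /URI (https://hr.example.com/benefits) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")     # image XObjects
TEXT_RE = re.compile(rb"\bBT\b.*?\bET\b", re.S)    # text-showing blocks
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")        # link actions a URL filter can read


def pdf_features(data):
    """Count the structures the heuristic cares about. Reads raw, uncompressed
    object dictionaries only (assumption); object streams must be inflated first."""
    return {
        "images": len(IMAGE_RE.findall(data)),
        "text_blocks": len(TEXT_RE.findall(data)),
        "uris": [u.decode("latin-1") for u in URI_RE.findall(data)],
    }


def looks_like_qr_lure(data):
    """Image-only page with nothing for a link scanner to inspect: the usual
    shape of a quishing attachment."""
    f = pdf_features(data)
    return f["images"] > 0 and f["text_blocks"] == 0 and not f["uris"]


def triage_message(raw):
    """Walk the MIME tree of a raw RFC 822 message and score every PDF attachment.
    Returns a list of (filename, suspect, extractable_uris)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        data = part.get_payload(decode=True)
        results.append((part.get_filename(), looks_like_qr_lure(data), pdf_features(data)["uris"]))
    return results


def build_sample_email():
    """Constructed payroll-themed lure carrying both attachments."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Updated salary statement - action required"
    msg.set_content("Please scan the code in the attached document to confirm your details.")
    msg.add_attachment(QR_ONLY_PDF, maintype="application", subtype="pdf", filename="Salary_Update.pdf")
    msg.add_attachment(TEXT_LINK_PDF, maintype="application", subtype="pdf", filename="Benefits.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, suspect, uris in triage_message(build_sample_email()):
        print(name, "SUSPECT" if suspect else "ok", uris)
```

The point of the contrast is that the benign PDF yields a URL a filter can check against reputation lists, while the lure yields none; an image-only attachment arriving with an HR-themed subject is therefore worth routing to a scanner that actually decodes QR codes rather than being passed on because it contained "no links".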
How to Protect Against Quishing
Sophos X-Ops researchers recommend the following steps to guard against quishing:
- Scrutinize HR-related emails: Emails about salaries, benefits, or internal updates are prime targets for social engineering. Avoid scanning QR codes from such emails without verifying their authenticity.
- Secure QR code scanning: Solutions like Sophos Intercept X for Mobile can identify phishing URLs embedded in QR codes.
- Monitor login activity: Use identity management tools to flag unusual or risky sign-ins.
- Enable Conditional Access: Control access based on device status, location, and activity risk.
- Detailed logging and monitoring: Sign-in and access logs that record the source IP, device, location and MFA result of each session make it possible to track access patterns and identify suspicious activity.
- Deploy email filtering: Tools like Sophos’ QR code phishing protection detect fraudulent QR codes in emails. Updates in 2025 will extend this to attachments.
- Train employees to report anomalies: Prompt reporting helps mitigate risks before they escalate.
- Revoke suspicious sessions: Have a process for terminating access to accounts showing signs of compromise, including revoking active sessions and refresh tokens, since a password reset alone does not invalidate a session an attacker has already captured.
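The login-monitoring, logging and session-revocation recommendations above come down to one detection question: which MFA-satisfied sign-ins were actually made by a phishing proxy replaying the victim's session? The following added example (written for this article, not Sophos's or any vendor's tooling) runs two simple heuristics over constructed sign-in events, a successful MFA sign-in from a device the user has never used, and a change of country within a short window of an earlier sign-in, and returns the session IDs a revocation process should terminate. The JSON field names are an assumption modelled loosely on an identity provider's sign-in export, not any real product's schema; a real deployment would read its own log export and call the provider's session-revocation API with the returned IDs.

```python
import json
from datetime import datetime, timedelta

# Constructed sign-in events as JSON lines. Field names are assumptions, not a
# vendor schema. "mfa": "satisfied" with an unknown device is what a relayed
# session from an adversary-in-the-middle phishing proxy looks like: the real
# user completed MFA, but the session is being used from the attacker's browser.
SAMPLE_LOG = """\
{"ts": "2024-11-04T08:02:11Z", "user": "alice@example.com", "ip": "203.0.113.10", "country": "GB", "device_id": "dev-alice-laptop", "mfa": "satisfied", "session_id": "s-100"}
{"ts": "2024-11-04T08:31:45Z", "user": "alice@example.com", "ip": "198.51.100.77", "country": "NG", "device_id": "dev-unknown-1", "mfa": "satisfied", "session_id": "s-101"}
{"ts": "2024-11-04T09:10:02Z", "user": "bob@example.com", "ip": "203.0.113.22", "country": "GB", "device_id": "dev-bob-phone", "mfa": "satisfied", "session_id": "s-102"}
{"ts": "2024-11-04T09:15:30Z", "user": "bob@example.com", "ip": "203.0.113.22", "country": "GB", "device_id": "dev-bob-phone", "mfa": "satisfied", "session_id": "s-103"}
{"ts": "2024-11-04T13:40:00Z", "user": "carol@example.com", "ip": "192.0.2.9", "country": "DE", "device_id": "dev-carol-laptop", "mfa": "satisfied", "session_id": "s-104"}
{"ts": "2024-11-05T07:55:19Z", "user": "carol@example.com", "ip": "198.51.100.80", "country": "DE", "device_id": "dev-unknown-2", "mfa": "satisfied", "session_id": "s-105"}
"""

# Constructed baseline: devices each user signed in from before this window.
KNOWN_DEVICES = {
    "alice@example.com": {"dev-alice-laptop"},
    "bob@example.com": {"dev-bob-phone"},
    "carol@example.com": {"dev-carol-laptop"},
}

# Two sign-ins from different countries closer together than this are treated
# as impossible travel (tunable assumption).
TRAVEL_WINDOW = timedelta(hours=2)


def parse_events(text):
    """Parse JSON-lines sign-in events and return them in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def flag_sessions(events, known_devices):
    """Return {session_id: [reasons]} for sign-ins that look like a replayed
    session: MFA satisfied from a never-seen device, or a country change
    within TRAVEL_WINDOW of the user's previous sign-in."""
    flagged = {}
    last_seen = {}  # user -> (timestamp, country) of the previous sign-in
    for ev in events:
        user, reasons = ev["user"], []
        if ev["mfa"] == "satisfied" and ev["device_id"] not in known_devices.get(user, set()):
            reasons.append("mfa satisfied from unknown device %s" % ev["device_id"])
        prev = last_seen.get(user)
        if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] <= TRAVEL_WINDOW:
            reasons.append("country changed %s -> %s within %s" % (prev[1], ev["country"], TRAVEL_WINDOW))
        if reasons:
            flagged[ev["session_id"]] = reasons
        last_seen[user] = (ev["ts"], ev["country"])
    return flagged


def sessions_to_revoke(flagged):
    """Session IDs to hand to the identity provider's revocation process."""
    return sorted(flagged)


if __name__ == "__main__":
    flagged = flag_sessions(parse_events(SAMPLE_LOG), KNOWN_DEVICES)
    for sid, reasons in flagged.items():
        print(sid, "; ".join(reasons))
    print("revoke:", sessions_to_revoke(flagged))
```

On the sample data only two sessions are flagged: Alice's second sign-in trips both rules (unknown device and a GB to NG change within half an hour), while Carol's next-day sign-in trips only the unknown-device rule because the country did not change. Bob's two sign-ins from his known phone are left alone, which is the behaviour you want from a rule that will otherwise drown the SOC in noise.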
Andrew Brandt highlighted the need for vigilance, noting that “the quality of emails, attachments and QR code graphics” continues to improve, making quishing attacks harder to detect.
Mobile devices remain the weak point these attacks exploit. Companies need the right tools, clear security policies, and reliable security partners to stop quishing attempts before they succeed.