Wave of “QR Phishing” Emails Targets Microsoft 365 Users

By Ash K
News • Expert Insights

Attackers embed QR codes in PNG images to evade text/URL scanning and redirect victims to credential-harvesting pages.

TL;DR

  • Emails contain PNG images with QR codes that open spoofed Microsoft 365 login pages on mobile devices.
  • Campaigns use geo-aware redirectors and single-use links to reduce detection.
  • Recommended actions: block image-embedded QR codes, enforce phishing-resistant MFA, and enable conditional access.

What’s happening

A growing “quishing” (QR phishing) trend is abusing the fact that many secure email gateways and anti-spam engines focus on scanning text and inline URLs. Attackers send brief messages such as “Action required: password expiration” with a branded PNG image. When the QR code is scanned on a phone, victims are sent through a short-lived redirector to a fake Microsoft 365 sign-in page hosted on compromised sites or newly registered domains.

Tactics & techniques

  • QR code lure: The URL lives only in the code, not the email body.
  • Mobile handoff: Scanning shifts the flow to a personal device that may lack enterprise protections.
  • Short-lived links: Single-use tokens and geo-IP checks frustrate sandboxing and takedown.
  • MFA fatigue follow-up: Some victims are spammed with push prompts after credential capture.

Risk & impact

Successful credential capture can lead to mailbox rules for persistence, internal BEC attempts, and lateral movement into cloud apps via OAuth consent grants. Organizations without conditional access or phishing-resistant MFA face elevated risk.

Recommended mitigations

  1. Harden email controls: Flag or quarantine messages containing image-embedded QR codes from external senders.
  2. Phishing-resistant MFA: Prefer hardware security keys or platform authenticators (FIDO2/WebAuthn).
  3. Conditional access: Require compliant devices and block risky sign-ins; enforce location/device policies.
  4. User education: Train users to distrust QR codes in unsolicited messages and to browse directly to portals.
  5. Monitor mail rules: Alert on auto-forward/hidden rules and anomalous OAuth app grants.
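The first mitigation above can be approximated at the gateway before any QR decoding is done: the lure described in this article is an external message whose text carries no URL at all, while an inline image does. The following is an added illustration (not code from the article or from any vendor product) that scores a raw message on those structural traits using only the Python standard library; it does not decode the QR code itself (that would need a library such as pyzbar), and the PNG bytes, sender domains and internal-domain list are constructed placeholders.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Assumption: the organization's own sending domains (placeholder value).
INTERNAL_DOMAINS = {"corp.example"}
URGENCY_RE = re.compile(r"action required|password (?:expir|reset)|verify your account", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
TAG_RE = re.compile(r"<[^>]+>")

def triage_quishing(raw: bytes) -> dict:
    """Score one raw RFC 5322 message against the lure traits described in the article."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    external = sender.rpartition("@")[2].lower() not in INTERNAL_DOMAINS
    body = msg.get_body(preferencelist=("plain", "html"))
    text = TAG_RE.sub(" ", body.get_content()) if body else ""
    image_parts = sum(1 for p in msg.walk() if p.get_content_maintype() == "image")
    url_in_text = bool(URL_RE.search(text))
    short_body = len(text.split()) < 60
    urgency = bool(URGENCY_RE.search(text + " " + msg.get("Subject", "")))
    # Core quishing signal: an image is present but the text carries no URL,
    # so the only link the recipient can follow is inside the picture.
    score = external + 2 * (image_parts > 0 and not url_in_text) + short_body + urgency
    if external and score >= 4:
        verdict = "quarantine"
    elif score >= 3:
        verdict = "flag"
    else:
        verdict = "allow"
    return {"external": external, "image_parts": image_parts, "url_in_text": url_in_text,
            "short_body": short_body, "urgency": urgency, "score": score, "verdict": verdict}

def build_sample(sender: str, subject: str, text: str, inline_png: bool) -> bytes:
    """Construct a sample message; the PNG payload is a stub, not a real QR code."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", subject
    m.set_content(text)
    if inline_png:  # branded inline image, referenced by Content-ID as a lure would be
        m.add_related(b"\x89PNG\r\n\x1a\n<constructed stub>", maintype="image",
                      subtype="png", cid="<qr-code>", filename="signin.png")
    return m.as_bytes()

# Constructed samples: a quishing lure and a legitimate external newsletter.
PHISH = build_sample("IT Helpdesk <helpdesk@mail-notice.example>", "Action required: password expiration",
                     "Your password expires today. Scan the code below to keep access.", True)
NEWSLETTER = build_sample("news@vendor.example", "May product update",
                          "\n".join(["Here is this month's roundup of features and fixes."] * 8)
                          + "\nRead more: https://vendor.example/news", True)
```

Run it on an exported `.eml` by passing the file's bytes to `triage_quishing`; the thresholds are illustrative and should be tuned against your own mail flow.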

Example indicators (placeholders)

Replace these with verified indicators from your investigations.

malicious-qr-redirect[.]example
login-secure365[.]example
cdn-assets-qrcode[.]example

Disclosure: This article provides general security guidance and does not describe exploit code or operational instructions.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security solutions architecture.