New Wave of Quishing Attacks Using Weaponized QR Codes Targets Microsoft Users

In October 2025, a quishing (QR-code phishing) campaign began targeting Microsoft users, exploiting the trust people place in QR-code-driven authentication and device-pairing flows. The lure emails carry QR codes that, when scanned, start a chain that ends in the download of an infostealer binary.

The first signs of the attack were observed by analysts at Gen Threat Labs, who noticed unusual QR-code attachments in emails that appeared to come from Microsoft's Office 365 services. Victims who scanned the codes were redirected to a compromised Azure CDN node, which started the payload delivery sequence.

Attack Vectors and Execution

The campaign uses several lures. One is a phishing email styled as a Microsoft Teams alert that urges the recipient to scan a QR code to resolve a supposedly urgent security issue. Another poses as an enrollment notification promising "enhanced login protection" once the code is scanned. Because many organizations now enroll authenticator apps and pair devices by scanning a QR code, a request to scan one looks routine rather than suspicious.

The emails reproduce Microsoft's familiar logos and use correctly formatted links, which raises their perceived legitimacy and the campaign's success rate. The QR code resolves to a shortened URL that lands on a malicious redirector script. Before serving anything, the script fingerprints the visitor, checking the Windows locale and the installed Defender version, and only then delivers the packaged infostealer executable. One practical consequence is that an analysis environment with a non-targeted locale or an unexpected Defender build may receive a harmless response and never see the payload.

Infection Process

Once downloaded and run, the binary establishes persistence by creating a scheduled task named "MSAuthSync" that fires at every user logon. It then harvests credentials and system telemetry and exfiltrates them over HTTPS to attacker-controlled servers. The task name is the most convenient host-based indicator from this campaign: it imitates a Microsoft component, so it should be hunted for by name rather than assumed legitimate because it looks like one.
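As an added example (not code from the article or from Gen Threat Labs), the following Python script shows how a detection engineer might triage Windows Security event 4698 ("a scheduled task was created") records for the persistence described above. It flags the reported task name, and more generally any logon-triggered task that launches a binary from a user-writable path under a Microsoft-looking name. The sample events, the task folder names and the drop path `C:\Users\alice\AppData\Local\Temp\msauthsync.exe` are constructed for the example; the article does not state where the binary is written.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

KNOWN_BAD_TASKS = {"msauthsync"}          # task name reported for this campaign
MS_LOOKALIKE = re.compile(r"^(ms|microsoft|office|onedrive|teams|defender)", re.I)
# Locations a standard user can write to. Genuine Microsoft logon tasks run from
# System32 or Program Files, so a logon task launching from here is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)


def task_xml(command, logon=True):
    """Minimal Task Scheduler definition (constructed sample, not a captured file)."""
    trig = "LogonTrigger" if logon else "TimeTrigger"
    return (f'<Task xmlns="{TASK_NS[1:-1]}"><Triggers><{trig}><Enabled>true</Enabled>'
            f"</{trig}></Triggers><Actions><Exec><Command>{escape(command)}</Command>"
            "</Exec></Actions></Task>")


def event_4698(task_name, task_content):
    """Security event 4698 (scheduled task created) in wevtutil XML shape (constructed)."""
    return (f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>4698</EventID>'
            "<Channel>Security</Channel></System><EventData>"
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_content)}</Data></EventData></Event>')


def analyze_4698(xml_text):
    """Return the reasons a task-creation event resembles the MSAuthSync persistence."""
    ev = ET.fromstring(xml_text)
    if ev.findtext(f"{EVT_NS}System/{EVT_NS}EventID") != "4698":
        return []
    data = {d.get("Name"): (d.text or "") for d in ev.iter(f"{EVT_NS}Data")}
    full_name = data.get("TaskName", "")
    name = full_name.rsplit("\\", 1)[-1]
    # TaskContent carries the task definition as an escaped XML string.
    task = ET.fromstring(data.get("TaskContent") or "<Task/>")
    commands = [c.text or "" for c in task.iter(f"{TASK_NS}Command")]
    at_logon = task.find(f".//{TASK_NS}LogonTrigger") is not None
    from_user_path = any(USER_WRITABLE.search(c) for c in commands)

    reasons = []
    if name.lower() in KNOWN_BAD_TASKS:
        reasons.append(f"task name {name!r} matches the campaign indicator")
    if at_logon and from_user_path:
        reasons.append("logon trigger launches a binary from a user-writable path")
    if MS_LOOKALIKE.match(name) and from_user_path and not full_name.startswith("\\Microsoft\\"):
        reasons.append("Microsoft-looking task name registered outside the \\Microsoft\\ folder")
    return reasons


# Constructed sample events. The campaign task's drop path is hypothetical.
SAMPLES = {
    "campaign": event_4698(r"\MSAuthSync",
                           task_xml(r"C:\Users\alice\AppData\Local\Temp\msauthsync.exe")),
    "benign_ms": event_4698(r"\Microsoft\Windows\Sample\Maintenance",
                            task_xml(r"%SystemRoot%\System32\sample.exe", logon=False)),
    "lookalike_ok": event_4698(r"\OfficeSync",
                               task_xml(r"C:\Program Files\Contoso\officesync.exe")),
}


def analyze_all(samples=SAMPLES):
    """Run the triage over a mapping of label -> 4698 event XML."""
    return {label: analyze_4698(xml) for label, xml in samples.items()}


if __name__ == "__main__":
    for label, reasons in analyze_all().items():
        print(f"{label}: {reasons or 'no findings'}")
```

The name match is the high-confidence indicator; the two heuristics catch renamed variants but will also fire on legitimately installed software that registers logon tasks from `%ProgramData%`, so they are triage signals rather than blocking rules.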

The campaign's evasion trick lies in how the QR code is rendered. Instead of a single QR image, the code is split into two overlapping images drawn via PDF content streams, each using a nonstandard color palette. A standard decoder that extracts embedded images one at a time, or that expects black modules on white, sees only a fragment of the code and fails, while a custom parser that recombines the image layers recovers a decodable code.

Evading Detection

Splitting the QR image lets the weaponized code pass both static antivirus signatures and a cursory visual inspection, which argues for layered analysis of attachments. Security teams that want to catch it should render the PDF page, flatten all overlapping layers into one bitmap and threshold by luminance before decoding, rather than decoding each extracted image object on its own.
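As an added example for the two preceding sections (this is not the attackers' generator nor Gen Threat Labs' parser), the Python below models the split-layer problem on a module grid and shows why per-layer decoding fails while flattening succeeds. Assumptions: the page has already been rasterized and downsampled to one pixel per module (in practice a renderer such as `pdftoppm` would produce the layers); the attacker spreads the dark modules across two layers in a checkerboard and paints them dark blue and dark red, which is an illustrative choice rather than the observed palette; and the sample grid has genuine finder and timing patterns but a synthetic data region, so it exercises the recombination and structural check rather than a full decode.

```python
from itertools import product

DARK_LUMA = 128          # pixels darker than this count as a dark module
WHITE = (255, 255, 255)

# Standard 7x7 QR finder pattern (1 = dark module).
FINDER = [
    [1, 1, 1, 1, 1, 1, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 1, 1],
]


def luma(rgb):
    """Rec. 601 luminance; lets us threshold non-black palettes."""
    r, g, b = rgb
    return 0.299 * r + 0.587 * g + 0.114 * b


def is_function_module(x, y, n):
    """Finder/separator/format zones and the two timing lines."""
    return ((x < 9 and y < 9) or (x >= n - 8 and y < 9) or (x < 9 and y >= n - 8)
            or x == 6 or y == 6)


def build_sample_grid(n=21):
    """Version-1-sized grid with valid finder and timing patterns. The data
    region is filled deterministically and is NOT a real encoding (constructed)."""
    grid = [[0] * n for _ in range(n)]
    for top, left in ((0, 0), (0, n - 7), (n - 7, 0)):
        for dy, dx in product(range(7), repeat=2):
            grid[top + dy][left + dx] = FINDER[dy][dx]
    for i in range(8, n - 8):                 # timing patterns: dark on even indices
        grid[6][i] = grid[i][6] = 1 - (i % 2)
    for y, x in product(range(n), repeat=2):
        if not is_function_module(x, y, n):
            grid[y][x] = 1 if (7 * x + 13 * y) % 3 == 0 else 0
    return grid


def split_into_layers(grid, palette=((0, 0, 128), (128, 0, 0))):
    """Mimic the evasion: dark modules are spread over two overlapping images in
    non-black colours. The first image carries the white background; the second
    is transparent (None) except for its own modules. Checkerboard split is an
    assumption for illustration."""
    n = len(grid)
    base = [[WHITE] * n for _ in range(n)]
    overlay = [[None] * n for _ in range(n)]
    for y, x in product(range(n), repeat=2):
        if grid[y][x]:
            if (x + y) % 2 == 0:
                base[y][x] = palette[0]
            else:
                overlay[y][x] = palette[1]
    return base, overlay


def recombine(layers):
    """Flatten the layers: a module is dark if ANY layer paints it dark."""
    n = len(layers[0])
    grid = [[0] * n for _ in range(n)]
    for layer in layers:
        for y, x in product(range(n), repeat=2):
            px = layer[y][x]
            if px is not None and luma(px) < DARK_LUMA:
                grid[y][x] = 1
    return grid


def looks_like_qr(grid):
    """Structural check before handing the grid to a real decoder: a legal
    size, three finder patterns and intact timing lines."""
    n = len(grid)
    if n < 21 or (n - 21) % 4:
        return False
    for top, left in ((0, 0), (0, n - 7), (n - 7, 0)):
        if any(grid[top + dy][left + dx] != FINDER[dy][dx]
               for dy, dx in product(range(7), repeat=2)):
            return False
    return all(grid[6][i] == grid[i][6] == 1 - (i % 2) for i in range(8, n - 8))


def to_pbm(grid):
    """Plain PBM (P1) text, 1 = black, for any decoder that accepts PBM input."""
    n = len(grid)
    rows = "\n".join(" ".join(str(m) for m in row) for row in grid)
    return f"P1\n{n} {n}\n{rows}\n"


if __name__ == "__main__":
    original = build_sample_grid()
    base, overlay = split_into_layers(original)
    print("# base layer alone passes check:", looks_like_qr(recombine([base])))
    print("# both layers flattened pass check:", looks_like_qr(recombine([base, overlay])))
    print(to_pbm(recombine([base, overlay])), end="")   # redirect to a .pbm file
```

The key design point is the union in `recombine`: each layer contributes only the modules it paints, and thresholding on luminance rather than on pure black is what defeats the nonstandard palette. Either layer on its own breaks the finder patterns, which is exactly why a scanner that decodes extracted image objects separately reports nothing.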

That the attackers built a dedicated QR generator for this shows how much effort goes into defeating automated scanning, and how quickly the tooling adapts once a detection catches on.

Preventive Measures

Organizations and individuals can take several steps to protect against this type of quishing attack:

  • Use email filtering that decodes QR codes found in images and PDF attachments, including codes split across layers, and follows the resulting URLs before delivery.
  • Educate employees that an emailed QR code asking them to "fix" an account or enable extra protection is a phishing pattern, and that unknown QR codes should not be scanned.
  • Prefer phishing-resistant multi-factor authentication, and never treat a QR-code scan alone as proof that an authentication or enrollment request is genuine.
  • Hunt for the persistence artifact: a scheduled task named "MSAuthSync" that runs at logon, and investigate the outbound HTTPS traffic of the binary it launches.
  • Keep software updated and patched, and run routine security audits and penetration tests to find weaknesses before attackers do.

Conclusion

This recent attack campaign highlights a growing trend in the cybercrime landscape, where traditional phishing techniques are being enhanced with technological innovations like QR codes. As attackers develop more sophisticated methods, organizations must stay vigilant and proactive in their defenses, continually adapting to new threats.

By fostering awareness and deploying comprehensive security measures, users can mitigate the risks posed by these advanced quishing attacks, safeguarding their data and systems from exploitation.