QR Code Quishing Attack: Microsoft Users Targeted


Microsoft users are being targeted by a quishing attack that delivers weaponized QR codes through phishing emails.

This threat, which first surfaced in early October 2025, exploits users’ trust in QR-based authentication and device-pairing processes to trick them into scanning codes that deliver infostealer binaries.

Gen Threat Labs experts discovered unusual QR attachments that impersonate Microsoft branding in business Office 365 notifications.

Recipients who scanned the codes were sent to a compromised Azure CDN node hosting a staged payload delivery sequence.


Researchers have identified several infection vectors since the campaign first appeared. One is a phishing email, posing as a Microsoft Teams alert, that instructs users to scan a QR code in order to fix an urgent security issue.

Gen Threat Labs researchers noted that victims saw familiar Microsoft logos and correctly formatted links, increasing the campaign’s reach and success rate.

The impact spans credential theft and system compromise. Once the QR code is scanned, victims receive a short URL that resolves to a malicious redirector script.

A second lure poses as a Microsoft Authenticator enrollment prompt that offers “enhanced login protection” once scanned. These lures look authentic at first glance because many companies promote QR-based multi-factor setup.


This script checks the Windows locale, the installed Defender version, and sandbox indicators before downloading a Packaged Infostealer (PI) executable.


The executable establishes persistence by creating a scheduled task named “MSAuthSync” that runs at every user login. Host telemetry and harvested credentials are then exfiltrated to attacker-controlled endpoints over HTTPS.
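A defender can hunt for this persistence with PowerShell. The script below is an added example and not code from Gen Threat Labs: it lists logon-triggered scheduled tasks and flags the reported name “MSAuthSync”, plus any logon task that executes from a user-writable directory or with download-style arguments (the article does not give the binary’s path, so those two heuristics are assumptions).

```powershell
# Added hunting example for the persistence described in the article; not from Gen Threat Labs.
# Flags logon-triggered tasks named "MSAuthSync" (reported IoC) and, as an assumption,
# any logon task that runs from a user-writable path or carries download-style arguments.
$suspectNames = @('MSAuthSync')
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, 'C:\Users\')

$findings = foreach ($task in Get-ScheduledTask) {
    # Only tasks that fire at user login match the described behaviour
    $logonTriggers = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
    if ($logonTriggers.Count -eq 0) { continue }

    foreach ($action in $task.Actions) {
        # Expand %VAR% references so the path comparison sees the real location
        $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
        $argText = "$($action.Arguments)"
        $reasons = @()
        if ($suspectNames -contains $task.TaskName) { $reasons += 'matches reported task name' }
        if ($userWritable | Where-Object { $_ -and $exe -like "$_*" }) { $reasons += 'runs from user-writable path' }
        if ($argText -match '(?i)-enc|downloadstring|invoke-webrequest|bitsadmin') { $reasons += 'suspicious arguments' }
        if ($reasons.Count -eq 0) { continue }

        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskName  = $task.TaskName
            TaskPath  = $task.TaskPath
            Author    = $task.Author
            Execute   = $exe
            Arguments = $argText
            LastRun   = $info.LastRunTime
            Reasons   = ($reasons -join '; ')
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it elevated so tasks registered by other users and SYSTEM are visible; review each hit against its Author and LastRun before acting.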


Infection Mechanism

The QR code AV-evasion technique used in this quishing attack is a significant advance. Instead of encoding a single QR image, the malware splits the code into two overlapping images built from PDF content streams.

Typical QR decoders ignore nonstandard color palettes and split segments, whereas the custom parser recombines the image layers before decoding.

The Python snippet that follows shows how a defender could read and rebuild such split QR codes:

from PIL import Image
import zbarlight

# Load the two image layers
layer1 = Image.open('qr_part1.png').convert('RGB')
layer2 = Image.open('qr_part2.png').convert('RGB')
if layer1.size != layer2.size:
    raise ValueError('layers must have identical dimensions')

# Recombine by taking the brighter pixel from each layer
# (the right merge rule depends on how the layers were split; try the darker
# pixel instead if the merged image does not decode)
merged = Image.new('RGB', layer1.size)
pixels1, pixels2 = layer1.load(), layer2.load()
for x in range(layer1.width):
    for y in range(layer1.height):
        pixel = pixels1[x, y] if sum(pixels1[x, y]) > sum(pixels2[x, y]) else pixels2[x, y]
        merged.putpixel((x, y), pixel)

# Decode the merged QR code; scan_codes returns None when nothing decodes
codes = zbarlight.scan_codes(['qrcode'], merged)
if not codes:
    raise SystemExit('no QR code found in merged image')
print('Decoded URL:', codes[0].decode())

This technique shows how weaponized QR images can evade both static AV signatures and casual visual inspection, underscoring the need for layered analysis of modern phishing attempts.

About the Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
