New QR Code-Based Quishing Attack Targets Microsoft Users


A quishing (QR-code phishing) campaign has been uncovered that targets Microsoft users with what look like routine document-review requests.

The lure evades antivirus engines and PDF scanners through three evasion tricks: the QR code is split into two separate image objects, it is rendered in a non-standard colour palette, and, in place of an embedded image, the modules are drawn directly with PDF content-stream operators. Scanners that look for a single black-and-white QR image therefore find nothing to decode.

This new wave of quishing underscores the evolving threat landscape and highlights the need for heightened user vigilance when interacting with digital documents.

The campaign begins with a phishing email that appears to come from DocuSign, informing recipients they have received a document to review and sign.

The PDF delivered with the email renders the QR code in an eye-catching but non-standard colour palette rather than the usual black on white. The colouring blends into the document's design, and it also defeats scanner heuristics that expect high-contrast black modules, while a phone camera still decodes the code as long as the dark and light modules contrast sufficiently.

Analysis reveals the QR code is not a single raster image but is instead partitioned into two image objects within the PDF file. Each half of the code is rendered independently, then positioned to appear as one cohesive QR pattern when viewed.

The split defeats scanners that extract each embedded image and run a QR decoder over it: each half on its own is not a valid QR code, so the file looks like a document containing two harmless pictures.

Furthermore, instead of embedding the QR code as an image at all, the attackers draw the QR modules programmatically with PDF content-stream operators, issuing a drawing instruction for each module, typically a small filled rectangle.

Because the page is assembled from hundreds of tiny drawing instructions rather than from a recognisable image file, there is nothing for an image-extraction step to pull out.

A PDF viewer and a phone camera render and decode the code exactly as intended, while scanners that only inspect extracted images never see a QR code. The result is a resilient delivery mechanism that slips past many PDF security filters undetected.

The Attack Workflow and Payload Delivery

Once a user scans the deceptive QR code with a smartphone or tablet, they are redirected to a counterfeit Microsoft login page hosted on a domain designed to mimic the official Microsoft portal.

The page features a polished interface with legitimate Microsoft branding, requesting users to enter their credentials for “secure document access.” Captured credentials are exfiltrated in real time, enabling threat actors to gain unauthorized entry to corporate email, OneDrive documents, and other Microsoft cloud services.

After the credentials are stolen, attackers may try to get past multifactor authentication by repeatedly triggering push-notification prompts until the victim approves one (MFA fatigue), and then alter account settings, such as the registered authentication methods, to keep their access.

Additionally, compromised accounts are used to propagate further phishing messages internally, leveraging the trust within the organization to launch subsequent social engineering attacks.

In some cases, exfiltrated data is monetized on dark web marketplaces, while other campaigns pivot to deploying ransomware payloads or data-scraping malware within the victim’s network.

Mitigations

Defending against this new quishing threat requires a combination of technical controls, user awareness training, and robust incident response planning.

Organizations should enforce PDF scanning policies that include content-stream analysis capable of detecting QR codes drawn with vector drawing operators rather than embedded as images.

Advanced threat protection solutions must be configured to scrutinize PDF rendering commands, flagging anomalies such as multiple image objects positioned to form a single QR code. The most robust check is to rasterize each page and run a QR decoder over the rendered bitmap, because that sees exactly what the phone camera sees regardless of how the code was drawn.
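The following Python is an added example for the technique described in this article and for the two scanning mitigations above; it is not code from the report, from Microsoft, or from any scanning product. It walks a decoded PDF content stream and applies two checks: a lattice of equal filled squares that would be a QR code drawn with vector operators, and several image XObjects placed edge to edge whose union is square. The operator names (`q`, `Q`, `cm`, `rg`, `re`, `f`, `Do`) are standard PDF; the sample streams, the module pattern, the colour threshold and the size thresholds (at least 100 modules, a 21-module minimum grid, a 10 % squareness tolerance) are constructed for the example and are assumptions, not values taken from the campaign.

```python
# Added example: heuristics for QR codes hidden in PDF page content streams (stdlib only).
import re
from collections import Counter
from dataclasses import dataclass, field

NUMBER = re.compile(r"^[-+]?(\d+\.?\d*|\.\d+)$")
IDENTITY = (1.0, 0.0, 0.0, 1.0, 0.0, 0.0)


@dataclass
class Findings:
    rects: list = field(default_factory=list)    # filled (x, y, w, h), user space
    fill_rgb: tuple = (0.0, 0.0, 0.0)            # last non-stroking colour set
    images: list = field(default_factory=list)   # (name, x, y, w, h) of placed XObjects


def multiply(m, n):
    """Compose PDF matrices (a b c d e f); m is applied before n."""
    (a1, b1, c1, d1, e1, f1), (a2, b2, c2, d2, e2, f2) = m, n
    return (a1 * a2 + b1 * c2, a1 * b2 + b1 * d2, c1 * a2 + d1 * c2,
            c1 * b2 + d1 * d2, e1 * a2 + f1 * c2 + e2, e1 * b2 + f1 * d2 + f2)


def parse_content_stream(stream: str) -> Findings:
    """Minimal operator walk over a decoded stream; rectangles stay in user space (no CTM)."""
    out, operands, pending, stack, ctm = Findings(), [], [], [], IDENTITY
    for tok in stream.split():
        if NUMBER.match(tok) or tok.startswith("/"):
            operands.append(tok)
            continue
        if tok == "q":
            stack.append(ctm)
        elif tok == "Q":
            ctm = stack.pop() if stack else IDENTITY
        elif tok == "cm" and len(operands) >= 6:
            ctm = multiply(tuple(map(float, operands[-6:])), ctm)
        elif tok == "rg" and len(operands) >= 3:
            out.fill_rgb = tuple(map(float, operands[-3:]))
        elif tok == "re" and len(operands) >= 4:
            pending.append(tuple(map(float, operands[-4:])))
        elif tok in ("f", "F", "f*", "B", "B*", "b", "b*"):
            out.rects.extend(pending)          # current path painted with a fill
            pending = []
        elif tok in ("n", "S", "s"):
            pending = []                       # stroked or discarded, never filled
        elif tok == "Do" and operands:
            a, b, c, d, e, f = ctm             # image unit square -> page via CTM
            out.images.append((operands[-1], e, f, abs(a), abs(d)))
        operands = []
    return out


def vector_qr(findings: Findings, min_modules: int = 100):
    """A QR painted with rectangles: many equal squares on a square lattice."""
    rects = findings.rects
    if len(rects) < min_modules:
        return None
    (w, h), n = Counter((round(r[2], 2), round(r[3], 2)) for r in rects).most_common(1)[0]
    if w != h or w <= 0 or n < 0.9 * len(rects):
        return None
    x0, y0 = min(r[0] for r in rects), min(r[1] for r in rects)
    cols = max(round((r[0] - x0) / w) for r in rects) + 1
    rows = max(round((r[1] - y0) / h) for r in rects) + 1
    if abs(cols - rows) > 1 or cols < 21:          # version 1 QR is 21x21 modules
        return None
    return {"modules": n, "grid": cols, "module_size": w,
            "non_standard_colour": max(findings.fill_rgb) > 0.25}   # 0.25: assumed threshold


def touches(a, b, tol=0.5):
    return not (a[2] < b[0] - tol or b[2] < a[0] - tol or a[3] < b[1] - tol or b[3] < a[1] - tol)


def split_image_qr(findings: Findings):
    """Two or more images placed edge to edge whose union is roughly square."""
    groups = []                                    # greedy grouping; enough for a sample
    for _, x, y, w, h in findings.images:
        box = (x, y, x + w, y + h)
        for g in groups:
            if any(touches(box, o) for o in g):
                g.append(box)
                break
        else:
            groups.append([box])
    for g in [g for g in groups if len(g) >= 2]:
        x0, y0 = min(b[0] for b in g), min(b[1] for b in g)
        x1, y1 = max(b[2] for b in g), max(b[3] for b in g)
        if abs((x1 - x0) - (y1 - y0)) <= 0.1 * max(x1 - x0, y1 - y0):
            return {"pieces": len(g), "bbox": (x0, y0, x1, y1)}
    return None


def constructed_vector_stream(size=25, module=4.0, x0=100, y0=500) -> str:
    """Constructed sample: 25x25 pseudo-QR pattern, dark blue, drawn with re/f."""
    ops = ["q", "0.10 0.35 0.60 rg"]
    for row in range(size):
        for col in range(size):
            if (7 * col + 3 * row) % 5 < 3:        # arbitrary module pattern
                ops.append(f"{x0 + col * module:g} {y0 + row * module:g} {module:g} {module:g} re")
        ops.append("f")
    return "\n".join(ops + ["Q"])


# Constructed sample: a logo, then a QR split into two 60x120 halves placed side by side.
SPLIT_IMAGE_STREAM = """q 200 0 0 50 100 740 cm /Logo Do Q
q 60 0 0 120 100 600 cm /Im1 Do Q
q 60 0 0 120 160 600 cm /Im2 Do Q"""
```

Run `vector_qr(parse_content_stream(constructed_vector_stream()))` and `split_image_qr(parse_content_stream(SPLIT_IMAGE_STREAM))` to see both detections fire. Real content streams are usually Flate-compressed, so a PDF library must decode them before this walk; the parser also leaves rectangles in user space and groups images greedily, so treat it as a triage heuristic beside the rasterize-and-decode check, not as a replacement for it.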

On the user side, Microsoft customers should be trained to verify QR code sources before scanning and to cross-check any unexpected document requests through alternative channels. Encouraging the use of official document portals directly—rather than QR-scanned links—can minimize exposure to manipulated QR codes.

Multifactor authentication should be enforced across all accounts, preferring phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys over SMS codes and simple push approvals. Those methods resist this attack because the credential is bound to the legitimate origin, so a look-alike login page cannot obtain anything it can replay; a biometric unlock on its own adds convenience, not phishing resistance.

In parallel, security teams need to monitor for anomalous login attempts and domain registrations that closely resemble legitimate Microsoft endpoints.

Rapid takedown procedures for fraudulent domains, including abuse reports to registrars and hosting providers, can significantly reduce the window of opportunity for attackers.

Proactive threat hunting and intelligence sharing—especially regarding indicators of compromise found in quishing payloads—will further strengthen organizational resilience.

As quishing techniques continue to advance, combining evasion methods with deceptive branding, vigilance remains essential. Users and security teams alike must adopt layered defenses to counter weaponized QR codes and protect Microsoft accounts and the data behind them.





About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.