Hackers Using Malicious Imageless QR Codes to Render Phishing Attack Via HTML Table

A recent phishing campaign is abusing QR codes in a new way, turning simple HTML tables into working codes that redirect users to malicious sites.

Instead of embedding a QR image in the email body, the attackers build the code from hundreds of tiny table cells, each styled as black or white.

The result still scans like a normal QR code, but many email defenses fail to treat it as an image.

The messages, seen between December 22 and December 26, follow a minimal design: a short lure text and a single “squished” QR code block that urges the victim to scan it.

Each QR code redirects to subdomains of lidoustoo[.]click, often using the recipient’s own domain name in the URL path to look more convincing, such as hxxps[:]///. This structure helps the link appear less suspicious at a glance.

Internet Storm Center researchers noted that the QR itself is rendered purely through HTML, using a table made of 4×4 pixel cells with black and white background colors.

Malicious Imageless QR Code (Source - Internet Storm Center)

This approach bypasses many QR inspection engines, which are tuned to scan actual image attachments or inline image data. The email HTML, however, looks like harmless layout markup to simple content filters.

In one captured sample, the QR is created using code similar to the snippet below, which defines a dense matrix of cells to encode the pattern:

Detection Evasion Through HTML Table-Based QR Codes

This imageless QR technique exploits a blind spot in many secure email gateways.

Tools that can decode QR images do not always inspect HTML tables as potential graphical structures, so the malicious pattern slips past QR-focused checks.

At the same time, content filters see only standard tags and color attributes, not obvious phishing keywords or image hashes.

For defenders, the campaign is a reminder that protections cannot rely only on how threats “usually” look. Secure email filters must treat dense table grids as possible QR renderings, apply DOM-aware analysis, and flag unusual external redirects.
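One way a filter could implement the dense-table check described above, as an added example (not code from the captured sample or from Internet Storm Center). The function names, the 21-module minimum (the size of the smallest QR symbol) and the two-colour, near-square thresholds are assumptions chosen for illustration; the sample grid is constructed and is not a scannable QR code.

```python
import re
from html.parser import HTMLParser

MIN_MODULES = 21  # assumption: smallest QR symbol (version 1) is 21x21 modules

def cell_colour(attrs):
    """Background colour from inline CSS or the bgcolor attribute, lowercased."""
    style = attrs.get("style") or ""
    m = re.search(r"background(?:-color)?\s*:\s*([^;]+)", style, re.I)
    return (m.group(1) if m else attrs.get("bgcolor") or "").strip().lower()

class TableGrid(HTMLParser):
    """Collects each <table> as rows of cell background colours."""
    def __init__(self):
        super().__init__()
        self.done, self.open = [], []  # finished tables / stack of nested ones

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self.open.append([])
        elif tag == "tr" and self.open:
            self.open[-1].append([])
        elif tag in ("td", "th") and self.open and self.open[-1]:
            self.open[-1][-1].append(cell_colour(dict(attrs)))

    def handle_endtag(self, tag):
        if tag == "table" and self.open:
            self.done.append(self.open.pop())

def find_qr_like_tables(html):
    """Return (rows, cols) for every table that looks like a rendered QR grid."""
    parser = TableGrid()
    parser.feed(html)
    parser.close()
    hits = []
    for table in parser.done + parser.open:  # include tables left unclosed
        rows = [r for r in table if r]
        widths = {len(r) for r in rows}       # a grid has one uniform row width
        colours = {c for r in rows for c in r}
        if (len(rows) >= MIN_MODULES and len(widths) == 1
                and abs(len(rows[0]) - len(rows)) <= 2 and len(colours) == 2):
            hits.append((len(rows), len(rows[0])))
    return hits

def sample_grid(n=25):
    """Constructed sample: n x n table of 4x4 px cells, arbitrary two-colour pattern."""
    cell = '<td width="4" height="4" bgcolor="{}"></td>'
    rows = ("<tr>" + "".join(cell.format("#000000" if (r * c + r) % 3 == 0 else "#ffffff")
                              for c in range(n)) + "</tr>" for r in range(n))
    return "<table>" + "".join(rows) + "</table>"
```

A hit is only a signal that the message contains a table worth rasterizing and passing to a QR decoder; the decoded URL still needs the same reputation and redirect checks as any other link.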

In parallel, users should be trained that scanning QR codes from unsolicited emails is as risky as clicking unknown links, even when the code looks simple and clean.
