Threat actors are continuing to refine “quishing” phishing delivered through QR codes by shifting from traditional image-based payloads to “imageless” QR codes rendered directly in email HTML, a tactic designed to sidestep security tools that focus on decoding QR images.
QR code abuse is not new, but it remains effective because the user experience is frictionless: a quick scan launches a browser session on a mobile device, often outside the protected boundary of corporate endpoints and email inspection workflows.
Cloudflare notes that QR phishing frequently bypasses conventional defenses because many controls are tuned to inspect text, links, and attachments while QR codes often arrive as images that appear “meaningless” until decoded.
In the latest twist, defenders’ progress on scanning and extracting URLs from QR images is being met with an evasion technique that removes the “image” component entirely.
Instead of embedding a PNG or JPEG, attackers construct a QR code using an HTML table composed of hundreds (or thousands) of tiny cells, each assigned a black or white background color.
Proofpoint similarly highlights that QR codes hide URLs from quick visual inspection, rely on user trust, and make traditional link-based inspection less reliable.
Imageless QR Codes in Phishing Attacks
To the recipient, the result still looks like a QR code sometimes slightly distorted or “squished” depending on the email client’s rendering but the email may not contain a conventional image object for scanners to analyze.
This matters because many QR-focused detections are implemented as image analysis pipelines: detect an image, locate a QR pattern, decode it, then evaluate the extracted URL.
In an imageless, table-rendered approach, there may be no discrete bitmap for those pipelines to ingest.
Even advanced defenses that do decode QR codes from images must still reliably identify that a QR code is present in the first place, and that signal can weaken when the “pixels” are delivered as HTML layout elements.
Researchers analyzing a late-December phishing run reported that the emails were minimal a few lines of social-engineering text plus a QR code and that scanning the QR codes led victims to credential-harvesting infrastructure hosted on attacker-controlled domains.
The landing URLs were also tailored to recipients, a typical phishing pattern that can complicate reputation-based detections and incident scoping.
Defenders recommend treating QR-based lures as first-class phishing indicators, regardless of whether the QR appears as an image.
Future of QR Code Security
In practice, that means tightening controls that look beyond embedded graphics: flagging unusual HTML constructs (such as dense tables of tiny colored cells), correlating suspicious QR-themed language with sender reputation, and enforcing strong authentication on any logins initiated from mobile browsers.
Proofpoint emphasizes the importance of pre-delivery blocking and layered inspection including extracting encoded URLs and sandboxing them rather than relying only on post-delivery cleanup after users may have already interacted.
Cloudflare also advises users to verify destinations and avoid entering credentials after navigating via QR code, since the “trap” often springs only after the scan resolves to a malicious site.
The broader takeaway is familiar: phishing is a socio-technical problem, and attackers will keep probing assumptions baked into defensive tooling.
As imageless QR codes demonstrate, it’s not enough to scan what looks risky defenders also need to anticipate how “risky” content can be represented in ways that controls may not expect.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.