New Quishing Attack With Weaponized QR Code Targeting Microsoft Users


Microsoft users are facing a novel quishing campaign that leverages weaponized QR codes embedded in malicious emails.

Emerging in early October 2025, this attack exploits trust in QR-based authentication and device pairing workflows, tricking targets into scanning codes that deliver infostealer binaries.

Initial reports surfaced when Gen Threat Labs analysts noted anomalous QR attachments spoofing Microsoft branding within corporate Office 365 notifications.

Recipients who scanned the codes were redirected to a compromised Azure CDN node hosting a staged payload delivery sequence.

Following its emergence, researchers identified multiple infection vectors. One involves a phishing email purporting to be a Microsoft Teams alert, instructing users to scan a QR code to resolve an urgent security issue.

Another impersonates a Microsoft Authenticator enrollment prompt, promising “enhanced login protection” upon scanning. Because many organizations encourage QR-based multi-factor setup, these lures appear legitimate at first glance.


Gen Threat Labs researchers noted that victims saw familiar Microsoft logos and correctly formatted links, increasing the campaign’s reach and success rate.

The impact spans credential theft and system compromise. Once the QR code is scanned, victims receive a short URL that resolves to a malicious redirector script.

This script performs environmental checks (verifying the Windows locale, installed Defender versions, and sandbox indicators) before downloading a Packaged Infostealer (PI) executable.

This binary establishes persistence by creating a scheduled task named “MSAuthSync,” ensuring execution at each user logon. Extracted credentials and host telemetry are exfiltrated over HTTPS to attacker-controlled endpoints.

Infection Mechanism

A key innovation in this quishing attack is its QR code AV evasion technique. Rather than embedding a single QR image, the malware splits the code into two overlapping images drawn via PDF content streams.

Standard QR decoders ignore nonstandard color palettes and split segments, but the custom parser recombines image layers before decoding.

The following Python snippet illustrates how a defender might reconstruct and decode such split QR codes:

from PIL import Image
import zbarlight


def merge_layers(path1, path2):
    """Recombine two QR layers by keeping the brighter pixel at each position."""
    layer1 = Image.open(path1).convert('RGB')
    layer2 = Image.open(path2).convert('RGB')
    if layer1.size != layer2.size:
        raise ValueError('QR layers must have identical dimensions')
    merged = Image.new('RGB', layer1.size)
    pixels1, pixels2 = layer1.load(), layer2.load()
    for x in range(layer1.width):
        for y in range(layer1.height):
            # Brightness is approximated by the channel sum; the lighter pixel wins
            pixel = pixels1[x, y] if sum(pixels1[x, y]) > sum(pixels2[x, y]) else pixels2[x, y]
            merged.putpixel((x, y), pixel)
    return merged


# Load and recombine the two image layers
merged = merge_layers('qr_part1.png', 'qr_part2.png')

# Decode the merged QR code; scan_codes returns None when nothing is recognised
codes = zbarlight.scan_codes(['qrcode'], merged)
if codes:
    print('Decoded URL:', codes[0].decode())
else:
    print('No QR code recognised in the merged image')

This approach highlights how weaponized QR images can evade both static AV signatures and naive visual inspections, underscoring the need for layered analysis in modern phishing campaigns.
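Before any decoding, a defender can also flag the delivery trick itself: a PDF page whose content stream draws two image XObjects over the same area. The following check is an added example, not code from the original article or from Gen Threat Labs; it assumes the page's content stream has already been extracted and decompressed (for instance with a PDF library), and the sample stream it scans is constructed for illustration.

```python
import re
from typing import List, Tuple

# The common idiom for placing an image in a PDF content stream is
#   q  a b c d e f cm  /ImN Do  Q
# where, for an unrotated image, a = width, d = height and (e, f) is the lower-left corner.
IMAGE_DRAW_RE = re.compile(
    r"q\s+" + r"\s+".join([r"(-?\d+(?:\.\d+)?)"] * 6) + r"\s+cm\s+/(\w+)\s+Do\s+Q"
)

Box = Tuple[str, float, float, float, float]  # (xobject name, x0, y0, x1, y1)

def image_boxes(content_stream: str) -> List[Box]:
    """Return the placement rectangle of every image XObject drawn with the idiom above."""
    boxes: List[Box] = []
    for m in IMAGE_DRAW_RE.finditer(content_stream):
        a, b, c, d, e, f = (float(v) for v in m.groups()[:6])
        # Rotated or skewed placements (b, c non-zero) are folded into a conservative bounding box.
        width, height = abs(a) + abs(c), abs(b) + abs(d)
        boxes.append((m.group(7), e, f, e + width, f + height))
    return boxes

def overlap_ratio(b1: Box, b2: Box) -> float:
    """Intersection area divided by the smaller rectangle's area (0.0 when disjoint)."""
    x0, y0 = max(b1[1], b2[1]), max(b1[2], b2[2])
    x1, y1 = min(b1[3], b2[3]), min(b1[4], b2[4])
    if x1 <= x0 or y1 <= y0:
        return 0.0
    smaller = min((b1[3] - b1[1]) * (b1[4] - b1[2]), (b2[3] - b2[1]) * (b2[4] - b2[2]))
    return (x1 - x0) * (y1 - y0) / smaller if smaller > 0 else 0.0

def find_overlapping_images(content_stream: str, min_ratio: float = 0.5) -> List[Tuple[str, str, float]]:
    """Report pairs of images drawn over (mostly) the same area, the layered-QR pattern."""
    boxes = image_boxes(content_stream)
    hits: List[Tuple[str, str, float]] = []
    for i in range(len(boxes)):
        for j in range(i + 1, len(boxes)):
            ratio = overlap_ratio(boxes[i], boxes[j])
            if ratio >= min_ratio:
                hits.append((boxes[i][0], boxes[j][0], round(ratio, 3)))
    return hits

# Constructed sample (not from a real document): two 120x120 images stacked at the same
# position, which is the layered-QR pattern, plus an ordinary banner image elsewhere on the page.
SAMPLE_STREAM = """
q 120 0 0 120 300 500 cm /Im1 Do Q
q 120 0 0 120 300 500 cm /Im2 Do Q
q 400 0 0 60 100 720 cm /Im3 Do Q
"""
```

Pages that trigger this check are candidates for the layer-merging decoder above; a legitimate logo drawn once will not pair with another image at the same coordinates.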


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.