A sophisticated new phishing campaign is successfully tricking some of the most advanced security systems by turning a common convenience, the QR code, into a digital weapon. According to findings from the research firm 7AI, between 26 February and 18 March 2026, dozens of malicious emails landed directly in inboxes, remaining completely undetected by Microsoft Defender.
Researchers named the operation “Quish Splash,” noting that it was a massive, industrialised operation. Further investigation of the attacker’s tracking system revealed that the hackers sent over 1.6 million emails to various organisations in less than three weeks.
Breaking Through the Digital Guard
Typically, email filters are great at spotting malicious links in message text. However, in this campaign attackers hid links inside BMP image attachments. Because security tools usually read text and do not look at image pixels, the phishing link was basically invisible to automated scanners.
The attacker, using the name Baron Lester, sent emails regarding COVID-19 and RSV research. These were perfectly configured to pass every major technical check, such as SPF, DKIM, and DMARC, which act as digital ID cards for emails. Because the sender’s domain, iconicdeciphercom, was set up correctly, security systems marked the emails as fully trusted with a low spam score.
A Calculated, Three-Wave Strategy
The attack moved in three stages to avoid raising alarms. The first wave hit on 26 February as a small test run targeting seven individuals, including a manager. After a 19-day gap, a second major automated burst of 25 emails was sent on 17 March, specifically targeting that manager’s direct reports. A final follow-up was sent the next day.
In the 19 days between Wave 1 and Wave 2, the ID counter jumped by over 1.6 million, and by Wave 3, it advanced by another 77,000 IDs in just a single day. According to researchers, these gaps prove the attacker was busy hitting a massive volume of other organisations in parallel.
“What began as a single alert quickly revealed a coordinated campaign,” noted Juliana Testa of the 7AI Threat Research Team in the research shared exclusively with Hackread.com.
It is worth noting that the hackers even used auto-replies to their advantage. When a staff member had an Out of Office message active, it sent a reply back to covid_info@iconicdeciphercom. This confirmed to the attackers that the address was active and belonged to a real person. Researchers also found a clever hash evasion trick where every recipient received a unique QR code image, meaning even if one email was flagged, others could not be easily blocked, as every file looked unique to the computer.
The danger peaked when users scanned the codes with mobile phones, which often sit outside strict corporate security controls. This gave the Baron Lester persona a clear path to steal data without ever touching a protected company laptop, proving that even the most trusted inboxes are no longer a sure-fire haven.
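The following is an added example, not code from 7AI or from the original article: a Python mail-triage heuristic for the pattern described above (an image attachment, no scannable link in the body, SPF/DKIM/DMARC all passing, and a unique file per recipient). The sample messages, addresses and the "image-only-no-url" cluster label are constructed, and the flagging rule itself is an assumption made for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://\S+", re.I)

def build_sample(rcpt: str, seed: int) -> bytes:
    """Constructed test message: auth passes, no body URL, unique BMP per recipient."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"          # placeholder sender
    msg["To"] = rcpt
    msg["Subject"] = "Research update"
    msg["Authentication-Results"] = "mx.example.test; spf=pass; dkim=pass; dmarc=pass"
    msg.set_content("Please scan the attached code to view the document.")
    bmp = b"BM" + bytes([seed]) * 64             # placeholder bytes, not a real QR image
    msg.add_attachment(bmp, maintype="application", subtype="octet-stream",
                       filename="code.bmp")
    return msg.as_bytes()

def triage(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hashes = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Identify images by magic bytes, not by filename or declared MIME type.
        if data[:2] == b"BM" or part.get_content_maintype() == "image":
            hashes.append(hashlib.sha256(data).hexdigest())
    auth = str(msg.get("Authentication-Results", "")).lower()
    auth_pass = all(f"{k}=pass" in auth for k in ("spf", "dkim", "dmarc"))
    domain = msg["From"].addresses[0].domain
    # Image attached but nothing for a text-based URL scanner to inspect.
    flag = bool(hashes) and not URL_RE.search(text)
    # auth_pass is reported but never clears the flag: it proves domain setup, not intent.
    return {"flag": flag, "auth_pass": auth_pass, "hashes": hashes,
            "cluster": (domain, "image-only-no-url") if flag else None}

if __name__ == "__main__":
    for r in (triage(build_sample("a@corp.example", 1)),
              triage(build_sample("b@corp.example", 2))):
        print(r["flag"], r["auth_pass"], r["cluster"], r["hashes"][0][:12])
```

Because the per-recipient attachment hashes differ, grouping by sender domain and message shape is what ties the two messages to one campaign.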

