“`html
Users of Microsoft are encountering a fresh quishing initiative that utilizes weaponized QR codes hidden within malicious emails.
Emerging in early October 2025, this assault exploits reliance on QR-based authentication and device pairing procedures, deceiving targets into scanning codes that deliver infostealer binaries.
Initial findings came to light when analysts at Gen Threat Labs observed unusual QR attachments mimicking Microsoft branding amidst corporate Office 365 notifications.
Individuals who scanned these codes were redirected to a compromised Azure CDN node that hosted a staged payload delivery sequence.
After its emergence, researchers pinpointed numerous infection pathways. One involves a phishing email masquerading as a Microsoft Teams notification, directing users to scan a QR code to address an urgent security concern.
Another masquerades as a Microsoft Authenticator enrollment prompt, claiming “enhanced login protection” upon scanning. Since many organizations advocate for QR-based multi-factor setup, these traps appear genuine at a cursory glance.
Researchers from Gen Threat Labs noted that victims encountered familiar Microsoft logos and properly formatted links, amplifying the campaign’s scope and success rate.
The repercussions include credential theft and system intrusion. Once the QR code is scanned, victims receive a shortened URL that leads to a harmful redirector script.
This script executes environmental checks—confirming Windows locale, installed Defender versions, and sandbox indicators—before downloading a Packaged Infostealer (PI) executable.
This binary creates persistence by generating a scheduled task called “MSAuthSync,” guaranteeing execution with each user logon. Extracted credentials and system telemetry are exfiltrated over HTTPS to endpoints controlled by attackers.
Infection Mechanism
A significant innovation within this quishing campaign is its QR code AV evasion strategy. Instead of embedding a single QR image, the malware separates the code into two overlapping images created through PDF content streams.
Typical QR decoders overlook nonstandard color schemes and split segments, while the custom parser recombines the image layers prior to decoding.
The following Python example demonstrates how a defender might reconstruct and decode such fragmented QR codes:
from PIL import Image
import zbarlight
# Load the two image layers
layer1 = Image.open('qr_part1.png').convert('RGB')
layer2 = Image.open('qr_part2.png').convert('RGB')
# Recombine by taking the brighter pixel from each
merged = Image.new('RGB', layer1.size)
pixels1, pixels2 = layer1.load(), layer2.load()
for x in range(layer1.width):
for y in range(layer1.height):
pixels = pixels1[x, y] if sum(pixels1[x, y]) > sum(pixels2[x, y]) else pixels2[x, y]
merged.putpixel((x, y), pixels)
# Decode the merged QR code
codes = zbarlight.scan_codes('qrcode', merged)
print('Decoded URL:', codes[0].decode())This technique highlights how weaponized QR images can circumvent both static AV signatures and naive visual inspections, emphasizing the necessity for layered analysis in contemporary phishing operations.
“`