QR codes are being hijacked to bypass MFA protections


By now, most of us have become accustomed to seeing QR codes everywhere, from cafes and pubs, to businesses and public services. But how often do you check the URL it is directing you to?

This is just one of the weaknesses of QR codes - the implicit trust that the code will take you where you want to go.

New Sophos research has explored how an attack plays out after one of its own employees was targeted in a ‘quishing’ attack which utilized malicious QR codes hidden in seemingly legitimate internal emails.

Squishing quishing isn’t easy

In June 2024, several Sophos employees received a fairly mundane email from legitimate external email accounts, with subject lines written to appear as though the email was sent from an office printer/scanner with an employee benefits PDF document attached.

The PDF was fairly plain, containing the Sophos logo at the top, followed by a QR code and a message at the bottom stating that the QR code contained a secured link to DocuSign which required the employee’s digital signature, and that the file would expire in 24 hours.

[Image: A seemingly legitimate email from an office scanner with a PDF file attached. (Image credit: Sophos)]

When scanned, the QR code directed the employee to a Microsoft 365 sign-in box, where the employee duly signed in and completed a multi-factor authentication check. In almost real time an attacker used the credentials and a stolen MFA token to attempt to access an internal application. Luckily, Sophos’ internal network settings prevented access and the account was secured.

So, how could a quishing attack such as this be spotted and stopped? Well, if you pay particular attention to every detail of an incoming email, you may just stand a chance. For one, Sophos points out, the file name contained within the body of the email did not match that of the attached PDF. Moreover, the subject line read “Remittance Arrived” - something that a file received from a legitimate office scanner would not say.

The subject line also ended with “retirements plan attache=”. Whether this was a mistake on behalf of the attacker or a clever use of the ‘=’ sign to make the header appear cut off is not known.

The false sense of urgency created by the 24-hour expiry timeline should also have been a giveaway, as should the URL displayed when the QR code was scanned. However, as anyone who has scanned a QR code before will know, sometimes the full URL isn’t shown, or it disappears before it can be fully read and checked for clues such as random letters or a homoglyph domain.

[Image: A spoofed Microsoft 365 sign-in page. (Image credit: Sophos)]

As for the stolen MFA token: the Microsoft 365 sign-in page was actually a spoofed dialogue box controlled by the attacker, which went undetected because the victim’s phone had no URL filtering software.

Quishing, Sophos points out, is a fast-growing threat to organizations, with phishing-as-a-service (PhaaS) brokers such as the ONNX Store increasingly including QR code-based attacks in their offerings.

As QR codes are typically image-based attachments that can be placed within PDF documents, they can easily slip through email filters and the typical endpoint security protections employed by many businesses, because all of the URL processing happens on the victim’s mobile device, which may not be subject to the same level of protection.
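The two gaps described above (the decoded URL is rarely inspected on the phone, and the QR image itself sails past mail filters) can be narrowed by inspecting the decoded URL wherever it becomes visible: on a mail gateway that decodes QR images from attachments, or in a mobile URL filter. The following is an added example, not Sophos’ tooling or anything from the article; it assumes a QR code has already been decoded to a URL string, and the brand allow-list is a constructed assumption for the demo.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of the brands this lure impersonates (assumption for the demo).
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "microsoftonline.com", "live.com"),
    "docusign": ("docusign.com", "docusign.net"),
}


def _registrable(host):
    # Naive "last two labels" approximation; production code would consult the Public Suffix List.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_qr_url(url):
    """Return the list of red flags for a URL decoded from a QR code (empty list = nothing suspicious)."""
    flags = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        flags.append("non-https scheme")
    # A punycode label means an IDN hostname, the usual vehicle for homoglyph domains.
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode (IDN) label in hostname")
    # Raw non-ASCII letters in the host (e.g. a Cyrillic 'o') are the other homoglyph indicator.
    scripts = {unicodedata.name(ch, "?").split()[0]
               for ch in host if ch.isalpha() and not ch.isascii()}
    if scripts:
        flags.append("non-ASCII script in hostname: " + ", ".join(sorted(scripts)))
    # Brand name anywhere in the URL while the registrable domain is not the brand's own.
    reg = _registrable(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in url.lower() and reg not in legit:
            flags.append(f"'{brand}' lookalike on unrelated domain {reg}")
    # Long mixed letter/digit tokens in the path or query: the "random letters" a user would notice.
    for token in parts.path.split("/") + parts.query.split("&"):
        if len(token) >= 24 and any(c.isdigit() for c in token) and any(c.isalpha() for c in token):
            flags.append(f"long random-looking token: {token[:16]}...")
            break
    return flags
```

A gateway would run this over every URL decoded from attachment images and quarantine or rewrite messages that return any flag; a clean result is not proof of safety, only the absence of these specific signals.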

Andrew Brandt, principal threat researcher at Sophos, said, “While there was some fear surrounding the rise of QR codes when they first became popular during COVID, the risk for most people was actually quite small. However, now we’re seeing attackers leverage these QR codes for highly targeted phishing attacks—and they’re effective.”

“QR codes are incredibly flexible, and with quishing kits, attackers can essentially create a series of targeted quishing emails en masse, customizing them for employees of different companies. And, unfortunately, if attackers manage to steal both login credentials and MFA authentication tokens for a company employee, in many cases they have gained the ability to infiltrate highly privileged assets,” Brandt said.

For recommendations on how best to protect your organization from quishing, and the key signs of a quishing email, take a look at Sophos’ suggestions here.


Benedict Collins
Staff Writer (Security)
