Estimated reading time: 6 minutes
Lately, every conversation I have with cybersecurity experts seems to include the same advice: “Don’t scan QR Codes.” This warning applies to emails and to “urgent” PDFs with official logos and tight deadlines. QR Codes were designed for convenience, but attackers have exploited that same ease. As the saying goes, “We have met the enemy and he is us.” That quote is from Pogo, a classic American comic, where a swamp possum and friends satirize human behavior. Like email and BEC, our habit of seeking speed comes at the cost of control. Enter quishing or QR code scams. According to a new StrongestLayer report, the real problem is structural: scanning a QR code moves the threat from a protected inbox to an unmanaged phone, placing the attack outside the security perimeter.
Quishing Keeps Winning Despite More Defenses
StrongestLayer’s new threat research tracks a stubborn problem in corporate inboxes. The company studied about 200 malicious QR instances across 19 campaigns. The dataset included 98 phishing emails and 106 QR codes. The emails slipped past Microsoft Defender for Office 365, Google Workspace controls, Proofpoint, and Mimecast. The report calls these “the most sophisticated and evasive examples” it saw.
The growth in attacks is alarming. According to Kaspersky data from late 2025, successful QR code phishing increased fivefold in just three months, rising from 46,000 to 250,000 between August and November 2025. Even as vendors added more QR detection features, StrongestLayer notes that attack volume still increased. The company calls this “an architectural blind spot.”
The Core Problem Sits In Your Pocket
The report highlights one main issue: the “mobile device gap.” A phishing email arrives in a protected inbox, but the QR code is scanned on a personal phone. Credential theft then happens in a personal browser and on a personal network. StrongestLayer says this outcome is unavoidable for gateway tools. “This is an architectural constraint, not a detection accuracy problem.”
This gap also shapes the report’s perspective. StrongestLayer does not blame vendors for being careless. Instead, it argues that defenses are focused on the wrong point. Alan LeFort, the company’s CEO, put it simply: “The industry spent billions to scan QR codes — and attackers still won.” He added, “This isn’t a tuning problem. It’s an architectural one.”
Inside The Kill Chain That Beats Gateways
StrongestLayer walks readers through a representative campaign. It highlights one that it labels “enviousenergy.com.” The lure used an HR pretext about a bonus qualification. The PDF attachment carried the QR code image. The PDF held “no malicious code—only an image.” The QR message pushed a simple action. “Scan to view your personalized bonus statement.”
The QR code did not link directly to a phishing site. Instead, it led to Google’s redirect service, so gateways only saw “google.com,” which has a good reputation. From there, the attack moved to a new domain. The attackers used a fake CAPTCHA page with timing checks to block automated scanners, allowing only real users to continue. The final credential theft page appeared on the victim’s phone. The report summarizes the goal: “The credential theft occurs on the employee’s personal smartphone.”
StrongestLayer found this pattern in every case studied. All attacks used QR codes in PDF attachments, with 100% prevalence. Additionally, 89% used fake CAPTCHA pages to avoid analysis, and 84% embedded the victim’s email in the URL, making each link unique and reducing the effectiveness of IOC matching.
Trusted Cloud Services Become A Reputation Shield
The report also examines how attackers use trusted platforms for redirects. StrongestLayer found frequent use of AWS S3, Cloudflare, Google redirects, and Azure. Defenders face a tough choice: blocking these services can disrupt real business operations, and attackers take advantage of this. The report notes that “legitimate infrastructure abuse” occurred in 42% of campaigns.
Redirects also make analysis more complicated. StrongestLayer reports that, on average, each attack used 1.78 redirect techniques, with some attacks using two or three methods at once. This chaining of redirects slowed down scanners and increased the chances of missing an attack.
Detection Hits A Mathematical Ceiling
StrongestLayer uses Jaccard similarity to measure how similar the attacks are to each other. Traditional phishing attacks often look very similar, but QR campaigns did not. The average similarity in the QR dataset was 0.209, and targeted campaigns dropped to 0.134. The report sets 0.30 as a practical threshold. Below this, pattern matching becomes difficult: tuning aggressively leads to too many false positives, while tuning cautiously means missing new attacks.
Mimecast is given as an example of this tradeoff. StrongestLayer points out that Mimecast aims for a 90% probability threshold, which means some misses are expected. The report sees this not as a failure, but as a practical limitation.
Get The Cyber Insurance Upload Delivered
Subscribe to our newsletter!
FBI Validation And APT Incentives
The report also references an FBI alert from January 2026, which said North Korean actors used quishing against U.S. targets. StrongestLayer calls this “nation-state validation.” The FBI described quishing as happening “outside normal Endpoint Detection and Response (EDR) and network inspection boundaries,” supporting the mobile gap argument.
The report also says that quishing can bypass MFA protections by stealing and reusing session tokens. It calls this method an “MFA-resilient identity intrusion vector.” This is important for cyber insurers because it links QR code attacks to identity loss and cloud account takeovers.
Recommendations Shift From Scanning To Reasoning
StrongestLayer directs its recommendations to security leaders rather than tool operators. It encourages teams to test their email systems against real evasion techniques by asking key questions: Can the gateway decode QR codes from PDFs? Can it follow redirects to final pages? Can it access URLs behind fake CAPTCHA timing checks? The report says that answering “no” to any of these means there is a coverage gap.
The report also advises leaders to consider the workload on their teams. It warns that too many false alerts can lead to analyst fatigue. It recommends tools that help users make decisions before scanning QR codes and suggests using “reasoning-based detection architectures” instead of relying on signatures. Signature updates can fall behind, but contextual reasoning can adapt more quickly.
Related Cyber Liability Insurance Posts
- Lockton: Cyber Rates Near Sustainability Floor
- Legal Industry Faces AI Boom and New Cybersecurity Challenges in 2025
- If You Think Your Secrets Are Safe, Think Again: Even the FBI Can’t Hide
- Identity Theft – What to Do When Your Identity Has Been Stolen
- Ghost Students Exploit Aid as Identity Theft Surges Nationwide – NEW PODCAST
