Quishing, or QR code phishing, is rapidly evolving as threat actors adapt their tactics to bypass email security scanners.

By incorporating QR codes into phishing campaigns, threat actors have added an additional layer of evasion, making it harder for traditional security solutions to detect.

The latest iteration, dubbed “Quishing 2.0,” has emerged with more evasive tactics than ever before.

A recent quishing campaign discovered by Perception Point’s security research team highlights the sophistication of these attacks.

What is Quishing

Threat actors exploit widely trusted platforms like SharePoint and online QR scanning services, combining them in a way that evades almost every email security solution today.

A Walkthrough Of A Quishing 2.0 Attack

1. Email Message: The target receives an email appearing to be from a real business, sometimes with a spoofed domain and impersonation of a familiar business partner. The subject line and attached PDF file suggest it’s a Purchase Order (PO).

2. PDF Attachment: Inside the PDF document, the target sees a large QR code along with instructions to scan it to view the full purchase order.

The PDF includes the physical address of the impersonated business, further reinforcing its credibility.

3. QR Scanning Service (Me-QR): When the target scans the QR code, they are redirected to me-qr.com, a legitimate QR code creation and scanning service.

The page indicates that the QR code was successfully scanned, with a button labeled “Skip Advertisement.” This step adds another layer of authenticity, as it uses a trusted service.

4. SharePoint Folder: Clicking the “Skip advertisement” button leads the recipient to a real SharePoint page, seemingly connected to the impersonated business. This is where the attack takes full advantage of trusted services to mask malicious intent.

5. .url File and M365 Phishing Page: If the recipient clicks on the file in SharePoint, they are redirected to the final payload: a fake OneDrive page.

The Microsoft 365 login form, designed to steal the victim’s credentials, appears over what cosmetically seems to be files of scanned invoices from the PO in the background.

The Evasion Technique

Quishing 2.0 involves two QR codes. The first, or “Bad” QR code, leads to the legitimate SharePoint page associated with a compromised or spoofed business account, which then leads to the malicious phishing page.

The attacker uploads this QR code to an online QR scanning service, like me-qr.com, which extracts the URL and presents it after an advertisement. The threat actors generate a second “Clean” QR code from this result/ad page.

This “Clean” QR code is the one that targets will ultimately see and interact with on the PDF attachment, appearing completely legitimate and bypassing initial email security scans.

Perception Point’s Advanced Email Security uses Dynamic URL Analysis and computer vision to break down the layers of Quishing 2.0 and identify the actual malicious content.

The Advanced Object Detection Model analyzes the content of webpages as a user would see them, detecting clickable elements such as buttons or login forms.

Paired with the Recursive Unpacker, Perception Point automatically clicks through these elements to trace the full path of the attack, uncovering the malicious payloads hidden beneath layers of seemingly legitimate services and QR codes.

This multi-layered detection stack provides robust, real-time protection against quishing attacks of all types, emphasizing the need for advanced security solutions to combat evolving threats.


This article first appeared in Cyber Security News, written by Guru Baran on September 23, 2024.