QR codes are quickly becoming a favorite delivery method for phishing attacks. Sublime's AI-powered phishing protection platform identifies malicious QR codes no matter where they're hiding and keep them out of inboxes.
Attackers often use QR codes in phishing campaigns to bypass URL filters.
Since targets can't easily preview the destination before scanning, this method is highly effective at deceiving unsuspecting recipients.
A comprehensive phishing protection platform analyzes QR codes used to deliver malicious links, redirects to credential harvesting sites, automatic downloads of malware, social engineering attacks, and more.
The explosion and sophistication of AI-generated email attacks requires a solution that provides best-in-class efficacy, but also the ability to contextualize and respond to threats in real time. With Sublime, our team can prevent, detect, and respond to email-borne threats of today and the future.
Brad Jones
CISO, Snowflake
What makes QR code phishing so effective
QR codes bypass standard link scanning methods and offer unique obfuscation methods.
Link analysis avoidance
By putting their malicious link in a QR code, attackers can evade analysis that relies on traditional URL inspection.
Unique obfuscation
QR codes come with their own obfuscation methods, like embedding them as HTML, image contrasting, color changes, and logo overlays.
Hidden payloads
Attackers will put QR codes in attachments or on a linked page, keeping it easy for humans to find, but difficult for traditional phishing protection tools.
Tools for catching QR code phishing
Sublime uses a layered combination of AI, machine learning, and org-specific detections to catch the phish.
Computer vision
Sublime uses computer vision to detect QR codes in an email body, linked pages, and attachments.
Link analysis
Sublime uses a browser emulation sandbox and machine learning to follow decoded QR code links through redirects to resolve the effective URL and collect a screenshot for further analysis.
Recursive file analysis
Sublime analyzes attachments with computer vision to detect QR codes and then resolve their destinations. This includes recursive analysis of archives, scanning all the files within regardless of depth.
Leading phishing protection service for QR code threats
See how Sublime's comprehensive phishing protection service can safeguard your organization from sophisticated quishing attacks.
Thank you!
Thank you for reaching out. A team member will get back to you shortly.
Oops! Something went wrong while submitting the form.
Latest on QR code phishing
The latest news, research, and attack spotlights about QR code phishing and phishing protection service solutions.
Attack spotlight
Adversarial prompt injection payload for evading AI-based detection
June 25, 2026
Attack spotlight
Surge in callback phishing attacks abusing auto notifications, verifications, alerts, receipts, and more
June 17, 2026
Attack spotlight
Kratos phishing attack hidden in business term encoding and sophisticated obfuscation
QR code phishing is when attackers hide malicious links inside QR codes instead of plain text URLs. Many email security tools focus on links in the HTML of a message, so a QR code that encodes the destination as an image can slip past link-focused defenses. The recipient scans the code, lands on a credential harvesting page or malware download, and never sees a suspicious URL in the message.
Why do QR codes bypass traditional email security?
Because many email security stacks still prioritize text and URL extraction over image-based link analysis. Link-scanning engines inspect URLs in message bodies and attachments – QR codes encode those URLs visually, so they won't be evaluated unless a tool extracts and resolves QR destinations. Attackers make it worse by embedding QR codes inside PDFs, adding branding and styling to look legitimate, or manipulate QR code renderings to evade analysis.
How does Sublime detect malicious QR codes?
Sublime uses analysis tools to identify QR codes in message bodies and supported attachment types. Once found, Sublime resolves the encoded destination and analyzes the link and redirect chain. Sublime also analyzes nested attachments to uncover QR-based payloads that are buried inside archives.
Can Sublime catch QR codes hidden inside attachments?
Yes. Hiding a QR code inside a PDF or Office document is one of the most common ways attackers try to slip past inline scanning. Sublime analyzes supported attachment types (including within archives) to find QR codes and resolve where they lead before the message reaches an inbox.
What types of quishing attacks does Sublime stop?
Credential harvesting pages, malware downloads, social engineering lures, and multi-step redirect chains designed to pass through a legitimate-looking URL before landing somewhere malicious. Because Sublime resolves the destination, it can follow redirect chains and assess the final landing page.
How is Sublime different from other phishing protection tools?
Many tools still focus on URLs in message text and miss QR-coded destinations unless they do QR extraction. Sublime combines computer vision, attachment analysis, and link resolution into a single pipeline, so QR code payloads get the same scrutiny as any other threat vector.
What does it take to get Sublime's quishing protection up and running?
Less than you'd expect. Sublime deploys as cloud SaaS, single-tenant SaaS, or self-hosted, with API or inline protection. It integrates with your existing stack – SIEM, SOAR, Slack – and covers inbound, internal, and outbound email from day one. Most teams get protection quickly without a rip-and-replace.
Now is the time
See how Sublime delivers autonomous protection by default, with control on demand.
.svg)
.avif)
