QR code

Tactic or Technique: QR code

QR codes are those square barcodes you scan with your phone to open a link. You’ve probably used them at restaurants, parking meters, or on event flyers. Attackers take advantage of how common and trusted they’ve become by hiding malicious links inside them. When scanned, a QR code can send you to a phishing site or install malware on your device.

These codes often appear in emails, attachments, or printed materials and are designed to look harmless. Some use redirect chains that pass through a URL shortener or compromised site before landing on the actual payload, making them harder to detect.

Because you can’t see where a QR code leads before scanning, and many scans happen on personal phones without enterprise protections, attackers get a reliable way to steal credentials, install malware, or access corporate systems through unmanaged devices.

Blog Posts

Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits

Talking phish over turkey

QR Code Phishing: Decoding Hidden Threats

Attack Types (3):

Credential Phishing

Malware/Ransomware

BEC/Fraud

Detection Methods (11):

Optical Character Recognition

URL analysis

Natural Language Understanding

URL screenshot

XML analysis

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Brand impersonation: Microsoft (QR code)	16d ago Jun 2nd, 2025 UTC	Sublime Security	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-microsoft-qr-code-ed0f772a
Open redirect: typedrawers.com	26d ago May 23rd, 2025 UTC	Sublime Security	Credential Phishing Evasion Open redirect QR code Social engineering Content analysis File analysis QR code analysis Sender analysis	/feeds/core/detection-rules/open-redirect-typedrawerscom-158d9e95
Attachment: Fake Voicemail via PDF	1mo ago Apr 30th, 2025 UTC	Sublime Security	Credential Phishing PDF QR code Social engineering Computer Vision Content analysis File analysis Optical Character Recognition QR code analysis URL analysis	/feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209
Attachment: QR code with credential phishing indicators	2mo ago Apr 14th, 2025 UTC	Sublime Security	Credential Phishing QR code Social engineering Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/attachment-qr-code-with-credential-phishing-indicators-9f1681e1
Link: QR Code with suspicious language (untrusted sender)	2mo ago Apr 14th, 2025 UTC	Sublime Security	Credential Phishing Impersonation: Brand QR code Social engineering Content analysis Computer Vision Natural Language Understanding QR code analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-qr-code-with-suspicious-language-untrusted-sender-25a84d1c
Link: QR code with phishing disposition in img or pdf	2mo ago Apr 14th, 2025 UTC	Sublime Security	Credential Phishing QR code Social engineering Content analysis Computer Vision QR code analysis Sender analysis URL analysis	/feeds/core/detection-rules/link-qr-code-with-phishing-disposition-in-img-or-pdf-8e8949f6
QR Code with suspicious indicators	2mo ago Apr 7th, 2025 UTC	Sublime Security	Credential Phishing QR code Social engineering Content analysis Header analysis Computer Vision Natural Language Understanding QR code analysis Sender analysis URL analysis	/feeds/core/detection-rules/qr-code-with-suspicious-indicators-04f5c34f
Compensation Review With QR Code in Attached EML	2mo ago Apr 3rd, 2025 UTC	Sublime Security	Credential Phishing QR code Social engineering Computer Vision Content analysis Optical Character Recognition QR code analysis	/feeds/core/detection-rules/compensation-review-with-qr-code-in-attached-eml-98a2f03c
Brand impersonation: Adobe (QR code)	2mo ago Mar 27th, 2025 UTC	Sublime Security	Credential Phishing Impersonation: Brand PDF QR code Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-adobe-qr-code-2fc36c6d
Attachment: QR Code Link With Base64-Encoded Recipient Address	2mo ago Mar 27th, 2025 UTC	Sublime Security	Credential Phishing QR code Image as content Social engineering Evasion PDF Macros Computer Vision File analysis Natural Language Understanding QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a
Attachment: QR Code With Userinfo Portion	3mo ago Feb 21st, 2025 UTC	Sublime Security	Credential Phishing Malware/Ransomware Evasion Image as content PDF QR code QR code analysis File analysis Sender analysis	/feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c
Attachment: SVG Files With Evasion Elements	3mo ago Feb 21st, 2025 UTC	Sublime Security	Malware/Ransomware Credential Phishing QR code Image as content Evasion File analysis XML analysis QR code analysis Sender analysis	/feeds/core/detection-rules/attachment-svg-files-with-evasion-elements-5d2dbb60
Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender	4mo ago Feb 3rd, 2025 UTC	Sublime Security	BEC/Fraud Free email provider PDF Social engineering QR code Content analysis File analysis QR code analysis	/feeds/core/detection-rules/extortion-sextortion-pdf-attachment-leveraging-breach-data-from-freemail-sender-efb5a213
Brand impersonation: DocuSign (QR code)	1y ago Jun 12th, 2024 UTC	Sublime Security	Credential Phishing Impersonation: Brand PDF QR code Social engineering Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-docusign-qr-code-0b16c28a
Brand Impersonation: DocuSign with embedded QR code	1y ago May 2nd, 2024 UTC	Sublime Security	Credential Phishing Evasion Image as content Impersonation: Brand QR code Computer Vision Content analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-docusign-with-embedded-qr-code-f5cde463
Link: QR code in EML attachment with credential phishing indicators	1y ago Apr 25th, 2024 UTC	Sublime Security	Credential Phishing Evasion Open redirect QR code Computer Vision Content analysis File analysis QR code analysis	/feeds/core/detection-rules/link-qr-code-in-eml-attachment-with-credential-phishing-indicators-9908ed3a
Attachment: HTML smuggling - QR Code with suspicious links	1y ago Apr 25th, 2024 UTC	Sublime Security	Credential Phishing QR code Computer Vision Header analysis Natural Language Understanding QR code analysis Sender analysis URL analysis URL screenshot	/feeds/core/detection-rules/attachment-html-smuggling-qr-code-with-suspicious-links-010e757d
Brand Impersonation: Google (QR Code)	1y ago Apr 3rd, 2024 UTC	Sublime Security	Credential Phishing Impersonation: Brand PDF QR code Computer Vision Header analysis QR code analysis Sender analysis	/feeds/core/detection-rules/brand-impersonation-google-qr-code-7ffd184c