Current Cyber Threats

Threat Spotlight: Split and Nested QR Codes Fuel New Generation of ‘Quishing’ Attacks

Summary:
Recent research highlights how attackers are evolving QR code phishing, or “quishing,” tactics to stay ahead of security defenses. The basic idea of using a QR code to steer a user to a credential-harvesting site is well understood; what is new is a set of techniques designed to keep the code out of reach of automated inspection. Barracuda’s analysts point to two notable developments: split QR codes and nested QR codes. The split technique, observed in use with the Gabagool phishing-as-a-service kit, breaks a single QR code into two separate image files that are embedded in the email one directly above the other. Rendered in the mail client, the two fragments line up and look like one complete code. A security scanner that inspects each inline image on its own, however, sees two independent images, neither of which contains a decodable QR payload, and so finds nothing to flag. When the recipient scans the reassembled code on a phone, it resolves to a phishing page, typically disguised as a Microsoft login prompt. The approach not only evades automated tools but was paired with highly tailored lures, which suggests the attackers had already carried out successful conversation hijacking against their targets.

Security Officer Comments:
Additionally, analysts have documented the Tycoon 2FA phishing-as-a-service kit using nested QR codes. In this method, a malicious QR code is layered around or within a legitimate one. For example, the outer code may route a victim to a phishing page while the inner code points to a benign destination. Which code a given reader decodes depends on the scanning app and how the image is framed, so a scanner or a human reviewer that decodes only the benign code can be led to clear the message, while the victim’s phone resolves the malicious one. This ambiguity makes the malicious intent harder to spot.

Suggested Corrections:
Enhance detection logic for QR codes: Deploy email security solutions that render the message the way the recipient sees it, reassemble adjacent inline images, and decode the resulting QR codes, including split-image and nested formats, then subject the decoded URL to the same reputation checks and sandboxing applied to ordinary links, rather than relying solely on traditional link scanning of the message text.

Implement layered authentication controls: Require phishing-resistant MFA (such as FIDO2-based passkeys or hardware tokens) to reduce the impact of credentials stolen through QR-based phishing pages. Kits such as Tycoon 2FA proxy the real login flow to relay one-time codes and push approvals, so origin-bound credentials are the control that actually breaks this class of attack.

Harden mobile device security: Since most QR codes are scanned on phones, ensure mobile endpoint protection is in place and managed devices enforce policies like browser isolation, URL filtering, and automatic updates.

User awareness training: Educate employees to treat a QR code in email as a link they cannot read, especially in unexpected password reset notices, invoices, or delivery notifications, and to verify the request through a known-good channel rather than the code’s destination.

Adopt zero-trust access principles: Limit lateral movement by segmenting networks and enforcing conditional access policies that check device health and location, so that a compromised credential alone is not enough to sign in. Because a QR lure moves the login onto a personal phone outside corporate controls, alert on sign-ins from unmanaged devices and unfamiliar locations.
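The following is an added illustration of the reassembly step recommended above, written for this summary; it is not Barracuda’s code or the detection logic of any product. It parses a MIME message, finds consecutive inline PNG images referenced from the HTML body, flags pairs whose stacked geometry is roughly square (the signature of a split QR code), and stitches each pair back into one image that can be handed to a QR decoder. The sample email, the two fragment images and the `cid:top` / `cid:bottom` references are constructed for the demo. The stitcher understands only the 8-bit greyscale, filter-0 PNGs the demo creates; real mail would use an imaging library such as Pillow for that step, and a decoder such as zbar for the final read.

```python
import email
import re
import struct
import zlib
from email import policy
from email.message import EmailMessage

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Simplified: real HTML may use single quotes, data: URIs or CSS backgrounds.
IMG_RE = re.compile(r'<img[^>]+src="cid:([^"]+)"', re.IGNORECASE)


def _chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def _chunks(data: bytes):
    """Yield (tag, body) for every chunk in a PNG."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        tag = data[pos + 4:pos + 8]
        yield tag, data[pos + 8:pos + 8 + length]
        pos += 12 + length


def encode_png(width: int, height: int, rows: bytes) -> bytes:
    """Demo-only encoder: 8-bit greyscale PNG from filter-0 scanlines."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


def png_size(data: bytes) -> tuple[int, int]:
    """(width, height) from the IHDR chunk."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    return struct.unpack(">II", data[16:24])


def png_rows(data: bytes) -> bytes:
    """Decompressed scanlines; assumes 8-bit greyscale as produced by encode_png."""
    ihdr = next(b for t, b in _chunks(data) if t == b"IHDR")
    if ihdr[8:10] != b"\x08\x00":
        raise ValueError("demo handles 8-bit greyscale only")
    return zlib.decompress(b"".join(b for t, b in _chunks(data) if t == b"IDAT"))


def stitch_vertical(top: bytes, bottom: bytes) -> bytes:
    """Reassemble two stacked fragments into one PNG for a QR decoder."""
    (w1, h1), (w2, h2) = png_size(top), png_size(bottom)
    if w1 != w2:
        raise ValueError("fragment widths differ")
    return encode_png(w1, h1 + h2, png_rows(top) + png_rows(bottom))


def find_split_qr_candidates(raw_email: bytes):
    """Return [(top_cid, bottom_cid, stitched_png)] for consecutive inline images
    whose combined shape is roughly square, i.e. could be one QR code."""
    msg = email.message_from_bytes(raw_email, policy=policy.default)
    images = {}
    for part in msg.walk():
        if part.get_content_type() == "image/png":
            cid = (part["Content-ID"] or "").strip("<>")
            images[cid] = part.get_payload(decode=True)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    order = IMG_RE.findall(body.get_content())  # images in render order
    found = []
    for a, b in zip(order, order[1:]):
        if a not in images or b not in images:
            continue
        (wa, ha), (wb, hb) = png_size(images[a]), png_size(images[b])
        # Same width and stacked height within ~10% of the width: a split square.
        if wa == wb and abs((ha + hb) - wa) <= max(2, wa // 10):
            found.append((a, b, stitch_vertical(images[a], images[b])))
    return found


def build_sample_email() -> bytes:
    """Constructed sample: a 200x200 'QR' split into two 200x100 halves."""
    top = encode_png(200, 100, (b"\x00" + b"\x00" * 200) * 100)     # black rows
    bottom = encode_png(200, 100, (b"\x00" + b"\xff" * 200) * 100)  # white rows
    msg = EmailMessage()
    msg["Subject"] = "Action required: your password expires today"
    msg["From"] = "it-helpdesk@example.com"
    msg["To"] = "user@example.com"
    msg.add_alternative(
        "<p>Scan the code below to keep your account active:</p>"
        '<img src="cid:top" style="display:block">'
        '<img src="cid:bottom" style="display:block">',
        subtype="html",
    )
    html_part = msg.get_payload()[0]
    html_part.add_related(top, maintype="image", subtype="png", cid="<top>")
    html_part.add_related(bottom, maintype="image", subtype="png", cid="<bottom>")
    return msg.as_bytes()


if __name__ == "__main__":
    for top_cid, bottom_cid, stitched in find_split_qr_candidates(build_sample_email()):
        print(f"split QR candidate: {top_cid}+{bottom_cid} -> {png_size(stitched)}")
```

The geometry heuristic is deliberately loose: a scanner that requires an exact square will miss fragments padded by a pixel or two, while the 10% tolerance still rejects ordinary stacked banner images. In a production pipeline the stitched image would go straight to a QR decoder and the decoded URL into the existing link-analysis path.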

Link(s):
https://blog.barracuda.com/2025/08/20/threat-spotlight-split-nested-qr-codes-quishing-attacks