QR codes have become a convenient bridge between the physical and digital worlds. Scan a code to open a menu, check in, or make a payment. That same convenience has also created an opportunity for cybercriminals. Attackers are now embedding phishing links inside QR codes in a growing trend called quishing.
A quishing campaign usually begins with an email or PDF attachment that contains a QR code instead of a clickable link. When the user scans the code with a mobile device, it directs them to a fraudulent website that collects credentials or installs malware.
Because the URL is embedded within the image and not in the message body, traditional email filters and link inspection tools cannot detect it. The attack takes place on the user’s mobile device, often outside the organization’s secure network.
Recent campaigns have become increasingly sophisticated:
Using PDF attachments to hide the QR code from email scanners
Routing victims through legitimate redirectors or Cloudflare Turnstile to evade detection
Mimicking login pages for major services like Microsoft 365 and Adobe
These techniques make quishing difficult to identify and block with traditional security measures.
Quishing relies on trust and convenience. Employees may think twice before clicking a suspicious link on a computer, but will often scan a QR code without hesitation. Once scanned, the action happens on a phone that may not have the same protective controls as the corporate network.
ThreatSTOP’s DNS Defense Cloud, DNS Defense, and IP Defense stop quishing before it becomes a problem. Even if a malicious QR code is scanned, ThreatSTOP’s Protective DNS (PDNS) and IP-based protections block the DNS lookup or outbound connection to the attacker’s infrastructure. This prevents credential theft and malware delivery before any damage occurs.
ThreatSTOP protection uses intelligence from thousands of data feeds, combining trusted third-party sources with original research from the ThreatSTOP Security, Intelligence, and Research team. This approach provides visibility and active protection against:
Newly registered or short-lived domains used in phishing
Redirector and URL shortener abuse
Follow-on IP infrastructure used for data exfiltration and command and control
Our PDNS technology aligns with CISA’s Protective DNS guidance and supports compliance with NIST CSF 2.0 and other regulatory frameworks.
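The DNS-layer decision described above, as an added example (not ThreatSTOP's code or feed data): it extracts the hostname a phone would resolve from a decoded QR payload and matches it against blocked and redirector zones on label boundaries. The zone sets, sample payloads and function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed policy data for illustration; real PDNS zones come from threat feeds.
BLOCKED_ZONES = {"login-portal.example", "bad.test"}
REDIRECTOR_ZONES = {"short.example"}

def qr_payload_host(payload):
    """Hostname a phone would resolve for a decoded QR payload, or None."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):  # Wi-Fi config, vCard, plain text
        return None
    # .hostname drops userinfo and port and lowercases, so the text before
    # "@" in "https://trusted-looking-name@real-host/" is ignored.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii")  # normalise IDNs to punycode
    except UnicodeError:
        return None

def zone_match(host, zones):
    """Suffix match on label boundaries: host or any parent domain is listed."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def pdns_verdict(payload):
    """Return (verdict, host) for one decoded QR payload."""
    host = qr_payload_host(payload)
    if host is None:
        return ("not-web", None)
    if zone_match(host, BLOCKED_ZONES):
        return ("block", host)
    if zone_match(host, REDIRECTOR_ZONES):
        return ("review", host)  # redirector: final destination is not visible yet
    return ("allow", host)

if __name__ == "__main__":
    samples = [  # constructed payloads, as a QR decoder would return them
        "https://login.microsoftonline.com@m365.login-portal.example/auth",
        "HTTPS://Short.Example./r?u=abc",
        "https://notlogin-portal.example/",
        "WIFI:S:guest;T:WPA;P:x;;",
    ]
    for s in samples:
        print(pdns_verdict(s), s)
```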
Use Protective DNS to stop DNS lookups to known or suspicious phishing domains
Apply IP-based controls to block communication with malicious infrastructure
Educate employees about the risk of scanning unknown QR codes
Adopt phishing-resistant MFA to minimize credential exposure
ThreatSTOP solutions provide these protections automatically, giving organizations full control over DNS and IP traffic across all devices.
Quishing is not a passing fad. It is the latest evolution of phishing that targets the gap between human behavior and traditional controls. Protection at the DNS and IP layers is the only reliable way to stop it before users are compromised.
With ThreatSTOP, you can connect confidently knowing that malicious destinations are blocked before they cause harm.