Executive Summary
- 270% monthly growth in quishing attacks through 2024; 1.7M+ malicious QR codes detected by Q1 2025.
- C-suite execs 42× more targeted than average employees; non-C-level managers 5× more targeted.
- Notable campaigns include the Swiss MeteoSwiss postal attack and PDF-embedded QR code phishing using Microsoft, DocuSign, and Adobe branding.
- Evasion tactics include PDF annotations, URL shorteners, Cloudflare Turnstile, and MFA spoofing.
- Physical-digital convergence and AI-generated phishing indicate a continuing upward trajectory in 2025.
What Happened
Quishing has transitioned from fringe technique to mainstream threat vector, weaponizing QR codes in email attachments, physical mail, and social platforms. High-value executive targeting, brand impersonation, and advanced obfuscation methods dominate the latest wave of campaigns.
QR code phishing bypasses most email security controls entirely. With executives targeted at 42× the rate of standard users, organizations need both technical controls and targeted awareness programs.
Technical Breakdown
Growth Metrics
- 587% incident growth in 2023.
- 25% year-over-year rise in 2024.
- 433% QR code usage increase since 2021.
Delivery Vectors
- PDF attachments (most common) with embedded malicious QR codes.
- Inline images in email bodies.
- Physical letters (Swiss MeteoSwiss case).
- Social media-distributed QR codes.
Malware
- Coper/Octo2 banking trojan deployed via fake “AlertSwiss” app.
- ONNX Store PhaaS with 2FA bypass mechanisms.
Evasion
- PDF annotation masking.
- Minimal text payloads to evade keyword scanning.
- Cloudflare Turnstile verification.
- Multi-redirect URL shortening.
Themes
- MFA notices (27%).
- Shared document prompts (21%).
- HR/payroll lures.
- Urgent account security alerts.
Impact Analysis
Short-Term
- Surge in credential compromise, BEC (Business Email Compromise), and mobile endpoint breaches.
- More attacks bypassing email filtering because the payloads are non-text.
Long-Term
- Institutionalization of QR phishing in APT toolkits.
- Physical-digital hybrid campaigns likely to proliferate.
- Greater exploitation of AI to automate and scale targeting.
Operational Takeaways
- Deploy email security capable of QR code detection/analysis inside attachments.
- Enforce mobile device security policies; integrate MDM controls.
- Establish executive-specific phishing defense protocols.
- Train workforce to verify QR sources; push awareness of physical-digital attack convergence.
- Block known malicious URL shortener domains and inspect redirect chains.
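An added example (not from the original report or any vendor tool) of the redirect-chain inspection recommended above: it triages a chain recorded by a sandbox fetch of a URL decoded from a QR code. The shortener watchlist, hop threshold, brand-domain set, finding names and sample chain are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: an illustrative shortener watchlist, a hop
# threshold, and the Turnstile script host as the challenge-page marker.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
MAX_REDIRECTS = 2
TURNSTILE_MARKER = "challenges.cloudflare.com/turnstile"


def host_of(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def on_brand(host, brand_domains):
    # Match the registered domain or a true subdomain only, so that
    # "login.microsoft.com.verify.example" does not pass as microsoft.com.
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def assess_chain(hops, brand_domains):
    """hops: ordered (url, response_body) pairs recorded by a sandbox fetch,
    starting at the URL decoded from the QR code. Returns sorted findings."""
    findings = set()
    hosts = [host_of(url) for url, _ in hops]
    if any(h in SHORTENER_HOSTS for h in hosts):
        findings.add("shortener_hop")
    if len(hops) - 1 > MAX_REDIRECTS:
        findings.add("multi_redirect")
    if any(urlsplit(url).scheme != "https" for url, _ in hops):
        findings.add("non_https_hop")
    if any(TURNSTILE_MARKER in body for _, body in hops):
        findings.add("challenge_gate")  # scanner may never see the real page
    if not on_brand(hosts[-1], brand_domains):
        findings.add("landing_off_brand")
    return sorted(findings)


# Constructed sample: chain behind a QR code in a Microsoft-branded PDF lure.
SAMPLE_CHAIN = [
    ("https://bit.ly/constructed1", ""),
    ("http://hop1.example/r?x=1", ""),
    ("https://hop2.example/go", '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>'),
    ("https://login.microsoft.com.verify.example/auth", "<form>"),
]
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com"}

if __name__ == "__main__":
    print(assess_chain(SAMPLE_CHAIN, MICROSOFT_DOMAINS))
```

A `challenge_gate` finding means the automated fetch may have stopped at the verification page, so the chain should be routed to interactive detonation rather than treated as clean.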
Related Incidents
- Swiss MeteoSwiss Coper Trojan Campaign (Nov 2024) – Physical letters with QR codes delivering Android banking malware.
- Microsoft & DocuSign PDF Quishing (2024–2025) – Embedded QR codes in fake document notifications targeting corporate staff.
- Tycoon2FA PhaaS Operations – Automated executive credential theft with MFA bypass via QR payloads.

