TL;DR: QR code phishing is now appearing in 17% of advanced attacks identified in an Abnormal study, and the vendor says its systems detect thousands of such attacks per week through behavioral signals and image parsing. The real issue is that static link and attachment controls assume the threat is visible in the payload, which QR delivery deliberately avoids.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- 17% of all advanced attacks identified in an Abnormal study utilized malicious QR codes.
Questions worth separating out
Q: How should security teams handle QR code phishing in email environments?
A: Security teams should inspect QR images, decode their destinations, and correlate that data with sender behaviour and message anomalies.
Q: Why do QR code attacks bypass many legacy email controls?
A: They bypass many legacy controls because those controls are built around visible URLs, file attachments, or text-based indicators.
Practitioner guidance
- Add QR decoding to email inspection workflows: Scan embedded QR images before user interaction and inspect the resolved destination with the same policy logic used for links and attachments.
- Correlate message anomalies with authentication risk: Feed sender reputation, message structure, and image-derived destination data into identity and email response workflows so suspicious QR delivery can be triaged before a login prompt is reached.
- Train users on scan-based lures: Update awareness content so users recognise that a QR code in an email can be a phishing path, especially when it pushes them to re-enter credentials or approve access.
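One way to wire the first two guidance items together, as an added example that is not code from the webinar or from Abnormal AI: image parts are decoded and their destinations pass through the same verdict function as body links. The `link_verdict` rule, the sample message, and the `.example` domains are constructed assumptions; the default decoder needs the third-party Pillow and pyzbar packages.

```python
import io
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def pyzbar_decoder(image_bytes):
    """Decode QR payloads from image bytes (third-party Pillow + pyzbar)."""
    from PIL import Image
    from pyzbar.pyzbar import decode
    return [r.data.decode("utf-8", "replace")
            for r in decode(Image.open(io.BytesIO(image_bytes)))]

def link_verdict(url, sender_domain):
    """Stand-in for the gateway's existing link policy (assumption)."""
    host = (urlsplit(url).hostname or "").lower()
    if sender_domain and (host == sender_domain
                          or host.endswith("." + sender_domain)):
        return "allow"
    return "review"  # destination is unrelated to the sending domain

def inspect_message(raw, qr_decoder=pyzbar_decoder):
    """Return (source, url, verdict) for body links and QR links alike."""
    msg = message_from_bytes(raw, policy=policy.default)
    frm = msg["From"]
    sender = frm.addresses[0].domain.lower() if frm and frm.addresses else ""
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            texts, source = qr_decoder(part.get_payload(decode=True) or b""), "qr"
        elif part.get_content_type() in ("text/plain", "text/html"):
            texts, source = [part.get_content()], "body"
        else:
            continue
        for text in texts:
            for url in URL_RE.findall(text):
                findings.append((source, url, link_verdict(url, sender)))
    return findings

def sample_message():
    """Constructed sample: a clean body link plus an attached image."""
    m = EmailMessage()
    m["From"] = "IT Support <helpdesk@corp.example>"
    m["To"] = "user@corp.example"
    m["Subject"] = "Action required: re-enroll MFA"
    m.set_content("Scan the code below. Policy: https://wiki.corp.example/mfa")
    m.add_attachment(b"CONSTRUCTED-QR-IMAGE", maintype="image",
                     subtype="png", filename="qr.png")
    return m.as_bytes()
```

Passing a different `qr_decoder` lets the same pipeline run with another decoding library or with a stub in tests.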
What to expect at the briefing
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- How the vendor's detection pipeline parses QR images and converts them into inspectable destinations
- Which behavioural signals are used to distinguish QR phishing from ordinary image-heavy email
- Examples of how thousands of weekly QR attacks are surfaced in practice
- The specific ways the webinar frames image-based detection alongside broader email security controls
👉 Watch Abnormal AI's webinar on stopping QR code phishing attacks →
QR code phishing attacks: are legacy controls keeping up?
Explore further
QR code phishing is an identity problem because it externalises the first trust decision. The message content is not the real threat surface; the scan-triggered destination is. That means email controls, browser controls, and identity controls each see only part of the chain unless they are linked by behavioural signals and destination analysis. Practitioners should treat QR delivery as a bypass path into authentication and session capture, not just a mail filtering issue.
A few things that frame the scale:
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control.
A question worth separating out:
Q: What should teams do when a QR code leads to a suspicious login flow?
A: Treat the event as an identity incident, not just a mail issue. Contain the user session, review the destination that was scanned, and check for credential reuse, consent abuse, or token exposure. The important response is to stop the trust transition before the attacker completes authentication.
👉 Read our full editorial: QR code phishing is exposing a behavioral detection gap