“Looks can be deceiving” is a lesson most of us learn the hard way. It’s the stunning wedding photos that feature bridezilla. Or, taking a big gulp of milk, only to discover it’s spoiled. You get the picture. Unfortunately, far too many companies are learning about malicious QR codes the hard way too.
What is a Malicious QR Code?
A QR code, which stands for Quick Response code, is a type of two-dimensional barcode that is read with the help of a camera on a smart device. It appears as a square grid of black and white modules that together encode a short string of data, most often a URL. Point a camera at it and the device reads out that string and acts on it.
Though QR codes have been around for years, their popularity skyrocketed during the pandemic. Today, companies use QR codes in a variety of ways, mainly to enhance customer engagement and streamline their operations. QR codes have become a familiar way of doing lots of things, like purchasing event tickets, accessing coupons, connecting to WiFi, opening a restaurant’s menu, entering a contest, or reviewing important company communications.
However, since a person cannot read what a code contains until it has been scanned, a QR code can conceal a harmful link as easily as a harmless one, which has made it an increasingly common tool for phishing scams.
Two Dangerous QR Phishing Scams We’ve Met Before
INKY was quick to discover this deceptively clever phishing technique back in 2023. You might recall our report on the malicious QR code scam that harvested employee credentials. These types of attacks typically involve emails that mimic internal company communications or impersonate reputable brands like Microsoft. Recipients are instructed to scan a QR code to resolve a non-existent problem. Instead, the QR codes direct users to counterfeit login pages that pre-fill personal data, making the deception more convincing. In some cases, the phishing emails embed the entire message as an image in order to bypass traditional email security systems that scan for textual threats.
INKY predicted that QR codes would soon become the weapon of choice for many phishers, and sadly, cybercrime did not disappoint. Months later, INKY unveiled another sophisticated malicious QR code tactic: rather than using an image file, attackers drew the QR code out of HTML table cells and Unicode block characters. The result looks like an ordinary QR code when the email is rendered, but there is no image for an image-focused email security filter to extract and decode. INKY detects this threat with computer vision techniques that analyze the rendered Document Object Model (DOM) of the email, so the QR code is recognized visually no matter which HTML elements it is built from. Upon detection, we assess the safety of the QR code's destination URL and, if it is deemed suspicious or harmful, we flag the email accordingly or quarantine it to protect users.
That brings us to the present.
Guarding Against a New and Significant QR Code Phishing Threat
Staying one step ahead of cybercriminals is a constant challenge because they are deceptive, intelligent, and relentless. Today we're shining a spotlight on a QR code capability that has the potential to wreak havoc on businesses of all sizes. Attackers can embed raw HTML and JavaScript directly into a QR code using a data URI. The building block itself is not new: a data URI lets a URL carry a document inline instead of pointing at a server, and browsers have supported it for years. What is new is delivering one through a QR code in a phishing email. Such a payload can execute entirely in the browser, with no link to click, which creates new challenges for detection and response. This marks a significant escalation in "quishing" tactics: the QR code no longer just takes the victim to a malicious site, it is the delivery vehicle for the malicious code itself.
A compelling demonstration of this concept is the open-source project Backdooms (https://github.com/Kuberwastaken/backdooms), which showcases how a fully playable game inspired by DOOM can be compressed and embedded entirely within a QR code. This project utilizes advanced compression techniques, including Zlib compression and base64 encoding, to fit the game's code into a scannable QR format.
While Backdooms is a creative and benign example, it underscores the potential for malicious actors to employ similar methods to deliver harmful payloads directly through QR codes.
Inside the Phish: How Embedded HTML/JavaScript QR Payloads Work
There are several things that make this type of phish so dangerous. Let's take a closer look.
Data URIs as a Delivery Mechanism
Instead of pointing to an external link, attackers encode the entire HTML/JavaScript payload inside the QR code as a data URI of the form data:text/html;base64,[base64-encoded-html-payload]
This sidesteps traditional link scanning because there is no host name to look up and no page to fetch: URL reputation checks, redirect following, and sandbox detonation all have nothing to act on, and no proxy log is ever written. The content is present in the email, but only a scanner that treats a data: string as a document to be decoded, rather than as a link to be resolved, will see it.
Example: data:text/html;base64,PCFET0NUW... (base64-encoded malicious HTML)
Once scanned, a browser that accepts the URI renders it as an ordinary HTML page and executes any embedded JavaScript.
Executable on Scan — No Click Required
Some QR scanning apps and native camera integrations will:
- Treat any string that starts with a URL scheme as a link, including a data: URI,
- Pass it to the system browser,
- Auto-render the content without additional user interaction.
When that happens:
- JavaScript executes immediately.
- DOM-based phishing, redirection, or data exfiltration can begin instantly.
- No internet connection is needed if the payload is self-contained.
How far this gets depends on the scanner and the browser. Some scanners display a data: string as plain text and ask before opening anything, and both Chrome and Firefox refuse top-level navigations to data: URLs that a web page initiates, though an open that the user initiates is treated differently, and behavior across scanner apps and in-app browsers varies. Treat those behaviors as luck, not as a control: a user with a permissive scanner app gets the payload.
JavaScript Payload Capabilities
Once executed, JavaScript in the payload can:
- Render fake login pages (credential harvesting)
- Log keystrokes using JavaScript event listeners
- Auto-submit forms to exfiltrate data
- Launch browser exploits if vulnerabilities exist
- Fingerprint the device and send metadata to a remote server (if a beacon is included)
Because this content never touches an external server when it first renders, web proxies, URL filters, and threat intel tools see nothing until a beacon or exfiltration request goes out, and a careful attacker delays that until the victim has already typed in credentials. One built-in limit is worth knowing when you assess an incident: a document loaded from a data: URI has an opaque origin, so its script cannot read the cookies, local storage, or session of any real site. What it can do is show a convincing page and send off whatever the victim types into it.
Obfuscation Techniques Commonly Used
Attackers often hide malicious behavior using:
- Base64 + atob() decoding
- String splitting, reversing, and rejoining
- Using indirect eval() or Function() constructors
- Compression (DEFLATE or gzip), unpacked in the browser with the native DecompressionStream API rather than a bundled library, since a library such as pako would not itself fit in a QR code
- Nested immediately-invoked functions and load-time event handlers to hide the entry point and defer the real work until the page has rendered
These techniques are designed to evade static detection and make reverse-engineering more difficult for analysts.
QR Code Size Limits and Compression
A QR code is small. The largest symbol (version 40), in the byte mode a base64 data URI requires, holds about:
- 2.9KB (2,953 bytes) at the lowest error-correction level, L
- 1.3KB (1,273 bytes) at the highest level, H
Base64 then costs another third, so a level-L code carries at most roughly 2.2KB of raw HTML. To work within this limit, attackers:
- Minify and strip whitespace from the HTML
- Compress first (e.g., DEFLATE) and base64-encode the compressed bytes, with a small in-browser stub to inflate them
- Offload large logic to a minimal bootloader that fetches remote code (e.g., via dynamic import). This last option gives back some of the advantage: the fetch is an ordinary URL again, with a host that proxies, DNS filtering, and threat intel can block.
Phishing Attachment vs. QR Code
To better demonstrate how a recipient might get hooked by this QR code phish, we’ve devised an INKY mock-up.
The first example is similar to what you might expect from a phishing email. It uses:
- personalization in the subject line
- brand impersonation (the INKY logo)
- a realistic disclosure to look more convincing
- an aptly named attachment
However, one might argue that it is not without its phishing clues.
- The full company logo was not used
- the subject line’s spacing is off
- the messaging is abrupt and not the best grammatically
This next example is similar in nature except it uses a QR code scam instead of an attachment. In it you’ll notice:
- brand impersonation
- a call to action
- personalization
- a more convincing set-up with an explanation and instructions
- an easily scannable QR code
The QR code decodes to the data URI below. There is no host name or link in it for a URL scanner to look up; the entire page travels inside the code. (The page in this mock-up is harmless: its script base64-decodes a string, which reads "This is a fake phishing attempt used for research only", and shows it in an alert box, with a decoy split-and-join line thrown in as a small sample of the obfuscation described above.)
data:text/html;base64,PCFET0NUWVBFIGh0bWw+CjxodG1sPgogIDxib2R5PgogICAgPHNjcmlwdD4KICAgICAgY29uc3QgYSA9ICJWR2hwY3lCcGN5QmhJR1poYTJVZ2NHaHBjMmhwYm1jZ1lYUjBaVzF3ZENCMWMyVmtJR1p2Y2lCeVpYTmxZWEpqYUNCdmJteDUiOwoKICAgICAgY29uc3QgZiA9IFsic3BsaXQiLCAicmV2ZXJzZSIsICJqb2luIl07CiAgICAgIGNvbnN0IHVudXNlZCA9IGF0b2IoYVtmWzBdXSgiIikubWFwKGMgPT4gYylbZlsyXV0oIiIpKTsKCiAgICAgIGNvbnN0IHBheWxvYWQgPSBhdG9iKGEpOwogICAgICBhbGVydChwYXlsb2FkKTsgIC8vIERpc3BsYXkgdGhlIGRlY29kZWQgbWVzc2FnZQogICAgPC9zY3JpcHQ+CiAgPC9ib2R5Pgo8L2h0bWw+
Best Practices: Guidance and Recommendations
Getting out in front of these sophisticated phish won’t be easy. However, there are a few things you can do to play it safe.
- Verify unexpected tasks through a separate communication channel
If an email asks you to scan a QR code to complete an urgent action (e.g., reset a password or confirm a transaction), verify the request directly with the sender using a known phone number, company portal, or chat tool, not by replying to the email.
- Avoid scanning QR codes from unknown or unsolicited sources
QR codes in phishing emails can lead directly to credential harvesting sites, initiate malware installation, or run malicious scripts without needing further interaction.
- Never enter login credentials or sensitive data after scanning a QR code unless you're sure the site is legitimate
Even if the page looks like Microsoft, Google, or your company's login portal, check the address bar carefully. A real sign-in page has a domain you recognize; if the address starts with data: instead, there is no site at all, and the page should be closed.
- Disable automatic browser opening in your QR code scanner app
If your scanner automatically opens links, you lose the ability to inspect them first. Use a scanner that displays the raw decoded string before opening it, and treat a long data:text/html string as a red flag in itself: a legitimate QR code points somewhere, it does not carry a whole web page.
- Be skeptical of urgency or threats in emails with QR codes
Phrases like “your account will be disabled,” “unauthorized login detected,” or “scan to prevent suspension” are red flags. Attackers rely on panic to bypass rational decision-making.
- Report suspicious emails that include QR codes to your security team
Early reporting can help your organization detect widespread campaigns and protect other users.
The Best Way to Fight Phish is with INKY
Catching complex phishing threats is not something you can do on your own. You need the help of a powerful email security platform. INKY's advanced detection methods, including GenAI, optical character recognition and AI-driven analysis, are effective in identifying and blocking threats, but that’s just part of what INKY has to offer – especially for MSPs.
INKY provides the most comprehensive malware and email phishing protection available. It scans every sent and delivered email automatically and flags malicious emails, protecting your organization and your customers from even the most complex threats, including QR code phish. Isn’t it time you learned more? Schedule your free demonstration today and find out what you and your customers have been missing.
________________________________
INKY is an award-winning, behavioral email security platform powered by artificial intelligence/Gen AI, machine learning, and computer vision. INKY blocks phishing threats, prevents data leaks, and coaches users to make smart decisions. Like a cybersecurity coach, INKY signals suspicious behaviors with interactive email banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems. Through powerful technology and intuitive user engagement, INKY keeps phishers out for good. Learn why so many companies trust the security of their email to INKY. Request an online demonstration today.