“Looks can be deceiving” is a lesson most of us learn the hard way. It’s the stunning wedding photos that feature bridezilla. Or, taking a big gulp of milk, only to discover it’s spoiled. You get the picture. Unfortunately, far too many companies are learning about malicious QR codes the hard way too.
A QR code (Quick Response code) is a type of two-dimensional barcode read by the camera on a smartphone or other smart device. It usually appears as a square grid of black and white modules whose overall pattern encodes data, most often a web address. Simply scan the QR code and you’re on your way.
Though QR codes have been around for years, their popularity skyrocketed during the pandemic. Today, companies use QR codes in a variety of ways, mainly to enhance customer engagement and streamline their operations. QR codes have become a familiar way of doing lots of things, like purchasing event tickets, accessing coupons, connecting to WiFi, opening a restaurant’s menu, entering a contest, or reviewing important company communications.
However, since the codes aren't readable by humans, they can conceal harmful links, making them an increasingly common tool for phishing scams.
INKY was quick to discover this deceptively clever phishing technique back in 2023. You might recall our report on the malicious QR code scam that harvested employee credentials. These types of attacks typically involve emails that mimic internal company communications or impersonate reputable brands like Microsoft. Readers are instructed to scan a QR code to resolve a non-existent problem. Instead, the QR codes direct users to counterfeit login pages that pre-fill personal data, making the deception more convincing. In some cases, the phishing emails embed the entire message as an image in order to bypass traditional email security systems that scan for textual threats.
INKY predicted that QR codes would soon become the weapon of choice for many phishers, and sadly, cybercrime did not disappoint. Months later, INKY unveiled another sophisticated malicious QR code tactic: rather than attaching an image file, attackers drew the QR code out of HTML table cells and Unicode characters. The result looks like an ordinary QR code when the email is rendered, but there is no image for standard email security filters, which focus on image-based threats, to analyze. INKY detects this variant with computer vision techniques applied to the rendered Document Object Model (DOM) of the email, which lets it recognize the QR code visually even when it is built from HTML elements. Upon detection, we decode the QR code, assess the safety of its destination URL, and, if it is deemed suspicious or harmful, flag or quarantine the email to protect users.
That brings us to the present.
Staying one step ahead of cybercriminals is a constant challenge because they are deceptive, intelligent, and relentless. Today we’re shining a spotlight on a QR code technique that has the potential to wreak havoc on businesses of all sizes. Attackers can embed raw HTML and JavaScript directly in a QR code by encoding a data URI in place of a web address. When the scanning app hands that string to a browser, the payload renders and runs entirely in the browser without visiting any website first, creating new challenges for detection and response. This marks a significant escalation in "quishing" tactics: the QR code no longer just sends the victim to a malicious site, it becomes the delivery vehicle for the malicious code itself.
A compelling demonstration of this concept is the open-source project Backdooms (https://github.com/Kuberwastaken/backdooms), which showcases how a fully playable game inspired by DOOM can be compressed and embedded entirely within a QR code. This project utilizes advanced compression techniques, including Zlib compression and base64 encoding, to fit the game's code into a scannable QR format.
While Backdooms is a creative and benign example, it underscores the potential for malicious actors to employ similar methods to deliver harmful payloads directly through QR codes.
There are several things that make this type of phish so dangerous. Let’s take a closer look.
Instead of pointing to an external link, attackers encode the entire HTML/JavaScript payload inside the QR code as a data URI, which carries the content inline in the form data:text/html;base64,[base64-encoded-html-payload]
This sidesteps traditional link scanning: there is no remote URL to fetch, sandbox, or check against a reputation feed, because the content travels inside the URI itself and is decoded and rendered by the browser.
Example: data:text/html;base64,PCFET0NUW... (base64-encoded malicious HTML; those leading characters are simply the start of <!DOCTYPE html> in base64)
If the scanning app passes the string to a browser, the browser renders it as an ordinary HTML document and executes any JavaScript it contains. Browsers give such a document an opaque origin, so the script cannot read another site’s cookies or storage, but it can still draw a convincing login form, collect whatever the victim types, and send it wherever the attacker chooses.
Most QR scanning apps or native camera integrations will:
That means:
Once executed, JavaScript in the payload can:
Because this content does not contact an external server until the script itself decides to, traditional web proxies, email filters, and threat intelligence lookups may have nothing to match on.
Attackers often hide malicious behavior using:
These techniques are designed to evade static detection and make reverse-engineering more difficult for analysts.
QR codes can only hold about:
To bypass this limit, attackers:
To better demonstrate how a recipient might get hooked by this QR code phish, we’ve devised an INKY mock-up.
The first example is similar to what you might expect from a phishing email. It uses:
However, one might argue that it is not without its phishing clues.
This next example is similar in nature except it uses a QR code scam instead of an attachment. In it you’ll notice:
The QR code decodes to a string that link-focused email security scanners would not recognize as a URL to check:
data:text/html;base64,PCFET0NUWVBFIGh0bWw+CjxodG1sPgogIDxib2R5PgogICAgPHNjcmlwdD4KICAgICAgY29uc3QgYSA9ICJWR2hwY3lCcGN5QmhJR1poYTJVZ2NHaHBjMmhwYm1jZ1lYUjBaVzF3ZENCMWMyVmtJR1p2Y2lCeVpYTmxZWEpqYUNCdmJteDUiOwoKICAgICAgY29uc3QgZiA9IFsic3BsaXQiLCAicmV2ZXJzZSIsICJqb2luIl07CiAgICAgIGNvbnN0IHVudXNlZCA9IGF0b2IoYVtmWzBdXSgiIikubWFwKGMgPT4gYylbZlsyXV0oIiIpKTsKCiAgICAgIGNvbnN0IHBheWxvYWQgPSBhdG9iKGEpOwogICAgICBhbGVydChwYXlsb2FkKTsgIC8vIERpc3BsYXkgdGhlIGRlY29kZWQgbWVzc2FnZQogICAgPC9zY3JpcHQ+CiAgPC9ib2R5Pgo8L2h0bWw+
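To make the data URI mechanics and the mock-up above concrete, here is an added example, written for this article and not INKY’s own code or detection logic. It builds a data: URI from a constructed HTML page the way the attacker side does, then parses and triages a decoded QR string the way a scanner-side or mail-side check could: it splits the data URI into media type, encoding flag and body, decodes the body, looks for active-content indicators, and decodes any base64 string literals nested inside the script (one layer of the obfuscation described earlier). The sample HTML, the indicator list, the media-type set and the verdict rules are all my own assumptions, not something the article specifies.

```python
"""Triage of a string decoded from a QR code.

Added example, not INKY's own code. The sample HTML below is constructed for
this illustration; the indicator list and verdict rules are assumptions.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes

# data:[<mediatype>][;param=value...][;base64],<body>   (RFC 2397 shape)
DATA_URI_RE = re.compile(r"^data:(?P<meta>[^,]*),(?P<body>.*)$", re.S | re.I)

# Lower-cased substrings whose presence in a decoded payload means the page
# is executable or interactive content, not a harmless note (assumed list).
ACTIVE_CONTENT = ("<script", "atob(", "eval(", "document.write", "location.href",
                  "fetch(", "xmlhttprequest", "<form", "<iframe")

# Quoted base64-looking literals of 40+ characters inside the payload: a
# second stage that only becomes readable after the script calls atob().
NESTED_B64_RE = re.compile(r'["\']([A-Za-z0-9+/]{40,}={0,2})["\']')

# Media types a browser will render as a document and run script in (assumed).
RENDERED_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


@dataclass
class Triage:
    is_data_uri: bool
    mediatype: str = ""
    is_base64: bool = False
    decoded: str = ""
    indicators: list = field(default_factory=list)
    nested_payloads: list = field(default_factory=list)


def make_html_data_uri(html: str) -> str:
    """What the attacker encodes into the QR code instead of a URL."""
    return "data:text/html;base64," + base64.b64encode(html.encode("utf-8")).decode("ascii")


def _b64decode_lenient(s: str) -> bytes:
    s = re.sub(r"\s+", "", s)                         # tolerate wrapped base64
    return base64.b64decode(s + "=" * (-len(s) % 4))  # repair missing padding


def triage_qr_string(text: str) -> Triage:
    """Parse a decoded QR string; non-data: strings go to normal URL checks."""
    m = DATA_URI_RE.match(text.strip())
    if not m:
        return Triage(is_data_uri=False)
    params = [p.strip() for p in m.group("meta").split(";")]
    mediatype = (params[0] or "text/plain").lower()   # RFC 2397 default type
    is_b64 = any(p.lower() == "base64" for p in params[1:])
    try:
        body = m.group("body")
        raw = _b64decode_lenient(body) if is_b64 else unquote_to_bytes(body)
    except (binascii.Error, ValueError):
        return Triage(True, mediatype, is_b64, indicators=["undecodable body"])
    decoded = raw.decode("utf-8", errors="replace")
    lower = decoded.lower()
    indicators = [k for k in ACTIVE_CONTENT if k in lower]
    nested = []
    for literal in NESTED_B64_RE.findall(decoded):    # peel one obfuscation layer
        try:
            nested.append(_b64decode_lenient(literal).decode("utf-8", errors="replace"))
        except binascii.Error:
            continue
    return Triage(True, mediatype, is_b64, decoded, indicators, nested)


def verdict(t: Triage) -> str:
    if not t.is_data_uri:
        return "not a data URI"           # hand off to ordinary URL reputation checks
    if t.mediatype in RENDERED_TYPES or t.indicators:
        return "block: active content in data URI"
    return "review"


# Constructed sample mirroring the structure of the mock-up: the visible source
# shows only a base64 blob; the real message appears only when atob() runs.
SAMPLE_HTML = """<!DOCTYPE html>
<html><body>
<script>
  const a = "VGhpcyBpcyBhIGZha2UgcGhpc2hpbmcgYXR0ZW1wdCB1c2VkIGZvciByZXNlYXJjaCBvbmx5";
  alert(atob(a));
</script>
</body></html>"""

if __name__ == "__main__":
    import sys
    qr = sys.argv[1] if len(sys.argv) > 1 else make_html_data_uri(SAMPLE_HTML)
    t = triage_qr_string(qr)
    print(verdict(t), t.mediatype, t.indicators, t.nested_payloads)
```

Run it with no arguments to triage the constructed sample, or paste the decoded string from the mock-up above as the first argument. The point of the nested-literal step is that a scanner which stops at "is this a known-bad URL?" sees nothing; only after decoding the data URI and then the string literal inside it does the actual message become visible. A real filter would also want to flag text/html data URIs regardless of what the body contains, which is why the verdict treats the media type alone as sufficient.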
Getting out in front of these sophisticated phish won’t be easy. However, there are a few things you can do to play it safe.
Verify unexpected tasks through a separate communication channel. If an email asks you to scan a QR code to complete an urgent action (e.g., reset a password or confirm a transaction), verify the request directly with the sender using a known phone number, company portal, or chat tool — not by replying to the email.
Avoid scanning QR codes from unknown or unsolicited sources
QR codes in phishing emails can lead directly to credential harvesting sites, initiate malware installation, or run malicious scripts without needing further interaction.
Even if the page looks like Microsoft, Google, or your company’s login portal, check the URL carefully
If your scanner automatically opens whatever it decodes, you lose the chance to inspect it first. Use a scanner that shows the raw decoded string before opening it, and treat anything that starts with data: rather than https:// as hostile: there is no domain to verify, and the page it opens is carried entirely inside the code.
Phrases like “your account will be disabled,” “unauthorized login detected,” or “scan to prevent suspension” are red flags. Attackers rely on panic to bypass rational decision-making.
Report suspected QR code phish promptly. Early reporting can help your organization detect widespread campaigns and protect other users.
Catching complex phishing threats is not something you can do on your own. You need the help of a powerful email security platform. INKY's advanced detection methods, including GenAI, optical character recognition and AI-driven analysis, are effective in identifying and blocking threats, but that’s just part of what INKY has to offer – especially for MSPs.
INKY provides the most comprehensive malware and email phishing protection available. It scans every sent and delivered email automatically and flags malicious emails, protecting your organization and your customers from even the most complex threats, including QR code phish. Isn’t it time you learned more? Schedule your free demonstration today and find out what you and your customers have been missing.
________________________________
INKY is an award-winning, behavioral email security platform powered by artificial intelligence/Gen AI, machine learning, and computer vision. INKY blocks phishing threats, prevents data leaks, and coaches users to make smart decisions. Like a cybersecurity coach, INKY signals suspicious behaviors with interactive email banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems. Through powerful technology and intuitive user engagement, INKY keeps phishers out for good. Learn why so many companies trust the security of their email to INKY. Request an online demonstration today.