Detecting QR Code Phishing with Email Security Overview QR code phishing (quishing) is a rapidly growing attack vector where malicious URLs are embedded in QR code images within phishing emails. Quishing incidents grew fivefold from 46,000 to 250,000 between August and November 2025, with credential phishing comprising 89.3% of detected incidents. Traditional email security filters struggle because QR codes cannot be read by humans or standard URL scanners, and when scanned, users typically use personal mobile devices that lack corporate security controls. Attackers have evolved to use split…

,\n r'bit\\.ly|tinyurl|t\\.co|is\\.gd|cutt\\.ly',\n]\n\n# Known phishing infrastructure patterns\nPHISHING_INFRA_PATTERNS = [\n r'\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}', # IP address URLs\n r'[a-z0-9]{20,}\\.web\\.app', # Firebase hosting abuse\n r'[a-z0-9]{20,}\\.netlify\\.app', # Netlify abuse\n r'[a-z0-9-]+\\.glitch\\.me', # Glitch abuse\n r'[a-z0-9-]+\\.workers\\.dev', # Cloudflare workers abuse\n]\n\n# Common quishing email indicators\nQUISHING_EMAIL_PATTERNS = [\n r'scan\\s+(this|the)\\s+qr\\s+code',\n r'scan\\s+to\\s+(verify|authenticate|confirm|access)',\n r'multi.?factor\\s+authentication',\n r'mfa\\s+(setup|enrollment|reset|update)',\n r'voicemail\\s+(notification|message)',\n r'document\\s+(sign|signing|review)',\n r'security\\s+update\\s+required',\n r'action\\s+required',\n]\n\n\ndef analyze_url(url: str) -> QRCodeFinding:\n \"\"\"Analyze a URL extracted from a QR code for phishing indicators.\"\"\"\n finding = QRCodeFinding(decoded_url=url)\n\n try:\n parsed = urlparse(url)\n finding.domain = parsed.netloc\n except Exception:\n finding.indicators.append(\"Could not parse URL\")\n finding.is_suspicious = True\n finding.risk_score = 50\n return finding\n\n score = 0\n\n # Check suspicious URL patterns\n url_lower = url.lower()\n for pattern in SUSPICIOUS_URL_PATTERNS:\n if re.search(pattern, url_lower):\n finding.indicators.append(f\"Suspicious URL pattern: {pattern}\")\n score += 15\n\n # Check phishing infrastructure patterns\n for pattern in PHISHING_INFRA_PATTERNS:\n if re.search(pattern, url_lower):\n finding.indicators.append(f\"Known phishing infrastructure pattern: {pattern}\")\n score += 25\n\n # Check for URL shorteners (hiding true destination)\n shorteners = ['bit.ly', 'tinyurl.com', 't.co', 'is.gd', 'cutt.ly',\n 'rebrand.ly', 'ow.ly', 'buff.ly']\n if finding.domain in shorteners:\n finding.indicators.append(f\"URL shortener detected: {finding.domain}\")\n score += 20\n\n # Check for IP address URL\n if re.match(r'^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}', finding.domain):\n finding.indicators.append(\"URL uses IP address instead of domain name\")\n score += 30\n\n # Check for excessive subdomains (common in phishing)\n subdomain_count = finding.domain.count('.')\n if subdomain_count > 3:\n finding.indicators.append(f\"Excessive subdomains ({subdomain_count})\")\n score += 15\n\n # Check for homoglyph characters in domain\n non_ascii = [c for c in finding.domain if ord(c) > 127]\n if non_ascii:\n finding.indicators.append(\"Non-ASCII characters in domain (possible homoglyph)\")\n score += 25\n\n # Check protocol\n if not url.startswith('https://'):\n finding.indicators.append(\"URL does not use HTTPS\")\n score += 10\n\n finding.risk_score = min(score, 100)\n finding.is_suspicious = score >= 30\n\n return finding\n\n\ndef scan_image_for_qr(image_path: str) -> list:\n \"\"\"Scan an image file for QR codes and extract URLs.\"\"\"\n findings = []\n\n if not HAS_PIL:\n print(\"Pillow not installed. Install with: pip install Pillow\", file=sys.stderr)\n return findings\n if not HAS_PYZBAR:\n print(\"pyzbar not installed. Install with: pip install pyzbar\", file=sys.stderr)\n return findings\n\n try:\n img = Image.open(image_path)\n decoded_objects = qr_decode(img)\n\n for obj in decoded_objects:\n data = obj.data.decode('utf-8', errors='replace')\n if data.startswith(('http://', 'https://', 'www.')):\n url = data if data.startswith('http') else f'https://{data}'\n finding = analyze_url(url)\n finding.source = image_path\n findings.append(finding)\n else:\n finding = QRCodeFinding(\n source=image_path,\n decoded_url=data,\n indicators=[\"QR code contains non-URL data\"],\n risk_score=10\n )\n findings.append(finding)\n\n except Exception as e:\n print(f\"Error scanning image: {e}\", file=sys.stderr)\n\n return findings\n\n\ndef scan_email_content(eml_content: str) -> QuishingAnalysis:\n \"\"\"Analyze email content for quishing indicators.\"\"\"\n analysis = QuishingAnalysis()\n body_lower = eml_content.lower()\n\n # Check for quishing email patterns\n for pattern in QUISHING_EMAIL_PATTERNS:\n if re.search(pattern, body_lower):\n analysis.email_indicators.append(f\"Quishing language pattern: {pattern}\")\n\n # Check for image-heavy email with minimal text\n text_content = re.sub(r'\u003c[^>]+>', '', eml_content)\n text_content = re.sub(r'\\s+', ' ', text_content).strip()\n has_images = bool(re.search(r'\u003cimg|Content-Type:\\s*image/', eml_content, re.IGNORECASE))\n text_words = len(text_content.split())\n\n if has_images and text_words \u003c 50:\n analysis.email_indicators.append(\n \"Image-heavy email with minimal text (common quishing pattern)\"\n )\n\n # Check for base64-encoded images\n b64_images = re.findall(\n r'Content-Type:\\s*image/\\w+.*?Content-Transfer-Encoding:\\s*base64\\s*\\n\\n([\\w+/=\\n]+)',\n eml_content, re.DOTALL | re.IGNORECASE\n )\n\n if b64_images and HAS_PIL and HAS_PYZBAR:\n for i, b64_data in enumerate(b64_images):\n try:\n clean_data = b64_data.replace('\\n', '')\n img_bytes = base64.b64decode(clean_data)\n import io\n img = Image.open(io.BytesIO(img_bytes))\n decoded = qr_decode(img)\n for obj in decoded:\n data = obj.data.decode('utf-8', errors='replace')\n if data.startswith(('http://', 'https://')):\n finding = analyze_url(data)\n finding.source = f\"embedded_image_{i}\"\n analysis.findings.append(finding)\n analysis.qr_codes_found += 1\n except Exception:\n continue\n\n # Calculate overall risk\n indicator_count = len(analysis.email_indicators)\n has_suspicious_qr = any(f.is_suspicious for f in analysis.findings)\n\n if has_suspicious_qr and indicator_count >= 2:\n analysis.overall_risk = \"critical\"\n analysis.recommended_action = \"BLOCK and alert SOC\"\n elif has_suspicious_qr or indicator_count >= 3:\n analysis.overall_risk = \"high\"\n analysis.recommended_action = \"QUARANTINE for manual review\"\n elif indicator_count >= 1:\n analysis.overall_risk = \"medium\"\n analysis.recommended_action = \"TAG with QR phishing warning banner\"\n else:\n analysis.overall_risk = \"low\"\n analysis.recommended_action = \"DELIVER normally\"\n\n return analysis\n\n\ndef format_report(analysis: QuishingAnalysis) -> str:\n \"\"\"Format analysis as readable report.\"\"\"\n lines = []\n lines.append(\"=\" * 60)\n lines.append(\" QR CODE PHISHING (QUISHING) ANALYSIS REPORT\")\n lines.append(\"=\" * 60)\n lines.append(f\" QR Codes Found: {analysis.qr_codes_found}\")\n lines.append(f\" Overall Risk: {analysis.overall_risk.upper()}\")\n lines.append(f\" Action: {analysis.recommended_action}\")\n\n if analysis.email_indicators:\n lines.append(f\"\\n [EMAIL INDICATORS] ({len(analysis.email_indicators)})\")\n for i, ind in enumerate(analysis.email_indicators, 1):\n lines.append(f\" {i}. {ind}\")\n\n if analysis.findings:\n lines.append(f\"\\n [QR CODE FINDINGS] ({len(analysis.findings)})\")\n for i, finding in enumerate(analysis.findings, 1):\n lines.append(f\" {i}. URL: {finding.decoded_url}\")\n lines.append(f\" Domain: {finding.domain}\")\n lines.append(f\" Risk Score: {finding.risk_score}/100\")\n lines.append(f\" Suspicious: {'YES' if finding.is_suspicious else 'No'}\")\n for ind in finding.indicators:\n lines.append(f\" - {ind}\")\n\n lines.append(\"=\" * 60)\n return \"\\n\".join(lines)\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"QR Code Phishing Detection\")\n subparsers = parser.add_subparsers(dest=\"command\")\n\n img_parser = subparsers.add_parser(\"scan-image\", help=\"Scan image for QR codes\")\n img_parser.add_argument(\"--image\", required=True)\n\n eml_parser = subparsers.add_parser(\"scan-email\", help=\"Scan email for quishing\")\n eml_parser.add_argument(\"--eml-file\", required=True)\n\n url_parser = subparsers.add_parser(\"check-url\", help=\"Check URL from QR code\")\n url_parser.add_argument(\"--url\", required=True)\n\n parser.add_argument(\"--json\", action=\"store_true\")\n args = parser.parse_args()\n\n if args.command == \"scan-image\":\n findings = scan_image_for_qr(args.image)\n analysis = QuishingAnalysis(\n source_file=args.image,\n qr_codes_found=len(findings),\n findings=findings\n )\n if args.json:\n print(json.dumps(asdict(analysis), indent=2))\n else:\n print(format_report(analysis))\n\n elif args.command == \"scan-email\":\n with open(args.eml_file, 'r', errors='replace') as f:\n content = f.read()\n analysis = scan_email_content(content)\n analysis.source_file = args.eml_file\n if args.json:\n print(json.dumps(asdict(analysis), indent=2))\n else:\n print(format_report(analysis))\n\n elif args.command == \"check-url\":\n finding = analyze_url(args.url)\n if args.json:\n print(json.dumps(asdict(finding), indent=2))\n else:\n print(f\"URL: {finding.decoded_url}\")\n print(f\"Domain: {finding.domain}\")\n print(f\"Risk Score: {finding.risk_score}/100\")\n print(f\"Suspicious: {'YES' if finding.is_suspicious else 'No'}\")\n for ind in finding.indicators:\n print(f\" - {ind}\")\n\n else:\n parser.print_help()\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; charset=utf-8","language":"python","size":11736,"content_sha256":"acb975da3b86e6e131f3674d728f6f6dd00d01eeb5d5fd5aa141ab95d856ac09"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Detecting QR Code Phishing with Email Security","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"QR code phishing (quishing) is a rapidly growing attack vector where malicious URLs are embedded in QR code images within phishing emails. Quishing incidents grew fivefold from 46,000 to 250,000 between August and November 2025, with credential phishing comprising 89.3% of detected incidents. Traditional email security filters struggle because QR codes cannot be read by humans or standard URL scanners, and when scanned, users typically use personal mobile devices that lack corporate security controls. Attackers have evolved to use split QR codes (two separate images), nested QR codes, and ASCII text-based QR codes to evade detection.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When investigating security incidents that require detecting qr code phishing with email security","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When building detection rules or threat hunting queries for this domain","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When SOC analysts need structured procedures for this analysis type","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When validating security monitoring coverage for related attack techniques","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Email security gateway with image analysis capabilities","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Understanding of QR code structure and encoding","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Mobile device management (MDM) or mobile threat defense solution","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Security awareness training program","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SIEM platform for correlation and alerting","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Key Concepts","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Why Quishing Works","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Bypasses URL Scanners","type":"text","marks":[{"type":"strong"}]},{"text":": Traditional gateways scan text-based URLs but cannot decode image-embedded URLs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Shifts to Unprotected Devices","type":"text","marks":[{"type":"strong"}]},{"text":": Corporate email arrives on secured systems but QR scan occurs on personal mobile devices","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"User Trust","type":"text","marks":[{"type":"strong"}]},{"text":": QR codes are normalized in daily life (payments, menus, parking)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Low Detection Rate","type":"text","marks":[{"type":"strong"}]},{"text":": Only 36% of quishing incidents are accurately identified by recipients","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Evasion Techniques (2025)","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Split QR Codes","type":"text","marks":[{"type":"strong"}]},{"text":": QR code divided into two separate images that look benign individually (Gabagool PhaaS kit)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Nested QR Codes","type":"text","marks":[{"type":"strong"}]},{"text":": QR code within a QR code, with first scan leading to intermediate page","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"ASCII QR Codes","type":"text","marks":[{"type":"strong"}]},{"text":": QR rendered as text characters instead of images, bypassing image analysis (12% of attacks in Jan 2026)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Styled/Artistic QR Codes","type":"text","marks":[{"type":"strong"}]},{"text":": Custom-designed QR codes with logos that evade pattern matching","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"PDF Attachment QR","type":"text","marks":[{"type":"strong"}]},{"text":": QR code embedded in PDF attachment rather than email body","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Detection Challenges","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Pattern-based detection faces trade-off: aggressive tuning causes false positives, cautious tuning causes misses","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Average similarity score of 0.209 between quishing and legitimate QR emails","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"QR codes in image attachments require OCR and deep image processing","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Workflow","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 1: Enable Image-Based Threat Detection","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure email gateway to scan embedded images for QR codes","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable OCR processing on image attachments (PNG, JPG, GIF, BMP)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Deploy multimodal AI that combines image processing, OCR, and NLP analysis","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure PDF scanning to detect QR codes within attachments","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Set up detection for ASCII/text-based QR code rendering","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 2: Configure QR Code URL Analysis","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Extract URLs from detected QR codes and submit to URL reputation services","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Apply same URL scanning policies to QR-extracted URLs as text-based URLs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable real-time sandbox analysis for QR-decoded destination pages","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure time-of-click protection for QR-extracted URLs where possible","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Block known phishing domains extracted from QR codes","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 3: Deploy Mobile-Side Protection","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Implement mobile threat defense (MTD) with QR code scanning capability","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Deploy Palo Alto ALFA or equivalent safe-by-design QR scanning","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure MDM policies to warn users before opening scanned URLs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable corporate VPN/secure browser for QR-scanned destinations","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Block known credential harvesting domains at the mobile proxy level","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 4: Build Detection Rules","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Alert on emails containing only an image and minimal text (common quishing pattern)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Flag emails with QR code images from external first-time senders","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Detect urgency language combined with QR code presence","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Alert on emails impersonating IT/security team requesting QR scan for MFA setup","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Monitor for common quishing themes: MFA reset, document signing, voicemail notification","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 5: Train Users on Quishing Recognition","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Update security awareness program to include QR code phishing scenarios","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Conduct quishing simulation campaigns using controlled QR codes","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Teach users to verify QR destination URLs before entering credentials","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Establish reporting process for suspicious QR code emails","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Distribute guidance on safe QR scanning practices","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Tools & Resources","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Barracuda Multimodal AI","type":"text","marks":[{"type":"strong"}]},{"text":": OCR + deep image processing for QR detection","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Palo Alto ALFA","type":"text","marks":[{"type":"strong"}]},{"text":": Safe-by-design QR code scanning assessment","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Microsoft Defender for O365","type":"text","marks":[{"type":"strong"}]},{"text":": QR code detection in email images","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Proofpoint TAP","type":"text","marks":[{"type":"strong"}]},{"text":": Image-based threat analysis with QR decoding","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Lookout/Zimperium","type":"text","marks":[{"type":"strong"}]},{"text":": Mobile threat defense with QR scanning","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Validation","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"QR code phishing emails detected in controlled testing","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Split QR code and ASCII QR code evasion techniques caught","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"QR-extracted URLs submitted to sandbox analysis","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Mobile devices alert on malicious QR destinations","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"User reporting rate for quishing simulations exceeds 50%","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"False positive rate for QR detection below 1%","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"detecting-qr-code-phishing-with-email-security","tags":["quishing","qr-code","phishing","email-security","image-analysis","ocr","mobile-security"],"author":"@skillopedia","domain":"cybersecurity","source":{"stars":13207,"repo_name":"anthropic-cybersecurity-skills","origin_url":"https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/detecting-qr-code-phishing-with-email-security/SKILL.md","repo_owner":"mukul975","body_sha256":"f9b6131de569b46dfd105646cfa6f1cf7437736c8e6cdcea826fdad6978404c4","cluster_key":"6d99a07e9ddf60656abd89f2b3167905442a920185dba0288d82013fb2ab8e54","clean_bundle":{"format":"clean-skill-bundle-v1","source":"mukul975/anthropic-cybersecurity-skills/skills/detecting-qr-code-phishing-with-email-security/SKILL.md","attachments":[{"id":"d9242911-0942-5621-83d6-39c08eb203ae","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/d9242911-0942-5621-83d6-39c08eb203ae/attachment.md","path":"assets/template.md","size":1502,"sha256":"d74e563126bed2b302d57d0ccece759e919e5af4a234ac0a9cec373f808fbfa6","contentType":"text/markdown; charset=utf-8"},{"id":"9a852845-6707-5921-a204-2dda9a2f61a0","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/9a852845-6707-5921-a204-2dda9a2f61a0/attachment.md","path":"references/api-reference.md","size":2445,"sha256":"6708b7e8e7c8d3473b656f06d304edf3dff34bf2729ce1da445ce1c1b104dfa1","contentType":"text/markdown; charset=utf-8"},{"id":"6d8c4d13-0f34-54d4-827a-19c6530c739f","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/6d8c4d13-0f34-54d4-827a-19c6530c739f/attachment.md","path":"references/standards.md","size":1668,"sha256":"7060388f3eb5c657c75e719da081c92f203cf1aadac4fe5eb06879e519774da7","contentType":"text/markdown; charset=utf-8"},{"id":"fd490798-05cb-51be-9c2e-211675613f54","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/fd490798-05cb-51be-9c2e-211675613f54/attachment.md","path":"references/workflows.md","size":2558,"sha256":"50a9fcdf5e9e3d1cf7f5e2cda86c9a64f948d134c6609347d7e3c68bc309ab4a","contentType":"text/markdown; charset=utf-8"},{"id":"54ba45f8-4a2e-5133-8561-f7ab4d5ced11","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/54ba45f8-4a2e-5133-8561-f7ab4d5ced11/attachment.py","path":"scripts/agent.py","size":6055,"sha256":"5e48944189fdceaecc6bf52ef848343a70867aa536805e7af2a07b7ef40e3716","contentType":"text/x-python; charset=utf-8"},{"id":"496fb9f0-1256-503d-8286-f88358714f23","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/496fb9f0-1256-503d-8286-f88358714f23/attachment.py","path":"scripts/process.py","size":11736,"sha256":"acb975da3b86e6e131f3674d728f6f6dd00d01eeb5d5fd5aa141ab95d856ac09","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"63752e77897de3f76fd0fbd985001c3c9b949e09604c56a3a22aed9c2715ff01","attachment_count":6,"text_attachments":6,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/detecting-qr-code-phishing-with-email-security/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"license":"Apache-2.0","version":"v1","category":"security","nist_csf":["PR.AT-01","DE.CM-09","RS.CO-02","DE.AE-02"],"subdomain":"phishing-defense","import_tag":"clean-skills-v1","description":"Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious URLs in QR code images within emails.","nist_ai_rmf":["MEASURE-2.8","MAP-5.1"],"atlas_techniques":["AML.T0052","AML.T0024","AML.T0035"]}},"renderedAt":1782981217698}

Detecting QR Code Phishing with Email Security Overview QR code phishing (quishing) is a rapidly growing attack vector where malicious URLs are embedded in QR code images within phishing emails. Quishing incidents grew fivefold from 46,000 to 250,000 between August and November 2025, with credential phishing comprising 89.3% of detected incidents. Traditional email security filters struggle because QR codes cannot be read by humans or standard URL scanners, and when scanned, users typically use personal mobile devices that lack corporate security controls. Attackers have evolved to use split…