QR Codes Are the Phishing Vector Your Security Team Is Not Watching: They Doubled in Q1 2026


Your email security gateway caught 8.3 billion phishing threats in Q1 2026. It almost certainly missed the fastest-growing one.

QR code phishing, known as “quishing,” more than doubled in Q1 2026, according to Microsoft’s Q1 2026 Email Threat Landscape Report released April 30, 2026. It is now the fastest-growing attack vector in email-based threat data. It bypasses your existing defenses by design: the email carries no URL text, only an image, and the destination is encoded inside the QR code. Legacy email scanners that analyze link reputation and URL patterns have nothing to analyze. The malicious destination stays invisible to automated scanning until the victim’s phone decodes it.

And that phone, in virtually every enterprise environment, has far weaker security controls than the corporate laptop sitting next to it.

This post explains how QR code phishing works in 2026, why it is so difficult to detect with standard tools, and what security teams can add to close the gap.

What Is QR Code Phishing (Quishing)?

Quishing is a phishing attack that uses QR codes instead of embedded hyperlinks as the delivery mechanism. Rather than including a malicious URL that email security gateways can inspect and block, the attacker embeds a QR code image in the email or physical medium. The code itself contains the malicious URL, but this URL is not readable by text-based email scanning tools.

The victim scans the QR code with their mobile device, which resolves the URL and delivers the phishing payload or credential harvesting page. Because mobile devices typically operate on personal or unmanaged networks (home Wi-Fi, cellular data) and lack enterprise-grade endpoint protection, the payload executes in an environment with significantly weaker security controls than the corporate perimeter.

During Q1 2026, a multi-stage campaign targeted 35,000 users across 26 countries using QR-linked payloads as the primary delivery mechanism.

Why QR Code Phishing Doubled in Q1 2026

The Email Security Bypass Architecture

The core reason quishing is growing is that it was engineered specifically to defeat email security gateways. Standard email security controls that fail against quishing include:

  • URL reputation scanning: No URL is present in the email body; the QR code is an image
  • Link rewriting and sandboxing: Cannot rewrite what does not appear as a link
  • Content analysis: The malicious destination is encoded in the image, not accessible to text analysis
  • Attachment scanning: A QR code image does not match malware signatures

The email that delivers a QR phishing payload can pass every standard email security check with a perfect score.
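To make the blind spot concrete, here is an added example (not code from the original post or from Peris.ai) that builds a constructed MFA-enrollment lure with an inline image and no hyperlink, shows what a URL-reputation scanner gets to see, and applies a QR-aware pre-delivery check. The image bytes are placeholder data rather than a real QR code; decoding the image (for example with the pyzbar library) would be the next stage once a message is held.

```python
import re
from email.message import EmailMessage

# Constructed sample lure (not a real message): MFA-upgrade pretext, no hyperlink, one
# image attachment. In a real quishing email the PNG would be a QR code; here it is
# placeholder bytes so the example runs offline.
def build_sample_message() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "IT Department <it-support@example.com>"
    msg["To"] = "finance.director@example.com"
    msg["Subject"] = "Action required: MFA upgrade enrollment"
    msg.set_content(
        "Our multi-factor authentication is being upgraded.\n"
        "Scan the QR code below with your phone to complete enrollment within 24 hours."
    )
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
                       maintype="image", subtype="png", filename="mfa.png")
    return msg

LURE_WORDS = ("scan", "qr", "mfa", "authentication", "enroll", "verify")
URL_RE = re.compile(r"https?://\S+", re.I)

def legacy_url_scan(msg: EmailMessage) -> list:
    """What a URL-reputation scanner sees: hyperlinks in the text/HTML parts only."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls += URL_RE.findall(part.get_content())
    return urls  # empty for a quishing lure, so there is nothing to score or rewrite

def quishing_risk(msg: EmailMessage) -> dict:
    """QR-aware pre-delivery check: image parts + lure wording + no visible link means
    the image should be decoded and its URL sandboxed before the mail is released."""
    images = [p for p in msg.walk() if p.get_content_maintype() == "image"]
    text = " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_type() == "text/plain").lower()
    lure_hits = [w for w in LURE_WORDS if w in text]
    hold = bool(images) and not legacy_url_scan(msg) and len(lure_hits) >= 2
    return {"image_parts": len(images), "lure_hits": lure_hits, "hold_for_qr_decode": hold}

if __name__ == "__main__":
    sample = build_sample_message()
    print("legacy scanner URLs:", legacy_url_scan(sample))
    print("QR-aware verdict:", quishing_risk(sample))
```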

CAPTCHA-Gated Payloads: A Secondary Evasion Layer

Microsoft’s Q1 2026 data documents a parallel evolution: CAPTCHA-gated phishing, which grew rapidly alongside quishing in Q1. After the victim scans the QR code and loads the phishing page, the page requires a CAPTCHA completion before displaying the credential harvesting form. This prevents automated security analysis tools from reaching the payload page, making sandbox-based detection ineffective.

The Mobile Device Security Gap

The QR scanning device is typically a personal smartphone. In most enterprise environments:

  • Personal smartphones are not enrolled in Mobile Device Management (MDM)
  • They operate on personal networks outside enterprise security monitoring
  • They lack the endpoint protection installed on corporate laptops
  • Browser-level phishing protections on mobile are less mature than on desktop

Physical Environment Expansion

Quishing is no longer confined to email. In 2026, QR codes are being deployed as attack vectors in physical environments:

  • Fake QR codes pasted over legitimate ones at parking payment stations
  • Malicious QR codes embedded in conference badge lanyards and event materials
  • Phishing QR codes placed on posters in office reception areas and public spaces
  • Fake package delivery notifications with QR codes sent via physical mail

The 2026 Quishing Threat Landscape: By the Numbers

Metric                                         2026 data point
QR phishing growth, Q1 2026                    More than doubled quarter-over-quarter
Total email phishing threats, Q1 2026          8.3 billion detected by Microsoft
BEC attacks total, Q1 2026                     10.7 million (January surge 24%, March surge 26%)
Multi-country campaign scale                   35,000 users targeted across 26 countries with QR payloads
Hyper-personalized AI phishing detection rate  Under 3% by standard security tools

How Peris.ai Defends Against Quishing Attacks

AI-Powered Phishing Response with BrahmaFusion

BrahmaFusion, Peris.ai’s agentic AI and hyperautomation platform, automates the response to phishing alerts including quishing incidents. When a user reports a QR phishing email or an anomalous mobile login is detected following QR code scanning, BrahmaFusion triggers a response playbook: the suspicious email is quarantined across all recipients, the session credentials are flagged for forced re-authentication, the QR code image is extracted and submitted for reputation analysis, and the SOC is notified with a fully enriched alert package.

Mobile and Endpoint Detection with XDR

Peris.ai’s XDR platform extends detection to cover mobile and endpoint behavior following QR code interactions. When a device accesses a newly registered domain immediately after a QR code was reported in the environment, or when credential entry is followed immediately by an anomalous login from an unusual location, XDR correlates these signals into a high-confidence alert.
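The two correlations described above, as an added example that is not Peris.ai’s XDR logic: constructed telemetry (a QR lure report, a visit to a days-old domain, a credential submission, then a login from an unfamiliar geography) is run through two rules with assumed time windows and an assumed per-user geography baseline.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). A colleague reports a QR lure at 08:02; the
# finance director's phone then hits a 2-day-old domain, submits credentials, and minutes
# later the account logs in from a geography the user has never used.
EVENTS = [
    {"ts": "2026-03-12T08:02:00", "type": "qr_phish_reported", "user": "a.analyst"},
    {"ts": "2026-03-12T08:05:00", "type": "web_access", "user": "f.director",
     "domain": "intranet.example", "domain_age_days": 3100},
    {"ts": "2026-03-12T08:09:30", "type": "web_access", "user": "f.director",
     "domain": "mfa-upgrade-portal.example", "domain_age_days": 2},
    {"ts": "2026-03-12T08:10:00", "type": "credential_submitted", "user": "f.director",
     "domain": "mfa-upgrade-portal.example"},
    {"ts": "2026-03-12T08:11:00", "type": "login", "user": "f.director", "geo": "ID"},
    {"ts": "2026-03-12T08:14:00", "type": "login", "user": "f.director", "geo": "RU"},
]
USUAL_GEO = {"f.director": {"ID"}}  # assumed baseline; in practice learned from login history

def _t(e):
    return datetime.fromisoformat(e["ts"])

def _within(later, earlier, window):
    return timedelta(0) <= _t(later) - _t(earlier) <= window

def correlate(events, usual_geo=USUAL_GEO, report_window=timedelta(minutes=30),
              login_window=timedelta(minutes=15), max_domain_age=7):
    """Return (rule, user, ts) alerts for the two quishing patterns described in the text."""
    ev = sorted(events, key=_t)
    reports = [e for e in ev if e["type"] == "qr_phish_reported"]
    cred_entries = [e for e in ev if e["type"] == "credential_submitted"]
    alerts = []
    for e in ev:
        # Rule 1: a young domain is visited shortly after any QR lure is reported in the environment.
        if (e["type"] == "web_access" and e.get("domain_age_days", 10**6) <= max_domain_age
                and any(_within(e, r, report_window) for r in reports)):
            alerts.append(("NEW_DOMAIN_AFTER_QR_REPORT", e["user"], e["ts"]))
        # Rule 2: a login from an unusual geography follows that same user's credential entry.
        if (e["type"] == "login" and e["geo"] not in usual_geo.get(e["user"], set())
                and any(c["user"] == e["user"] and _within(e, c, login_window) for c in cred_entries)):
            alerts.append(("ANOMALOUS_LOGIN_AFTER_CRED_ENTRY", e["user"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(*alert)
```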

Campaign Tracking with INDRA CTI

INDRA CTI, Peris.ai’s threat intelligence platform, tracks active quishing campaigns in real time: QR code infrastructure domains, campaign-specific payload patterns, and threat actor attribution for organized quishing operations.

Simulated Quishing Testing with Pandava

Pandava, Peris.ai’s penetration testing platform, includes simulated quishing attacks as part of social engineering assessment programs.

Real-World Scenario: A Quishing Attack Against a Finance Team

A finance director at a regional bank receives an email appearing to come from the bank’s IT department:

  • The email explains that multi-factor authentication is being upgraded and provides a QR code to complete enrollment
  • The email passes all email security gateway checks (no URL, no malware signature, trusted sender display name)
  • The finance director scans the QR code during a commute using their personal smartphone
  • The QR code resolves to a CAPTCHA-gated credential harvesting page mimicking the bank’s MFA portal
  • The finance director completes the CAPTCHA and enters their username, password, and MFA code
  • Attackers use the harvested credentials within 4 minutes to initiate a session on the corporate banking platform
  • $380,000 is transferred to an external account before the session triggers a behavioral alert

With Peris.ai: BrahmaFusion detects the anomalous login and forces re-authentication. INDRA CTI flags the destination domain as a known quishing campaign infrastructure. The transfer is blocked pending manual approval.

Quishing Defense Checklist

Control                             Why it helps
QR-aware email security             Detect and sandbox QR code images before delivery
Mobile Device Management            Extend endpoint security to devices used for QR scanning
Behavioral login anomaly detection  Catch credential misuse following successful quishing
Real-time campaign threat intel     Block known quishing domains before victims access them
Simulated quishing training         Build staff recognition before real attackers test them

Conclusion

QR code phishing doubled in Q1 2026 for the same reason any attack vector grows: it works. It bypasses email security gateways by design, exploits the security gap of unmanaged mobile devices, and is now expanding beyond email into physical environments.

Peris.ai’s combination of BrahmaFusion automated response, XDR behavioral detection, and INDRA CTI campaign intelligence gives security teams the multi-layer coverage needed to catch quishing attacks at the delivery, credential theft, and post-compromise stages.

Don’t wait for a breach to take action. Secure your organization today. Stay Secure with Peris.ai.

Frequently Asked Questions

What is QR code phishing (quishing)?

Quishing is a phishing attack that uses QR codes instead of embedded URLs to deliver malicious payloads. The QR code contains the malicious destination but appears as an image to email scanning tools, bypassing URL-based security checks.

How much did QR code phishing grow in 2026?

According to Microsoft’s Q1 2026 Email Threat Landscape Report, QR code phishing more than doubled in Q1 2026, making it the fastest-growing attack vector in email-based threat data for the quarter.

Why does quishing bypass email security gateways?

Email security gateways analyze text-based content, URLs, and file attachments. QR codes are images that contain no readable URL, so gateway tools have nothing to inspect or block.

What is CAPTCHA-gated phishing?

CAPTCHA-gated phishing places a CAPTCHA verification step between the victim and the credential harvesting page. This prevents automated security analysis tools from reaching the malicious payload, making sandbox-based detection ineffective.

How can organizations protect against quishing attacks?

Effective defenses include QR-aware email security, mobile device management, behavioral login anomaly detection, real-time threat intelligence to block known quishing domains, and simulated quishing exercises to train employees.
