Security researchers at Barracuda Networks have discovered two novel QR code phishing (quishing) techniques involving splitting malicious QR codes into two parts or embedding them into legitimate ones.
They detailed their findings in a new report, Threat Spotlight: Split and nested QR codes fuel new generation of ‘Quishing’ attacks, published on August 20.
QR Code Splitting Explained
The Barracuda researchers observed that operators of Gabagool, a phishing-as-a-service (PhaaS) kit, have recently started using a new technique to help malicious QR codes evade detection.
The technique involves splitting a QR code into two separate images and embedding them in a phishing email. When traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code.
To the recipient of the email, the QR code in the message looks complete and can be scanned to direct the user to a phishing page designed to steal their Microsoft login credentials. However, when looking at the visual in HTML, it comprises two different images.
Example of the use of the QR code splitting technique. Source: Barracuda Networks
“Barracuda threat analysts recently found Gabagool attackers implementing split QR codes in an attack that began as a standard fake Microsoft ‘password reset’ scam. The attackers’ use of highly tailored messages suggests they’d previously implemented a successful conversation hijacking attack against the target,” the report reads.
QR Code Nesting Explained
The researchers also found that the operators of another PhaaS, Tycoon, were using a different, equally unreported technique to help malicious QR codes evade detection.
In practice, the malicious QR code is embedded within or around a legitimate QR code.
In one instance observed by Barracuda, the outer QR code points to a malicious URL, while the inner QR code leads to Google.
Example of the use of the QR code nesting technique. Source: Barracuda Networks
“This technique can make it harder for scanners to detect the threat because the results are ambiguous,” wrote the Barracuda researchers.
Multimodal AI-Powered Email Protection to Defend Against Quishing
The Barracuda report concludes with key recommendations to defend against emerging quishing attacks, emphasizing a defense-in-depth approach to email security.
Beyond foundational measures like security awareness training, multifactor authentication (MFA) and advanced spam and malware filtering, the researchers argued that organizations should adopt multi-layered email protection powered by multimodal AI to counter fast-evolving threats.
This AI-driven approach strengthens detection by:
- Visually scanning attachment images to identify embedded QR codes
- Decoding QR payloads and analyzing linked URLs or malicious content
- Safely executing suspicious links in isolated sandbox environments to observe real-time malicious activity
- Leveraging machine learning to scrutinize QR code structures and pixel anomalies, even without extracting the embedded data
No tags.
