NEWS Phishing 2.0: Just Scan the Cute Little Square — and Say Goodbye to Access

ExcalibuR

Hackers have figured out how to bypass every protection at once.

Since late 2024, researchers at Unit 42 have observed a new wave of phishing attacks in which cybercriminals are increasingly relying on QR codes instead of traditional links. Rather than clicking a suspicious URL in an email, the victim is now prompted to scan a QR code — making the attack both less detectable by security systems and more convincing for the target.


The key to these new tactics is the use of redirects through legitimate websites. Malicious links are hidden behind redirection mechanisms of well-known platforms, including Google, which helps deceive both users and automated scanners. In some cases, the phishing target is carefully pre-selected — attackers use the recipient’s actual email address to enhance credibility and increase the chance of success.


The main difference from classic phishing is the shift of action to the victim’s personal device. The user receives an email disguised as a notification from DocuSign or Adobe Acrobat Sign and sees a QR code prompting them to scan it to sign a document. After scanning, they are taken to a fake login page styled to mimic services like SharePoint, Microsoft 365, or other familiar platforms — with their email address already pre-filled, requiring only the password.




Example of a phishing email (left) and fake Microsoft login page (right) – Palo Alto Unit 42



These phishing documents are often disguised as messages from HR departments, bonus notifications, salary updates, or other topics designed to draw attention. To make them more convincing, attackers use company logos, spoofed email addresses, and corporate-style formatting. Such emails can easily bypass corporate email protections because the actual interaction happens via a smartphone camera, not through a clickable link.


In addition to hiding behind legitimate services, cybercriminals have begun using user verification mechanisms. These systems discreetly confirm that the visitor is a real person and not a bot — without requiring captchas or puzzles. This allows the phishing site to bypass automated scanners, while guiding real users through a chain of redirects to the final malicious page.


Sometimes, if the system detects suspicious access, the victim is redirected not to the phishing page, but to a Google error page. This helps obscure the attack infrastructure and complicates analysis. The real phishing page may only be accessible under very specific conditions, such as using a pre-identified email address.


On these fake login pages, the victim sees their email already filled in, and the system rejects random usernames, displaying an error message. This indicates highly targeted attacks, prepared for specific individuals or companies.


QR-based phishing attacks are affecting a wide range of industries: healthcare, energy, education, automotive, and finance. Experts warn that these schemes are becoming increasingly sophisticated, demanding greater vigilance from users and more advanced strategies from security systems. Simply checking a link before clicking is no longer enough — the URL is hidden behind an image, and standard tools can’t detect it.
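For defenders, a static check on a URL once it has been decoded from a QR image in a message, covering the two traits described above: a redirect through another host and the recipient's address carried in the link. This is an added example, not code from Unit 42 or the original post. It assumes QR decoding happens upstream and that the address travels in the URL (plain or base64), which the post does not state; the hosts, parameter names and sample URL are constructed.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Assumption: parameter names often used by redirectors (not taken from the page).
REDIRECT_PARAMS = {"url", "u", "q", "redirect", "redirect_uri", "target", "dest"}
B64_TOKEN = re.compile(r"[A-Za-z0-9_+-]{12,}={0,2}")

def _b64_texts(s):
    """Yield UTF-8 text recovered from base64-looking tokens in s."""
    for tok in B64_TOKEN.findall(s):
        std = tok.replace("-", "+").replace("_", "/")
        try:
            yield base64.b64decode(std + "=" * (-len(std) % 4), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue

def analyze_qr_url(url, recipient, max_hops=5):
    """Statically unwrap redirect parameters; no network request is made."""
    findings, chain, rcpt = [], [url], recipient.lower()
    def note(tag):
        if tag not in findings:
            findings.append(tag)
    current = url
    for _ in range(max_hops):
        decoded = unquote(current)
        if rcpt in decoded.lower():
            note("recipient_in_url")
        elif any(rcpt in t.lower() for t in _b64_texts(decoded)):
            note("recipient_in_url_base64")
        parts = urlsplit(current)
        nxt = next((v for k, v in parse_qsl(parts.query)
                    if k.lower() in REDIRECT_PARAMS
                    and urlsplit(v).scheme in ("http", "https")
                    and urlsplit(v).hostname not in (None, parts.hostname)), None)
        if nxt is None:
            break
        note(f"redirect:{parts.hostname}->{urlsplit(nxt).hostname}")
        chain.append(nxt)
        current = nxt
    return findings, chain

# Constructed sample: hypothetical trusted redirector wrapping a landing page
# whose fragment carries the recipient address as base64.
RECIPIENT = "j.doe@corp.example"
_token = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
SAMPLE = "https://redirector.example/url?q=" + quote(
    f"https://login-portal.example/auth#{_token}", safe="")

if __name__ == "__main__":
    print(analyze_qr_url(SAMPLE, RECIPIENT))
```

Either finding on a URL that arrived as an image in an e-signature or HR-themed message is a reasonable signal to quarantine the message for review.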
 
