Defender for Office 365 and QR-code phishing

There is no way to tell with an human eye what those QR codes are, even in the picture above, there are two than can be read with your phone and no they are not malicious, try it for yourself.

Let’s dig a bit deeper.

What are QR-codes?

QR codes, short for Quick Response codes, are two-dimensional barcodes that can store a significant amount of information in a compact space. Here’s a deeper look at their technical aspects:


  • Modules: A QR code is composed of square black and white modules arranged in a grid on a white background. Each module represents one bit of data (0 or 1).
  • Function Patterns: Several special patterns are embedded within the QR code for proper functioning:
    • Finder Patterns: Three large squares located in the bottom left, top left, and top right corners help the scanner identify the code’s orientation and position.
    • Alignment Patterns: Smaller squares strategically placed within the grid assist with correcting any slight distortions during scanning.
    • Version Information: A dedicated area stores information about the QR code’s version (size and complexity) for error correction purposes.
    • Format Information: This area specifies the character set used for encoding (e.g., numeric, alphanumeric) and the error correction level applied.
  • Data and Error Correction Codes: The remaining area of the grid holds the actual data and additional error correction codewords. These codewords allow the scanner to reconstruct missing or corrupted data bits, ensuring reliable information retrieval.

Data Encoding:

QR codes can store various data types using different encoding modes:

  • Numeric Mode: Most efficient for storing numbers (0-9).
  • Alphanumeric Mode: Efficient for storing alphanumeric characters (uppercase and lowercase letters, numbers, and symbols like $%*+-.).
  • Byte Mode: Stores raw binary data (ideal for URLs or small images).
  • Kanji Mode: Primarily used in Japanese for storing Kanji characters.

Error Correction:

QR codes employ Reed-Solomon error correction, a powerful technique that adds redundant data to the code. This allows the scanner to detect and correct errors introduced during printing, transmission, or scanning, ensuring data integrity.


QR codes come in different versions (1-40) with increasing complexity (grid size and number of modules). Higher versions can store more data but require a larger scan area. The version information embedded in the code helps the scanner determine the appropriate decoding process.


  • High Data Capacity: Compared to traditional barcodes, QR codes offer significantly higher data storage capacity.
  • Error Correction: Error correction ensures reliable data retrieval even with slight damage or distortion.
  • Fast Readability: Modern scanners can decode QR codes quickly and accurately.
  • Versatility: QR codes can store various data types, making them suitable for diverse applications.

Users scan the code with their device’s camera, revealing the information.

How to create one easily?

Right-click on the page, this works with all Chromium-based browser, most familiar Edge and Chrome

Why they are dangerous?

User ActivitiesConsuming: Viewing menus, documents, etc. (Most common)
Sharing: Verifying information (boarding passes, tickets)
Generating: Less common (e.g., pairing devices)
Actions triggered:Open websites
Download apps
Join Wi-Fi networks
Verify information
Create contacts
Send messages
Dial phone numbers
Risks:Tracking by websites
Metadata collection
Financial data exposure
Malware infection
Phishing scams
Attack Vectors:Cloning: Fake codes redirecting to malicious sites.
Leveraging: Codes leading to phishing or malware sites.
Advertising: Malicious codes placed in public areas.
Quishing: Phishing emails using QR codes.
Scanner Apps: Third-party apps spreading malware.
Reducing Risks:Use private browsing mode
Verify website URLs before entering login information
Disable cookies and site data storage
Minimize information entered in online forms. Ask for privacy policies before scanning
Report suspected fraud.
Protecting Devices:Require permission before launching QR code actions
Close web browsers for suspicious sites
Enable automatic device updates.
Actions to Avoid:Automatic code execution
Scanning codes in public settings
Scanning codes under labels (verify with staff)
Scanning codes from unknown emails/texts
Using unknown QR scanner apps
Prioritizing convenience over security (typing URLs instead of scanning).

Quishing utilizes maliciously crafted QR codes that exploit a smartphone’s camera functionality. These codes, upon scanning, redirect users to phishing websites designed to steal credentials or deliver malware payloads through drive-by downloads or social engineering tactics.

QR code phishing is on the rise, targeting large groups within organizations with diverse goals:

  • Steal Logins: Attackers grab usernames, passwords, and session tokens to bypass security.
  • Spread Malware: Scanning the code infects your device with harmful software.
  • Steal Money: Fake payment gateways or bank sites trick you into giving up financial information.

Why It’s Scary:

  • Massive & Evolving: Attacks target many users and change tactics quickly.
  • Hard to Detect: QR codes hide in emails, making traditional security miss them.
  • Outside the Walls: Scans often happen on personal devices, lacking security controls.

Defender for Office 365 to the rescue?

It analyzes user behavior, email content, and login attempts to identify suspicious activity. Blocks attacks before they hit by spotting patterns across these signals.

Detection MethodDescriptionBenefits
Image DetectionIdentifies hidden QR codes within emails.Stops attackers from hiding malicious URLs in QR codes.
URL AnalysisExtracts URLs from QR codes and analyzes them for threats.Ensures embedded URLs are safe before users click on them.
Machine Learning AnalysisUses AI to assess URL risk.Provides advanced threat detection capabilities.
Reputation CheckCompares URLs against security databases.Identifies known phishing or malicious websites.
SandboxingTests suspicious URLs in a secure environment.Safely detonates potential threats before they reach users.
Threat Signals AnalysisAnalyzes various email signals beyond QR codes:Creates a comprehensive picture of email legitimacy.
Sender ReputationEvaluates sender trustworthiness.Identifies suspicious emails from unknown or risky senders.
Message Headers & Recipient DetailsExamines email structure and recipient information.Detects inconsistencies that might indicate phishing attempts.
Content FilteringAnalyzes email content for red flags.Identifies suspicious language or formatting used in phishing scams.
Relationship AnalysisIdentifies connections between email signals.Uncovers patterns that suggest phishing attempts.
Heuristics-Based RulesEmploys adaptable rules to block malicious emails quickly.Responds swiftly to evolving phishing tactics.

Real-World Impact

  • Millions of QR code phishing attempts blocked daily.
  • Over 18 million unique phishing emails with QR codes stopped weekly.
  • Over 96% of QR code phishing attempts thwarted in enterprise emails.

Defender for Office 365 offers a multi-layered defense system that effectively combats QR code phishing, safeguarding users from malicious attacks.

Security Exposure Management

See your recommendations from

And to limit it even more, use those filters

You can manage the actions directly from the recommendations page

And you direct link to Learn articles, easy as that!

If you are wondering what is Secure score compares to this, read more from Learn and it will be clear as sky.

And finally, to do some hunting, read this excellent, must read article from Steven Lim.

And what to do if you are affected by Quishing?


Businesses need to be aware of this growing threat. As the first security measure, you should train users to identify suspicious emails and avoid scanning untrusted QR codes.

Try it out yourself, it’s so easy to get fooled with QR-codes, eyes open and investigate them logs community members!

You still want to scan this QR code, don’t you? Go ahead, it’s still not malicious, I promise.

Author: Harri Jaakkonen