Recently, we've seen a lot of news about quishing, or QR code phishing. This is when the link behind a QR code is malicious, but the QR code itself is not. There was a report of a major U.S. energy firm targeted by a QR code phishing attack. Other reports have noted an uptick in these types of attacks.

We've seen some nascent email security providers write about how they were first to market with QR code phishing detection in the last few weeks.

Yet we at Avanan have been doing this since 2019. It's yet another example of us being ahead of the curve.

One of our partners, SEP2, wrote about a phishing attack that we stopped. Here's what it looked like:

[Image: DocuSign phishing attempt]


This email impersonated a DocuSign e-signature request. It asks the user to scan the QR code and get redirected to the website.

The built-in security tool missed this. But Avanan recognized the image as a QR code, decoded it, found that it linked to a URL shortening site as a further layer of obfuscation, and followed that link to a drive-by download of malware and a credential harvesting page.

[Image: URL sandbox]
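The step after decoding, as an added example that is not Avanan's code: given the string decoded from a QR image, it walks the redirect chain and records shortener hops, redirect loops and a final host that differs from the brand the email claims. The shortener list, the redirect table and all function names are constructed for illustration, and the lookup table stands in for fetching each hop from a sandbox.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: a tiny sample of shortener hosts; real deployments use a maintained list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
MAX_HOPS = 5

# Constructed redirect table standing in for HTTP responses (URL -> Location header).
SAMPLE_REDIRECTS = {
    "https://bit.ly/3xAmPle": "https://redirect.example.net/r?id=7",
    "https://redirect.example.net/r?id=7": "/login/docusign",
    "https://loop.example.org/a": "https://loop.example.org/b",
    "https://loop.example.org/b": "https://loop.example.org/a",
}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def triage_qr_payload(payload, claimed_domain, lookup=SAMPLE_REDIRECTS.get):
    """Follow the redirect chain behind a decoded QR payload and list findings."""
    url = payload.strip()
    # QR codes can carry Wi-Fi configs, vCards, etc.; only web links are followed.
    if urlsplit(url).scheme not in ("http", "https"):
        return {"chain": [], "final": None, "findings": ["non-http payload"]}
    findings, chain, seen = [], [], set()
    while url is not None:
        if url in seen:
            findings.append("redirect loop")
            break
        if len(chain) >= MAX_HOPS:
            findings.append("hop limit reached")
            break
        seen.add(url)
        chain.append(url)
        if host(url) in SHORTENERS:
            findings.append("url shortener: " + host(url))
        location = lookup(url)
        # Location may be relative, so resolve it against the current hop.
        url = urljoin(url, location) if location else None
    final = chain[-1]
    final_host = host(final)
    # Compare the landing host with the brand the email claims to come from.
    if final_host != claimed_domain and not final_host.endswith("." + claimed_domain):
        findings.append("final host does not match claimed sender: " + final_host)
    return {"chain": chain, "final": final, "findings": findings}
```
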

We've been at the forefront of email innovation since we started, and our ability to decode QR codes--malicious or otherwise--is yet another example of that.