CyberWire Daily - A QRazy clever scam. [Research Saturday]
Episode Date: April 25, 2026

This week, we are joined by Juliana Testa, Senior Security Engineer from 7AI, sharing their work on "Quish Splash - When the QR Code Is the Weapon: A Multi-Wave Phishing Campaign That Slipped Past Every Filter." A large-scale "quishing" campaign used QR codes embedded in image attachments to hide phishing URLs, allowing 28 out of 33 emails to bypass SPF, DKIM, DMARC, and Microsoft Defender and land directly in inboxes. Each recipient received a unique QR code and tracking ID, defeating traditional detection methods and enabling attackers to scale the campaign to over 1.6 million emails across multiple organizations while shifting execution to less-secure mobile devices. The attack was ultimately uncovered through AI-driven alerting combined with human analysis and threat hunting, highlighting a major blind spot in email security and the need for QR code inspection, mobile protections, and tighter auto-reply controls. The research and executive brief can be found here: Quish Splash - When the QR Code Is the Weapon: A Multi-Wave Phishing Campaign That Slipped Past Every Filter.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Quick question. Have you watched Project Hail Mary yet?
Humanity is facing an existential threat and racing to solve it with the clock ticking.
For security teams, that probably hits close to home with AI use, rapidly spreading.
Everyone's using AI, marketing, sales, engineering.
Chris the intern without security even knowing about it.
That's where Nudge Security comes in. Nudge finds shadow AI apps, integrations, and agents on day one and helps you enforce
policy without blocking productivity. Try it free at nudgesecurity.com slash cyberwire.
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is
our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
But there is something kind of weird about it.
It was a really large email file.
The attachment was exclusively a PDF, but it appeared to also have image content that the AI within our product was pointing out.
That's Juliana Testa, senior security engineer from 7AI.
The research we're discussing today is titled Quish Splash.
when the QR code is the weapon,
a multi-wave phishing campaign that slipped past every filter.
And so one of our MDR analysts actually brought this up to me,
was like, hey, I think, you know, something interesting is going on with this.
I think this is a true positive.
And I was like, okay.
So we start to dive deeper.
And what we actually find is as we start to query with the AI,
you know, our product is an AI agentic system that, you know,
can, one, do investigations independently,
also allow analysts to do further investigation.
So that's what we were doing.
And one of the interesting things that happened is the deeper we dug, the bigger the scale
this was, the more emails that this particular email address that we had recognized as a
true positive was sending.
And then we started actually looking at the raw EML.
And that's when we started to notice the embedded QR code.
We looked at the PDF.
This, again, was an embedded QR code in the PDF doc itself.
And that's when we started to notice, not only had this successfully gotten to folks' inboxes,
but it had also gotten by the existing URL scans from like a Microsoft Defender's standpoint.
Well, for folks who might not be familiar with the term, can you unpack what exactly quishing is?
Yeah, absolutely.
So the idea here is classical phishing being a method that attackers can use to try to do social engineering
in order to get users and victims to click on links.
That's typically how you would classically think of this.
Click on links, send information, some kind of call to action.
And QR code phishing, quishing, is similar.
However, instead of actually using a URL, which most security tools are really good at scanning for,
this is an image that's either embedded as part of the email, almost like a signature, or as an attachment,
and the QR code itself has an encoding of a URL,
but it's not visually accessible to most security scanning tools.
So that QR code, you scan it with your phone typically.
It takes you to a URL in a domain,
and that's kind of where the attack occurs.
It's able to either download software,
take you to a malicious domain,
and do other nefarious actions just using that encoded URL.
Well, let me highlight an aspect of that
and dig in a little bit with you.
And that's the role that mobile devices played in helping this campaign slip past most people's defenses.
Yeah, you're absolutely right.
That's one of the most powerful parts about quishing as a whole is typically when people scan QR codes,
they don't realize that they can scan it with their local device, with their laptop, for example,
where they've received the email.
But most people are very used to, let's say at restaurants, especially after COVID,
scanning a QR code on a table and going to the link that it directs you to.
So it's actually become a really natural process for people to be like,
oh, that's a QR code, that has a link.
Let me go ahead and scan it and see where it takes me.
And they'll do it on their personal devices,
which are no longer going to be under the detection and the security of their enterprise networks
with things like CrowdStrike or other EDR tools.
Now, these emails, they passed through a lot of checks.
I mean, things like SPF and DMARC and Defender.
How unusual is it for a campaign to be able to jump through those hoops?
So that was actually really surprising.
And upon first glance, I was like, oh, it's very interesting that it is able to get through that.
And it wasn't until we dug a little deeper that we understood why.
It's actually extremely unusual.
Typically, what you'll find is most phishing campaigns will fail at least one of those.
And if it doesn't fail at least one of those, it typically fails on the side of how old the domain is
in which they're sending emails from.
So in a classical campaign,
you'll see failures to security headers
like the ones that you mentioned.
And then the other thing that happens
is typically the domain that people are emailing from
will be registered within maybe the last month,
a few days.
And so that's always a red flag
for many security providers.
This is a very new domain.
We've never received emails from it before.
It's only about a week old.
That is a red flag.
In this particular case,
the attacker did something quite interesting.
They actually seem to have taken ownership of a domain that already existed.
And so they were able to benefit from both the security headers that had already been configured,
as well as the ownership of that domain and its history.
And so in a lot of ways, they were able to avoid classical traits of what would be considered phishing.
And at first we were like, maybe this is a false positive,
but the scale and the automated nature and the actual behavior we saw of the payloads
really is what pointed us towards: this is actually a full-scale campaign.
Well, let's dig into the scale and sophistication. That's really a noteworthy element here.
The research talks about over 1.6 million related emails that were sent elsewhere.
Yeah. So that number is really an interesting one. And the reason we noticed it is because
that number is an approximation. There's no guarantee of that number of emails. However,
every single email, every PDF and every QR code was enumerated.
Every single one that was sent, especially the ones that were sent in immediate succession,
were incremented by one.
And so it was almost used in two ways.
One, that unique ID made it so that the hashes of both the PDF and the QR codes were unique.
And so you couldn't rely on traditional hash blocking or exclusion.
In addition to that, the actual malicious actor would have been using those IDs as a way to
both uniquely identify a user that they emailed to keep track or potentially use it as a way
to count the number of emails being sent. And so what's interesting here is in between the first
and second waves that occurred, it appeared that almost 1.6 million emails may have been sent or
at least PDFs and QR codes generated between those two waves.
Well, speaking of waves, what does the fact that they were going out in waves say about their recovery
or their targeting strategy?
Yeah, so this one is really interesting.
The first wave actually included a series of managers,
and the second wave appeared to have included a series of their subordinates.
And so what was happening is this very fascinating trend of one,
the emails are getting through.
They're using what is publicly available potentially on things like LinkedIn
to understand hierarchy, maybe roles or groups.
And then on top of that, one of the most interesting parts is this almost creates
this false sense of history.
Now this domain is no longer new
while their superior has received
an email from this domain.
So this creates this really big
false sense of security.
We'll be right back.
Maybe that's an urgent message from your CEO,
or maybe it's a deep fake
trying to target your business.
Dopple is the AI native
social engineering defense platform
fighting back against impersonation
and manipulation. As attackers use AI to make their tactics more sophisticated, Dopple uses it to fight back.
From automatically dismantling cross-channel attacks to building team resilience and more.
Dopple, outpacing what's next in social engineering.
Learn more at doppel.com.
That's d-o-p-p-e-l.com.
Local news is in decline across Canada, and this is bad news for all of us.
With less local news, noise, rumors, and misinformation fill the void,
and it gets harder to separate truth from fiction.
That's why CBC News is putting more journalists in more places across Canada,
reporting on the ground from where you live,
telling the stories that matter to all of us,
because local news is big news.
Choose news, not noise.
CBC News.
Another detail that you point out is that the attackers seem to be learning from
auto-reply messages.
What kind of value does that sort of confirmation have to a threat actor?
Yeah, absolutely.
So sometimes sending emails can be like into the void, especially for a bad actor.
You know, we all joke about our emails at work.
You know, what is the format?
Is it your first last name, first initial, last name?
There's all these variations of what is classical in terms of email enumeration.
And so for an attacker to actually succeed and get an auto-reply,
that tells them two different things.
One is you've figured out what the format is that company uses for their email addresses,
and that's repeatable.
The second thing they figured out is this is a real user at this company that can receive
emails, and your email was successfully delivered to their inbox.
That second, or this last piece, that it successfully delivered to their inbox,
now that is important because it means you are getting past whatever security they have in
place for their emails, and it's even allowing an auto-reply.
You talk about using AI as part of the triage process here.
And I suppose that has to do with the scale of what you were trying to analyze.
Yeah.
So it's actually a little unique.
So as I mentioned earlier, the 7 AI product, the one that we support, is entirely AI driven
in several ways.
You know, AI is leading the investigation, running queries against, you know, a customer's SIEMs, store products, their enrichment products, and is really trying to do a full-scale investigation to help support analysts in their workload and help triage and give analysts priority.
And in this particular case, what happened was twofold.
One was that the AI did the initial investigation and correctly flagged it as something that was quite suspicious.
And then we have this feature in our product called Threat Hunt that
allows us to dive even deeper. And what we did is we basically told AI about what we were worried
about, told our existing agents what we were concerned about, and it was able to go forth and
run additional queries to do further identification of, you know, emails, users, click history,
anything that it could find related to these particular email addresses and PDF files. And so
this was really an interesting exercise in the scale in which security-driven AI can really help to detect these in a way that can be quite difficult for traditional SIEMs or EDR products, and go a step further as to allow for user interaction with your own consoles.
Do you suppose that there's still a misconception, or are people underestimating the potential of QR code phishing?
Oh, absolutely. I think that, you know, there are obviously going to be products out there. They're going to try to do the work of doing like a semantic or an image analysis of things like QR codes. But it takes a lot of effort to do that, to actually be able to check for the existence, one, of QR codes, but then also do the work to scan the image and understand what URL is encoded there. It's a multi-step process and most products aren't going to do that natively. And so it's really important to
both teach your employees and your organization about the risks of QR codes as a whole,
even in public, outside of the email world, seeing a QR code on a post randomly in the wild
is probably not something you should be scanning unless you're pretty confident that it's a venue
a menu for the restaurant you're at. So I think QR codes as a whole are quite dangerous because they feel
so plain.
Yeah, I seem to always run into them when I'm pumping gas at the gas station.
There's a QR code on the gas pump, and I resist the temptation because who knows who stuck it there or stuck their own QR code over top of the legit one.
Yeah, and it's kind of this funny thing of like security as a practice is teaching people to be skeptical.
It becomes really difficult when even the most mundane things, the things that we're used to being helpful, are also inherently suspicious.
For the defenders in our audience, what are the biggest take-homes you think they should take away from this research?
Yeah, I think the very first one is doing that due diligence and tracking of either user-reported phish.
I mean, the initial alert that we got was a user-reported phish, and tracking to see if that email is present in other places in their environment.
This type of campaign, had the team actually realized that not only was it one user
reporting this email, but that that email address had actually been sent much more widely,
that would have been a key red flag that they would have used to better understand the scale.
The other thing is at this point in time, education about QR codes.
I think that most products don't have the scale of support most people need related to QR codes,
and so it has to come down to education until the products can catch up.
In a lot of ways, QR codes still feel kind of how images may have felt,
or attached Excel files may have felt, when phishing really first came out.
And now we just need the tech to really catch up.
And I think there are products out there that are supporting this, but probably not in a very
classical sense.
We didn't see it in this case with Defender, but there might be other products out there that
can support it.
All right.
Well, Juliana, I think I have everything I need for our story here.
Is there anything I missed, anything I haven't asked you that you think it's important to
share?
I think the only other thing that I would note is the IOCs related to this particular incident were made public.
We did publish them to allow for users to create their own detection rules.
This particular campaign seems to have been quite large in terms of both the delivery and the scale of the attack.
And so I do want to caution other users for this particular attack, considering the fact that it did get past classic
Microsoft Defender, especially if you're using O365 as your primary email security platform.
In addition to that, the only thing I would add is that the QR codes themselves were completely
embedded. And so taking a look at email files for embedded images is another important step
towards security.
Our thanks to Juliana Testa from 7AI for joining us. The research is titled Quish Splash,
when the QR code is the weapon, a multi-wave phishing campaign that slipped past every filter.
We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K Cyberwire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to
cyberwire at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and
Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next time.
