North Korea turns QR codes into phishing weapons

"The emails themselves don't look especially sinister - a phony event invite here, a request for comment on a policy paper there - but scan the QR code and you're dumped into an attacker-controlled portal. From there, stolen logins are used to stay within the network and, in some cases, fire off more phishing emails from the victim's own account."
"Quishing is especially dangerous because it can bypass the security tools that defenders rely on. Tools like URL rewriting, sandbox analysis, and email filtering can't inspect a graphic QR code, and once the victim has scanned it on an unmanaged device, security teams may not notice until it is too late. The Feds are urging organizations to stop letting employees scan mystery QR codes and stop pretending phones don't count as endpoints by adding controls that can inspect QR links before users scan them."
Kimsuky operatives embed malicious URLs inside QR codes delivered in targeted spear-phishing emails, a technique called quishing. When a victim scans the code on a phone outside enterprise visibility, they are redirected to an attacker-run portal where credentials and session tokens are stolen and later reused to bypass multi-factor authentication. Campaigns in 2025 targeted think tanks, academic institutions, and US and foreign government organizations connected to North Korea policy. Stolen logins enable persistent access and allow attackers to send further phishing emails from compromised accounts. Quishing bypasses URL rewriting, sandbox analysis, and email filters because those tools cannot inspect a URL that exists only as a graphic QR code. Organizations are urged to stop employees from scanning unknown QR codes and to treat phones as managed endpoints, adding controls that inspect QR links before users scan them.
Read at Theregister