StrongestLayer Research Finds QR Code Phishing Is Evading Email Security

5x growth in successful "quishing" despite universal detection investment reveals an architectural blind spot that legacy email security cannot fix

SAN FRANCISCO, Feb. 11, 2026 /PRNewswire/ -- StrongestLayer today released a new threat intelligence report, From Nation-States to Amateur Hackers: Why QR Code Phishing Evades Email Security, analyzing approximately 200 advanced QR code phishing attacks that successfully bypassed Microsoft Defender E3/E5 and leading secure email gateways before being detected by StrongestLayer. The findings show that quishing is not growing because vendors failed to act — but because the attack exploits structural gaps that traditional detection architectures were never built to address.

Between August and November 2025, successful QR code phishing incidents grew fivefold — from 46,000 to 250,000 — according to Kaspersky Labs, even as every major vendor deployed new QR detection capabilities. In January 2026, the FBI warned that North Korean state-sponsored actors (Kimsuky / APT43) were actively using quishing against U.S. think tanks, academic institutions, and government entities, describing it as an "MFA-resilient identity intrusion vector."

"The industry spent billions to scan QR codes — and attackers still won," said Alan LeFort, CEO and co-founder, StrongestLayer. "This isn't a tuning problem. It's an architectural one. When an attack succeeds outside the security perimeter and is built to defeat pattern-matching mathematically, no amount of better signatures or more image scanning will solve it."

Key findings from the report include:

• Successful QR phishing incidents grew 5x in three months despite universal vendor investment
• 100% of analyzed attacks exploited the mobile scanning gap, executing credential theft outside all corporate security controls
• 68% of attacks used trusted infrastructure (AWS, Cloudflare, Google Cloud, Azure) in multi-stage redirect chains
• The average QR campaign showed 0.209 Jaccard similarity — far below the 0.30 threshold where pattern-matching breaks

Why detection architectures are failing

Modern quishing exploits a gap no vendor can eliminate: the malicious email arrives in a protected inbox, but the QR code executes on an unmanaged personal smartphone, loading credential harvesting pages in a personal browser outside all corporate controls. Every major vendor acknowledges this limitation in their own documentation.

Rather than linking directly to phishing pages, attackers chain trusted services — stacking 2–3 redirect techniques through AWS S3, Cloudflare Workers, and fake CAPTCHAs — making it nearly impossible for secure email gateways to reliably reach the final malicious destination. Meanwhile, 67% of malicious domains were registered within 30 days of use, with attackers typically launching only 2–3 attacks per unique domain before rotating. By the time one domain is blocklisted, dozens more are already in play.

Traditional phishing campaigns share 85–95% similarity, making signatures effective. QR phishing is fundamentally different. At 0.209 average similarity — and just 0.134 for targeted campaigns — pattern-based detection faces an unresolvable trade-off: tune aggressively and trigger catastrophic false positives, or tune cautiously and accept catastrophic miss rates. Mimecast's own guidance recommends a 90% detection threshold for QR analysis, effectively accepting a 10% miss rate, because higher sensitivity overwhelms analysts with false positives.

Emerging evasion techniques

The report documents attackers adapting faster than defenses. Twelve percent of January 2026 attacks used ASCII text-based QR codes rendered as text characters, bypassing image analysis entirely. Attackers are also weaponizing security language, mimicking OAuth and MFA terminology to lower user suspicion. StrongestLayer warns that as tools enabling OAuth device-flow abuse become mainstream, they will create attacks that destination-URL analysis cannot detect.

About StrongestLayer

Founded in 2024, StrongestLayer is pioneering LLM-native cybersecurity solutions designed for the AI era. The company's platform combines advanced threat detection with personalized human risk training to protect organizations against both traditional and AI-powered email attacks. Headquartered in San Francisco, StrongestLayer is backed by Sorenson Capital, Recall Capital, and leading cybersecurity industry veterans. Learn more at www.strongestlayer.com.

View original content:https://www.prnewswire.com/news-releases/strongestlayer-research-finds-qr-code-phishing-is-evading-email-security-302685231.html

SOURCE StrongestLayer