As if QR codes needed to get any weirder looking…
Threat actors, according to recent findings from cybersecurity company Barracuda Networks, are placing tricky QR-code variations into their phishing emails. The “nested” and “split” QR codes Barracuda shared in an August 20 blog post throw off email filters and link scanners, the company said.
“When traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code,” Associate Threat Analyst Rohit Suresh Kanase wrote in Barracuda’s August report.
QR here. QR-code phishing (also known by the way-stranger-to-say term quishing) has been a popular tactic among attackers. Unlike links or hyperlinked text that people can hover over and inspect to spot a malicious URL, QR codes hide their destination.
The URL hidden in a QR code can lead to a malware download or to a spoofed login page that harvests valid credentials. And because employees typically scan the code with a personal phone, the visit happens on a device outside corporate network and IT visibility.
The Anti-Phishing Working Group (APWG) observed 1,003,924 phishing attacks in Q1 2025, according to its most recent report. “This was the largest number since late 2023,” the Q1 snapshot said. Professional services and manufacturing were the industries most often targeted by malicious QR codes, according to the APWG.
Split happens. Barracuda observed phishing-as-a-service (PhaaS) kits offering a “split” QR code: two separate image files placed side by side in the message so that, on screen, they form one code. A recipient scanning the rendered code is still directed to the threat actor’s page. The malicious URL is encoded across both halves and is only recoverable when the two parts are reassembled and scanned by a phone, according to Merium Khalid, the director of SOC offensive security at Barracuda.
“Traditional detectors don’t combine or interpret partial QR images, and since no standalone URL exists in the email body or a single image, the scanners treat the content as safe,” Khalid wrote to us in a (malware-free) email.
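Khalid’s point, that a scanner looking at each MIME part in isolation never sees the whole symbol, suggests the missing step: combine adjacent inline images before decoding. The Python below is an added example written for this page, not Barracuda’s or IT Brew’s code. It parses a constructed phishing message, finds inline images that render with nothing visible between them, and stitches them into one canvas so a single decode pass sees the complete code. To stay dependency-free it uses ASCII PGM images as a stand-in for PNGs and stops short of the QR decode itself; the message, Content-IDs and pixel patterns are invented, and the hand-off to a decoder such as zbar or OpenCV is assumed rather than shown.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

Image = tuple[int, int, list[list[int]]]  # (width, height, pixel rows)

# Tags that keep two images on one visual line. Text or any other tag
# (<p>, <br>, <td>, ...) breaks adjacency; halves spread across neighbouring
# table cells are a known gap of this simple rule.
INLINE_WRAPPERS = {"a", "span", "b", "i", "strong", "em", "font"}


class AdjacentImageFinder(HTMLParser):
    """Collect runs of <img> srcs that render with nothing visible between them."""

    def __init__(self) -> None:
        super().__init__()
        self.runs: list[list[str]] = []
        self._run: list[str] = []

    def flush(self) -> None:
        if len(self._run) >= 2:          # a lone image is not a split candidate
            self.runs.append(self._run)
        self._run = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self._run.append(dict(attrs).get("src", ""))
        elif tag not in INLINE_WRAPPERS:
            self.flush()

    def handle_endtag(self, tag):
        if tag != "img" and tag not in INLINE_WRAPPERS:
            self.flush()

    def handle_data(self, data):
        if data.strip():                 # visible text separates the images
            self.flush()


def find_adjacent_image_runs(html: str) -> list[list[str]]:
    finder = AdjacentImageFinder()
    finder.feed(html)
    finder.close()
    finder.flush()                       # a run that ends at end of document
    return finder.runs


def parse_pgm(data: bytes) -> Image:
    """Parse an ASCII (P2) PGM; comments and arbitrary whitespace are allowed."""
    tokens = re.sub(rb"#[^\n]*", b"", data).decode("ascii").split()
    if not tokens or tokens[0] != "P2":
        raise ValueError("only ASCII P2 PGM is handled in this example")
    width, height = int(tokens[1]), int(tokens[2])   # tokens[3] is maxval
    pixels = [int(t) for t in tokens[4:4 + width * height]]
    if len(pixels) != width * height:
        raise ValueError("truncated PGM data")
    return width, height, [pixels[r * width:(r + 1) * width] for r in range(height)]


def stitch_horizontal(parts: list[Image]) -> Image:
    """Place images side by side, as a mail client renders adjacent <img> tags."""
    height = parts[0][1]
    if any(p[1] != height for p in parts):
        raise ValueError("fragments differ in height; not a clean horizontal split")
    rows = [sum((p[2][r] for p in parts), []) for r in range(height)]
    return sum(p[0] for p in parts), height, rows


def inline_images_by_cid(msg) -> dict[str, bytes]:
    """Map each inline image part's Content-ID (without <>) to its decoded bytes."""
    return {part["Content-ID"].strip().strip("<>"): part.get_payload(decode=True)
            for part in msg.walk()
            if part.get_content_maintype() == "image" and part.get("Content-ID")}


def reassemble_split_images(raw_email: str) -> list[tuple[list[str], Image]]:
    """For each run of adjacent cid: images, return (cids, stitched composite).

    A gateway would hand the composite to its QR decoder (not shown here); a
    run whose halves decode only once stitched is the split-QR signature.
    """
    msg = message_from_string(raw_email)
    images = inline_images_by_cid(msg)
    results = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "ascii")
        for run in find_adjacent_image_runs(html):
            cids = [src[4:] for src in run if src.lower().startswith("cid:")]
            if len(cids) >= 2 and all(c in images for c in cids):
                results.append((cids, stitch_horizontal([parse_pgm(images[c]) for c in cids])))
    return results


# Constructed sample (hypothetical lure): two 4x3 inline halves that only form
# the 8x3 pattern once rendered side by side. Real kits would use PNG halves.
SAMPLE_EMAIL = """\
Subject: Action required: re-enrol your authenticator
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b"

--b
Content-Type: text/html; charset="us-ascii"

<p>Scan the code below to keep access to your mailbox.</p>
<a href="#"><img src="cid:left@x" width="120"></a><img src="cid:right@x" width="120">
<p>IT Helpdesk</p>
--b
Content-Type: image/x-portable-graymap
Content-ID: <left@x>

P2
4 3
255
0 0 0 0
0 255 255 255
0 255 0 0
--b
Content-Type: image/x-portable-graymap
Content-ID: <right@x>

P2
4 3
255
0 0 0 0
255 255 255 0
0 0 255 0
--b--
"""
```

Calling `reassemble_split_images(SAMPLE_EMAIL)` returns one entry: the two Content-IDs and an 8-by-3 composite whose middle row is a continuous band that neither half contains on its own, which is the property a per-image scanner misses. In a gateway, each composite (and each original part) would be passed to the QR decoder, and a URL that appears only in the composite would be treated as the email's real link and run through the usual URL analysis.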
Barracuda’s post also pointed to a similar “nested” technique. The company highlighted how another PhaaS group placed two codes on top of each other—with one pointing to a malicious URL and another leading to Google. “This technique can make it harder for scanners to detect the threat because the results are ambiguous,” Kanase wrote.
The tactic reminds Aaron Walton, senior threat intelligence analyst at Expel, of “polyglot” malware: a file that is valid in more than one format, so it behaves differently depending on which parser opens it, and evades antimalware tools that rely on file-format identification. A polyglot file may display as an image in one application and run as a malicious script in the next.
Walton sees a larger impact from this “quirky and clever” attack, because of its connection to PhaaS platforms. “Here it’s not just one cybercriminal doing it, but it’s one criminal enabling a lot more to do the same thing. So, when they do find a successful tactic that can bypass some controls, now they’re enabling a lot of their customers to bypass those controls as well,” Walton told IT Brew.
Shane Cox, director of cyber fusion center and incident response at MorganFranklin Cyber, recommends technical safeguards like QR scanning tools that decode and preview content before launch, as well as email gateways that expand shortened URLs and analyze multistage redirects for malicious behavior.
Mobile device management policies, he wrote in an email to IT Brew, “can enforce that QR codes open only in managed browsers with safe browsing enabled, while digitally signing official organizational codes can help prevent tampering with split codes in physical spaces.”
“As organizations and individuals increasingly interact with QR-driven systems, these tactics represent a growing surface for credential theft, ransomware delivery, and fraudulent financial transactions,” he added.