QR code phishing has become the fastest-growing email attack technique in Q1 2026, according to Microsoft’s latest threat intelligence findings. From its latest threat intelligence report, Microsoft found that attackers are increasingly leveraging QR codes in phishing emails to bypass traditional security filters and redirect users to malicious websites.
The company recorded around 8.3 billion email-based phishing attempts, noting a sharp rise in QR code–based (“quishing”) attacks over the reporting period. These QR codes are often embedded within PDFs or directly placed in emails, making them harder for conventional detection systems to flag.
Microsoft says the tactic is particularly effective because users scanning QR codes often on mobile devices, may inadvertently bypass enterprise security controls. Overall, the report highlights QR code phishing as a fast-evolving technique used to evade detection and steal user credentials at scale.
Hackers are using a new QR code phishing scam that can target both individuals and entire organisations. Microsoft researchers warn that these attacks are rising quickly, with fraudsters using fake emails, PDFs, and CAPTCHA pages to steal login details.
According to Microsoft Defender Research, over 35,000 users across 13,000 organisations in 26 countries have already been targeted, mainly in the United States, though the scam can spread globally, including India.
Do not scan QR codes in emails unless you are sure of the sender
Be cautious of emails creating urgency, fear, or pressure
Always verify requests directly with the organisation or sender
Avoid logging in through links or QR codes in unsolicited messages
Use phishing-resistant MFA and updated security tools where possible
Report suspicious emails to your IT or security team immediately
Researchers warn that attackers use adversary-in-the-middle (AiTM) techniques to steal login sessions and authentication tokens in real time, which can bypass even multi-factor authentication (MFA). Microsoft notes that these scams are becoming harder to detect as criminals combine social engineering with convincing fake websites. Traditional spam filters may also fail because the emails often look authentic.