Attackers have been disguising phishing QR codes as split or nested images, targeting mobile device users to bypass desktop protection software.
Cybercriminals are continuously adapting their tactics, with QR code phishing — now known as “quishing” — growing more sophisticated in recent attacks targeting the digital perimeter of organizations.
The latest techniques, disclosed by one cybersecurity firm in August 2025, involve split- and nested- QR codes, which are designed to evade conventional security measures that typically scan emails and links for suspicious content.
Example of a nested malicious QR code — Source: Barracuda
The latest techniques, disclosed by one cybersecurity firm in August 2025, involve split- and nested- QR codes, which are designed to evade conventional security measures that typically scan emails and links for suspicious content.
Split QR codes are the newest innovation, where attackers divide a malicious QR code into two separate image files before embedding them in phishing emails. To traditional email security solutions, these images appear harmless and unrelated, avoiding detection by scanning systems that would usually identify a complete QR code. Once pieced together by recipients, either visually or via mobile devices, the now whole QR code redirects victims to impostor websites, often masquerading as legitimate services. Here, users are tricked into surrendering their credentials or other confidential information.
Next, nested QR codes present another formidable challenge. Here, a malicious QR code is wrapped within or placed next to a legitimate, benign QR code in the same image. The outer code could point to a fraudulent domain, while the inner code could lead to a genuine website — resulting in ambiguous outcomes for QR scanners. This layered approach complicates automated analysis by producing misleading results, helping attackers slip past increasingly sophisticated detection algorithms.
According to Saravan Mohankumar, Manager, Threat Analysis , Barracuda, the firm reporting this new variant of the cyber threat: “Since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection. Attackers will keep trying new techniques to stay one step ahead of adapting security measures.”
To counter these evolving threats, advanced email protection tools are incorporating AI-driven image analysis, decoding QR content, and sandboxing suspicious links for real-time monitoring and analysis. These systems also leverage machine learning to examine the structure and pixel patterns of QR codes, identifying risky designs without needing to read the underlying data.
