Quish Splash QR Code Phishing Campaign Hits 1.6 Million Users

QR codes have become a convenient bridge between physical and digital worlds, but their ease of use also makes them a prime weapon for cybercriminals. The Quish Splash campaign illustrates a sophisticated evolution: attackers packaged malicious URLs within BMP image attachments that contain QR codes, a format most email scanners ignore because they focus on textual content. By leveraging a well‑configured domain and passing SPF, DKIM, and DMARC checks, the phishing emails appeared legitimate, allowing them to infiltrate even the most hardened inboxes.

Beyond basic evasion, the threat actors employed several advanced tricks to stay ahead of defenses. Each recipient received a uniquely generated QR‑code image, thwarting hash‑based blocking that relies on identical file signatures. The campaign also used auto‑reply mechanisms to confirm active addresses, and the three‑wave timing—small test, large burst, and follow‑up—helped mask the massive volume of parallel attacks. These tactics demonstrate a shift from generic phishing links to highly tailored, image‑based payloads that can bypass conventional security layers.

For security teams, the Quish Splash incident underscores the urgent need to expand detection beyond text analysis. Deploying image‑inspection engines, enforcing strict mobile device management, and educating users about the risks of scanning unsolicited QR codes are critical steps. As attackers continue to blend social engineering with novel delivery methods, organizations must adopt a multi‑layered approach that includes behavioral analytics and real‑time threat intelligence to mitigate this emerging class of QR‑code phishing.