QR Codes in Security: Same Tool, Very Different Contexts

I was intrigued by a recent article in The Register describing how threat actors are using QR codes in phishing campaigns (“quishing”) to redirect users to malicious sites and steal credentials.

This got me thinking about a project where we recently recommended QR code-based authentication for a frontline workforce where passwords were a major usability issue. These users were on site, not highly technical, and frequent password errors were creating operational noise.


While both scenarios involve QR codes, the security models are fundamentally different:

  • Quishing attacks: Threat actors embed malicious QR codes in unsolicited emails or messages that redirect users to attacker-controlled credential-harvesting sites, often bypassing traditional email defenses.
  • QR code authentication in Microsoft Entra: A controlled, pre-enrolled MFA method, tied to the user and tenant. It doesn’t redirect to login pages, doesn’t collect credentials, and is issued and verified by the authentication system itself — effectively acting as a token within a managed trust boundary.

The takeaway isn’t to avoid QR-based methods because of headlines, but to apply them with the right context and controls:

  • Treat unsolicited QR codes in email or social channels as potential attack vectors.
  • Educate users to scan only trusted, system-generated QR codes.
  • Prefer managed authentication mechanisms where QR codes are server-generated and purpose-bound.
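To make the contrast between the two bullet lists concrete, here is an added example (not Microsoft Entra's implementation, and not code from the original post) of a minimal server-issued, purpose-bound QR token and the verifier-side checks that reject the quishing pattern: an external URL is refused outright, and only a self-issued, unexpired, single-use token for the expected tenant is accepted. The `auth:` prefix, the claim names and the in-memory key and registry are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed demo key; a real issuer keeps its signing key in a vault/HSM.
SERVER_KEY = secrets.token_bytes(32)
_issued: dict = {}  # token id -> claims; entries are consumed on first successful use


def _sign(body: str) -> str:
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_qr_token(user: str, tenant: str, now: float, ttl: int = 300) -> str:
    """Issuer side: claims bound to user, tenant and purpose, then HMAC-signed.
    The returned string is what would be encoded into the QR image."""
    claims = {"jti": secrets.token_hex(8), "sub": user, "tid": tenant,
              "purpose": "mfa-login", "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    _issued[claims["jti"]] = claims
    return f"auth:{body}.{_sign(body)}"


def verify_scanned_payload(payload: str, expected_tenant: str, now: float) -> Tuple[bool, str]:
    """Verifier side: accept only tokens this system issued, for this tenant and purpose,
    that are unexpired and have not been used before. Never follow a URL."""
    if urlparse(payload).scheme in ("http", "https"):
        return False, "payload is an external URL, not an auth token (quishing pattern)"
    if not payload.startswith("auth:") or "." not in payload:
        return False, "not a token issued by this system"
    body, sig = payload[len("auth:"):].rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("tid") != expected_tenant:
        return False, "tenant mismatch"
    if claims.get("purpose") != "mfa-login":
        return False, "purpose mismatch"
    if now > claims["exp"]:
        return False, "expired"
    if _issued.pop(claims["jti"], None) is None:
        return False, "replayed or unknown token"
    return True, f"authenticated {claims['sub']}"
```

The signature and single-use registry are what keep the token inside the managed trust boundary: a QR code that merely carries a link has neither.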

Security is nuanced — sometimes the same technology can be both a risk and a solution, depending on how it’s implemented.


Referenced article (The Register): “QR codes a powerful new phishing weapon in hands of Pyongyang cyberspies”