2026-03-20 | Cybersecurity Threat Landscape | Oracle-42 Intelligence Research
QR Code Phishing ("Quishing"): The Mobile Threat Vector Exploiting Human Trust and MFA Bypass
Executive Summary: QR code phishing—often dubbed "quishing"—has surged as a primary mobile threat vector in 2025, enabling adversaries to bypass multi-factor authentication (MFA) defenses through Adversary-in-the-Middle (AiTM) techniques. Unlike traditional phishing, quishing exploits the inherent trust in QR codes, directing users to malicious landing pages that harvest session tokens and credentials. This article examines the mechanics of AiTM-driven quishing, its integration with emerging phishing-as-a-service (PhaaS) ecosystems, and the technical mechanisms enabling MFA circumvention. With over a million PhaaS attacks observed in early 2025, quishing represents a rapidly evolving attack surface that demands immediate mitigation strategies.
Key Findings
Quishing leverages QR codes to deliver AiTM phishing lures, exploiting user familiarity and instant accessibility on mobile devices.
AiTM attacks bypass MFA by intercepting authentication tokens via malicious proxy servers positioned between the user and legitimate services.
Phishing-as-a-service platforms now include quishing modules, enabling low-skill adversaries to launch sophisticated campaigns at scale.
Mobile environments are particularly vulnerable due to QR code auto-open behaviors and limited visibility in browser-based security indicators.
Session cookie theft and token replay allow persistent account takeover even after password resets.
Understanding QR Code Phishing (Quishing)
QR code phishing, or "quishing," is a social engineering tactic where attackers embed malicious URLs or payloads within QR codes. When scanned using a mobile device, these codes redirect users to counterfeit login portals or malicious websites. Unlike traditional phishing emails, quishing bypasses text-based spam filters and leverages the visual immediacy of QR codes—often presented in physical spaces such as parking lots, office lobbies, or event signage.
In 2025, quishing has evolved into a high-efficacy vector due to the ubiquitous use of QR codes in consumer and enterprise workflows. The attack surface is amplified on mobile platforms, where QR scanning is natively supported and often auto-triggers browser navigation without user confirmation.
Adversary-in-the-Middle (AiTM) Phishing: The Engine Behind Quishing Success
AiTM phishing is a sophisticated technique wherein attackers position themselves between the user and the intended service (e.g., Microsoft 365, Google Workspace). By hosting a malicious proxy server, adversaries intercept HTTPS traffic, capture login credentials, and harvest session cookies—critical artifacts that bypass MFA when replayed in authenticated sessions.
The integration of AiTM with quishing is particularly effective because:
QR codes can be printed or displayed quickly, enabling attackers to deploy malicious infrastructure with minimal traceability.
Victims are redirected to lookalike login pages that closely mimic legitimate domains, increasing the likelihood of credential submission.
Once session cookies are stolen, attackers can maintain persistent access without triggering MFA prompts, even if the user resets their password.
This mechanism directly undermines organizations' MFA investments, as shown in recent campaigns where AiTM phishing led to high-profile breaches despite strong authentication policies.
Phishing-as-a-Service (PhaaS) and the Democratization of Quishing
Phishing-as-a-service platforms have evolved into full-spectrum cybercrime ecosystems, offering modular toolkits that include quishing templates, QR code generators, and AiTM proxy infrastructure. According to threat intelligence from March 2025, over one million PhaaS attacks were launched globally in the first two months of the year—a 300% increase over the same period in 2024.
These platforms provide:
Ready-to-deploy landing pages mimicking Microsoft, Google, and enterprise SSO portals.
QR code generation tools with dynamic URL shorteners to obfuscate malicious domains.
Automated token harvesting and session replay capabilities for seamless account takeover.
Affiliate models that allow low-skilled actors to monetize compromised accounts.
The commoditization of quishing has lowered the barrier to entry, enabling rapid scaling of attacks and increasing the diversity of targets across sectors.
Mobile Threat Vector: Why QR Codes Are Ideal for Attackers
Mobile devices are the primary attack surface for quishing due to several inherent weaknesses:
QR Code Auto-Opening: Many mobile operating systems automatically open URLs embedded in QR codes, often in the default browser without user confirmation.
Limited Screen Real Estate: Mobile browsers truncate URLs and obscure security indicators, making it difficult to detect spoofed domains (e.g., "login-secure[.]com" vs. "login.microsoft.com").
Trust Bias: Users associate QR codes with legitimate services (e.g., contactless payments, event tickets), reducing suspicion toward unexpected prompts.
Background Processing: Some mobile apps silently process QR codes in the background, enabling silent redirections or malicious payload execution.
These factors combine to create a low-friction path for credential harvesting and session hijacking, particularly in Bring-Your-Own-Device (BYOD) environments.
Technical Workflow of a Quishing AiTM Attack
A typical quishing AiTM attack unfolds in five stages:
Lure Deployment: Attackers print malicious QR codes on stickers, posters, or digital displays in high-traffic areas (e.g., near office entrances or public Wi-Fi hotspots).
Victim Scanning: Users scan the code with their mobile device, triggering an automatic redirect to a malicious landing page hosted on a phishing domain (e.g., "live-session[.]com").
Proxy Interception: The phishing domain runs a reverse proxy that sits between the user and the legitimate service (e.g., Microsoft 365 login portal), relaying the genuine login page to the victim so that the flow looks normal.
Credential & Token Theft: The user enters their credentials and completes the MFA challenge, which the proxy forwards to the real service; because MFA is satisfied against the legitimate service, it issues a session cookie, and the proxy captures both the credentials and that cookie in transit.
Account Takeover: The attacker imports the stolen session cookie into their browser, bypassing MFA and gaining full access to the user's account.
This workflow demonstrates how quishing bypasses both traditional phishing defenses and MFA controls, enabling persistent, undetected access.
Recommendations for Organizations and Users
To mitigate the rising threat of quishing and AiTM phishing, organizations and individuals must adopt a defense-in-depth strategy:
For Organizations
Implement QR Code Restrictions: Disable auto-open functionality for QR codes in corporate mobile device policies. Require manual confirmation, with the full URL displayed, before the decoded URL is opened.
Deploy Advanced Email & Web Security: Use AI-powered email security solutions that analyze QR code payloads and block malicious redirects. Integrate real-time URL reputation services.
Monitor for AiTM Traffic: Deploy network-level behavioral analytics to detect anomalous authentication flows (e.g., session tokens originating from unexpected geographic regions or devices).
Enforce Conditional Access Policies: Require step-up authentication for high-risk logins, especially from mobile devices or after unusual geographic jumps.
Educate Users on Quishing: Conduct simulated phishing drills that include QR code lures. Emphasize skepticism toward unsolicited QR codes in physical and digital environments.
Adopt Zero Trust Architecture: Assume breach conditions. Validate every access request, regardless of device or network origin, and implement continuous authentication mechanisms.
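One way to implement the "Monitor for AiTM Traffic" check above, written as added example code that is not part of the original article: it flags a session that was minted by an MFA login on one device class and country and then reused from another within a short window, which is what happens when the cookie captured at the proxy is imported into the attacker's browser. The JSON-lines log format, field names and sample events are constructed assumptions.

```python
"""Flag sessions reused from a different device class or country than the
MFA login that minted them (AiTM cookie-replay indicator). Added example;
log schema and events below are constructed, not a real product format."""
import json

# Constructed sign-in telemetry: alice completes MFA on a phone, then the
# same session id is used minutes later from a desktop in another country.
SAMPLE_LOG = """\
{"ts": 1000, "event": "login", "user": "alice", "session": "s-7f3a", "ip": "203.0.113.10", "country": "NL", "device": "mobile", "mfa": true}
{"ts": 1060, "event": "resource", "user": "alice", "session": "s-7f3a", "ip": "203.0.113.10", "country": "NL", "device": "mobile"}
{"ts": 1540, "event": "resource", "user": "alice", "session": "s-7f3a", "ip": "198.51.100.7", "country": "RU", "device": "desktop"}
{"ts": 2000, "event": "login", "user": "bob", "session": "s-11c2", "ip": "192.0.2.44", "country": "NL", "device": "desktop", "mfa": true}
{"ts": 2300, "event": "resource", "user": "bob", "session": "s-11c2", "ip": "192.0.2.44", "country": "NL", "device": "desktop"}
"""


def find_session_replays(log_text, window_seconds=3600):
    """Return one alert per event whose session is used from a different
    country or device class than its MFA login, within window_seconds.
    A bare IP change is deliberately not enough: phones hop between
    Wi-Fi and cellular, so IP alone would be noisy."""
    origin = {}   # session id -> the MFA login event that minted it
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev["session"]
        if ev["event"] == "login" and ev.get("mfa"):
            origin[sid] = ev
            continue
        first = origin.get(sid)
        if first is None:
            continue  # mint not observed; outside the scope of this check
        reasons = []
        if ev["country"] != first["country"]:
            reasons.append("country %s -> %s" % (first["country"], ev["country"]))
        if ev["device"] != first["device"]:
            reasons.append("device %s -> %s" % (first["device"], ev["device"]))
        if reasons and ev["ts"] - first["ts"] <= window_seconds:
            alerts.append({"user": ev["user"], "session": sid,
                           "ip": ev["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOG):
        print("possible AiTM session replay:", alert)
```

In production the device class and country would come from the identity provider's sign-in logs rather than a constructed file, and the alert would feed the step-up or session-revocation action described in the next recommendation.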
For End Users
Inspect QR Codes Before Scanning: Use a trusted QR scanner app that displays the full URL before opening. Avoid scanning codes from unknown sources.
Enable Browser Security Features: Use mobile browsers with URL preview and anti-phishing protections (e.g., Chrome's Safe Browsing, Firefox's Enhanced Tracking Protection).