QR code phishing has become one of the most rapidly growing forms of phishing, especially since QR codes gained popularity during the global pandemic. Recently, INKY has observed a new evolution of this tactic, where QR codes are constructed using HTML tables and Unicode characters. We've noticed this technique emerging over the past few months and have implemented protections against it. Now, we’d like to share how it works and how we defend against it.
We’ve encountered this technique before, particularly when attackers impersonate the Microsoft brand. Look at the table below; it closely resembles the Microsoft logo. Creating a logo using a table that closely mimics the standard Microsoft logo at a glance is an effective way to bypass detection platforms that don’t scan rendered images—unlike INKY, which employs Computer Vision (CV) checks. While it looks like a table when scanned by a machine, our CV checks reveal it as a brand impersonation of Microsoft.
Now, apply this concept to a QR code. QR codes are simply groups of black squares arranged in a way that allows users to scan them with a camera to navigate to a link. But what if you created a table of squares, filled in with black or white backgrounds, or even used the Unicode character █, to mimic a QR code?
While this technique might seem time-consuming, filling in the squares can be automated with simple scripting and then deployed at scale. Look at the examples below. The first image is the QR code without the table's grid lines—it looks exactly like a typical QR code but is incredibly difficult to detect because it’s not a standard image format. The second example reveals the grid lines, exposing the underlying technique.
INKY can detect this new technique in the same way we detect brand impersonations of Microsoft using tables—by analyzing the rendered DOM to see what the user sees. Although the email contains <table> or <pre> tags instead of an image in HTML, our Computer Vision checks recognize that the user is seeing a QR code. INKY then scans the QR code and assesses whether it's dangerous. Even if it’s not classified as dangerous, INKY will still use the Email Assistant Banner to warn users with a message like “Beware of unexpected QR codes from unknown senders.” If the QR code is deemed dangerous, we’ll mark the email as malicious and send it to the admin quarantine based on your delivery settings.
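A simpler structural check on the markup itself, given here as an added example; it is not INKY's code and does not use the Computer Vision approach described above. It covers the `<table>` form only, assumes one table cell per QR module, and treats a cell as dark when it has a black background or contains █; all names and the sample input are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: a dark module is a black cell background or a U+2588 block glyph.
DARK = re.compile(r"background(?:-color)?\s*:\s*(?:#000(?:000)?|black)\b", re.I)
FINDER = "1111111 1000001 1011101 1011101 1011101 1000001 1111111".split()  # 7x7

class GridExtractor(HTMLParser):
    """Turn each <table> into rows of '0'/'1' strings (nested tables not handled)."""
    def __init__(self):
        super().__init__()
        self.grids, self.rows = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table":
            self.rows = []
        elif tag == "tr" and self.rows is not None:
            self.rows.append("")
        elif tag in ("td", "th") and self.rows:
            css = "background:%s;%s" % (a.get("bgcolor") or "", a.get("style") or "")
            self.rows[-1] += "1" if DARK.search(css) else "0"
    def handle_data(self, data):
        if self.rows and self.rows[-1] and "\u2588" in data:
            self.rows[-1] = self.rows[-1][:-1] + "1"  # cell drawn with a block glyph
    def handle_endtag(self, tag):
        if tag == "table" and self.rows is not None:
            self.grids.append(self.rows)
            self.rows = None

def looks_like_qr(grid):
    """Square grid, valid QR side (21, 25, ...), finder pattern in three corners."""
    n = len(grid)
    if n < 21 or (n - 17) % 4 or any(len(row) != n for row in grid):
        return False
    corners = [(0, 0), (0, n - 7), (n - 7, 0)]
    return all(grid[r + i][c:c + 7] == FINDER[i] for r, c in corners for i in range(7))

def find_qr_like_grids(html):
    parser = GridExtractor()
    parser.feed(html)
    return [g for g in parser.grids if looks_like_qr(g)]

def constructed_sample(n=21):
    """Constructed input: three finder patterns only, not a decodable QR code."""
    top = [f + "0" * (n - 14) + f for f in FINDER]  # finder, gap, finder
    grid = top + ["0" * n] * (n - 14) + [f + "0" * (n - 7) for f in FINDER]
    rows = ("".join('<td bgcolor="#%s"></td>' % ("000000" if m == "1" else "ffffff") for m in row) for row in grid)
    return "<table>" + "".join("<tr>%s</tr>" % r for r in rows) + "</table>"
```

A hit from `find_qr_like_grids` only says the markup draws something shaped like a QR code; deciding whether its destination is dangerous still requires rendering and decoding it.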
To keep your clients safe from malicious QR codes, data breaches, ransomware, or any other type of phishing threat, you need to partner with an expert. INKY offers a complete AI-driven email security platform that is easy to deploy, simple to administer, and a profitable way to boost your own revenue.