06.01.2026
2 min
377
Cybersecurity researchers have identified a new phishing technique that allows attackers to bypass malicious QR code detection in emails. Instead of attaching images, threat actors generate QR codes directly in HTML using tables.
Researchers from the Internet Storm Center at the SANS Technology Institute discovered a phishing campaign where QR codes are rendered as HTML tables rather than image attachments. Each table cell represents a single QR code pixel, colored either black or white.
Between December 22 and December 26, a wave of phishing emails was observed containing minimal text and a QR code prompting recipients to “review and sign a document.” To users, the QR codes appear mostly normal, though slightly distorted in some cases.
Most modern email security solutions focus on scanning image attachments to detect QR codes. By embedding QR codes directly into HTML, attackers effectively bypass these controls, as no image file is present. While the technique itself is not new, its practical use in active phishing campaigns highlights how threat actors adapt to defensive assumptions.
This QR phishing method demonstrates that purely technical defenses are insufficient on their own. Attacks combining technical evasion with social engineering will remain effective unless users remain cautious when prompted to scan QR codes from unsolicited emails.
