SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Cyber criminals use split & nested QR codes to bypass security

Fri, 22nd Aug 2025

Barracuda threat analysts have reported two new techniques cyber criminals are using to bypass security and steal sensitive information from users by exploiting QR codes in phishing attacks.

The research details the increasing use of so-called 'Quishing' attacks, where QR codes embedded with malicious links are sent to unsuspecting recipients.

When scanned, these QR codes redirect users to fraudulent websites designed to harvest credentials or other sensitive data.

Split and nested codes

According to Barracuda's findings, attackers have started using two distinct tactics to help their malicious QR codes evade detection by traditional security solutions. The first method involves splitting a malicious QR code into two separate images and placing them very close together within an email so that, while users see what appears to be a single legitimate code, automated scanners interpret them as unrelated, harmless images.

This split technique has been found in use by phishing operators associated with the Gabagool phishing-as-a-service kit. In one instance, Gabagool attackers were sending phishing emails purporting to be Microsoft password reset requests, using the split QR code tactic. If recipients scanned the images as one code, they would be directed to a fraudulent website intended to steal their credentials.
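A defender-side sketch of why the split evades per-image scanning, and how a filter can counter it by checking adjacent images as one composite. This is an added example, not code from Barracuda or the article; the function names are hypothetical, the grids are constructed sample data, and it assumes each image has already been binarised into a grid of QR modules.

```python
# Added example. All grids here are constructed sample data (1 = dark module).
# Assumption: each email image was already binarised into a module grid.

# The 7x7 QR finder pattern: dark ring, light ring, dark 3x3 centre.
FINDER = [[1 if r in (0, 6) or c in (0, 6) or (2 <= r <= 4 and 2 <= c <= 4) else 0
           for c in range(7)] for r in range(7)]

def count_finders(grid):
    """Count exact finder patterns in a module grid."""
    rows = len(grid)
    cols = len(grid[0]) if grid else 0
    return sum(
        all(grid[r + i][c:c + 7] == FINDER[i] for i in range(7))
        for r in range(rows - 6) for c in range(cols - 6)
    )

def stitch(left, right):
    """Join two equal-height grids side by side, as the mail client renders them."""
    return [l + r for l, r in zip(left, right)]

def flag_split_qr(images):
    """images: (name, grid) pairs in render order. Return adjacent pairs that
    only form a full three-finder QR symbol once stitched together."""
    flagged = []
    for (n1, g1), (n2, g2) in zip(images, images[1:]):
        if len(g1) != len(g2):
            continue
        if max(count_finders(g1), count_finders(g2)) < 3 and count_finders(stitch(g1, g2)) >= 3:
            flagged.append((n1, n2))
    return flagged

def sample_symbol(size=21):
    """Constructed stand-in for a QR symbol: finder patterns only, no payload."""
    grid = [[0] * size for _ in range(size)]
    for top, left in ((0, 0), (0, size - 7), (size - 7, 0)):
        for i in range(7):
            grid[top + i][left:left + 7] = FINDER[i]
    return grid

def split_columns(grid, at):
    """Cut a grid into left and right halves at column `at`."""
    return [row[:at] for row in grid], [row[at:] for row in grid]

if __name__ == "__main__":
    left, right = split_columns(sample_symbol(), 10)
    print(count_finders(left), count_finders(right))
    print(flag_split_qr([("img1.png", left), ("img2.png", right)]))
```

A production filter would work on rendered pixels rather than exact module grids, but the same rule applies: scan the composite of neighbouring images, not only each image alone.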

The second approach, called 'nesting', has been observed in activity tied to the Tycoon phishing-as-a-service kit. Here, attackers wrap a malicious QR code around a legitimate one. In documented examples, the legitimate inner code linked to Google, while the malicious outer code redirected the victim to a harmful site. Security scanners are challenged by this structure as the mixed signals from the two codes create ambiguity about the threat.

Challenges for traditional security

The appeal of malicious QR codes for attackers comes from their apparent legitimacy and their ability to bypass conventional digital security checks. Because scanning a QR code typically requires a mobile device rather than a protected corporate desktop environment, users may be taken outside their company's normal security perimeter. As a result, standard email filters and link scanners often fail to detect the threat.

"Malicious QR codes are popular with attackers because they look legitimate and can bypass traditional security measures such as email filters and link scanners," said Saravan Mohankumar, Manager, Threat Analysis team at Barracuda. "Since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection. Attackers will keep trying new techniques to stay one step ahead of adapting security measures. It's an area where integrated, AI-powered protection can really make a difference."

Trends in phishing-as-a-service

The split and nested QR code tactics were uncovered in attacks using the Tycoon and Gabagool phishing kits, which are commercial phishing platforms available to cyber criminals. These kits allow criminals to industrialise and distribute sophisticated phishing tools at scale, expanding the reach and diversity of attacks targeting both businesses and individuals.

Barracuda's report highlights that as these phishing services become more advanced, so do their methods for bypassing security.

The ongoing activity underscores the adaptability of threat actors and the need for continuous evolution in cyber defence measures.

Security recommendations

The analysts emphasise the importance of core cyber hygiene measures such as regular security awareness training, enabling multifactor authentication, and deploying robust email and spam filters to counter the latest wave of 'Quishing' attacks.

In addition, they recommend organisations consider more sophisticated, multi-layered email protection that applies multimodal artificial intelligence. This technology is able to identify, decode, and inspect QR codes in emails without first extracting their content, improving detection rates for new and emerging tactics.

Barracuda suggests that as attackers refine their approaches, cyber defences must also incorporate adaptable and intelligent systems that can detect and neutralise threats before users are exposed to risk.
