Quishing Attack

I've been watching the security space for years, and just when you think you've seen it all, the game changes.

The FBI dropped a bomb this week: North Korean state hackers (specifically the "Kimsuky" group) are eating enterprise security for breakfast. And they aren't using zero-days or complex exploits.

They're using QR codes.

The Blind Spot

We spend millions on email filters, sandboxes, and endpoint protection. If a malicious link hits your corporate inbox, your systems probably catch it.

But what happens when that link is inside a PNG?

Your expensive security stack looks at a QR code and sees... nothing. It's just pixels.

How They Get You

It's embarrassingly simple, and that's why it works.

The Hook: You get an email. Maybe it's a "policy update" or a "conference invite." It looks boring. It looks reliable.
The Bypass: There's no link to click. Just a QR code. "Scan to view document."
The Device Gap: You pull out your personal phone. You scan it. Now you're off the corporate network, on an unmanaged device, looking at a pixel-perfect replica of Microsoft 365 or Okta.
The Kill: You type your password. You maybe even enter your MFA code. Game over. They relay that session token instantly. They're in.

Who Are They Targeting?

Founders, listen up. They aren't just going after the Pentagon.

They are targeting:

Think Tanks & Academics: People with ideas, not big IT budgets.
Crypto & Web3: If you hold keys, you are a target.
Government Contractors: The backdoor into the big agencies.

Why I'm Worried

This isn't just about stolen passwords. It's about how fragile our "secure" world actually is.

We built fortresses around our laptops but left the back gate open for our phones.

We trust the square barcode because it's convenient. We scan menus, we scan parking apps, we scan flight tickets. We've been trained to trust the square.

What You Need To Do

Stop Scanning Random Codes: Treat a QR code like a random USB drive found in a parking lot.
Use FIDO2 / Passkeys: Phishable credentials (passwords + OTPs) are dead. If you aren't using hardware keys (YubiKey) or Passkeys, you are low-hanging fruit.
Wake Up: Your personal phone is now a corporate endpoint. Treat it like one.

The weakest link in your fancy security chain isn't your firewall. It's the camera in your pocket.

Don't be the reason your company gets wrecked.

How They Get You

It's embarrassingly simple, and that's why it works.

The Hook: You get an email. Maybe it's a "policy update" or a "conference invite." It looks boring. It looks reliable.

The Bypass: There's no link to click. Just a QR code. "Scan to view document."

The Device Gap: You pull out your personal phone. You scan it. Now you're off the corporate network, on an unmanaged device, looking at a pixel-perfect replica of Microsoft 365 or Okta.

The Kill: You type your password. You maybe even enter your MFA code. Game over. They relay that session token instantly. They're in.

Why I'm Worried

This isn't just about stolen passwords. It's about how fragile our "secure" world actually is.

We built fortresses around our laptops but left the back gate open for our phones.

We trust the square barcode because it's convenient. We scan menus, we scan parking apps, we scan flight tickets. We've been trained to trust the square.

What You Need To Do

Stop Scanning Random Codes: Treat a QR code like a random USB drive found in a parking lot.

Use FIDO2 / Passkeys: Phishable credentials (passwords + OTPs) are dead. If you aren't using hardware keys (YubiKey) or Passkeys, you are low-hanging fruit.

Wake Up: Your personal phone is now a corporate endpoint. Treat it like one.

The weakest link in your fancy security chain isn't your firewall. It's the camera in your pocket.

Don't be the reason your company gets wrecked.

The Square Trap: Why Security Teams Miss QR Phishing

The Blind Spot

How They Get You

Who Are They Targeting?

Why I'm Worried

What You Need To Do

The Square Trap: Why Security Teams Miss QR Phishing

The Blind Spot

How They Get You

Who Are They Targeting?

Why I'm Worried

What You Need To Do