The email that arrived at a general adjuster's inbox looked exactly like what it claimed to be: a continuation of a real property-insurance claim. The subject was specific to a real claimant in a New England town. The thread contained references to a regional mutual insurer, a claims-services vendor, a specific low-five-figure settlement amount, and back-and-forth with the claimant's family members. It requested that the recipient "review, sign, have notarized, scan and return" a form.
Among the links in that email was hxxps://qrco[.]de/bfrZXz, a QR shortener that scanned as malicious.
Everything else checked clean. SPF passed. DKIM passed (signed against the sender's own domain and the Microsoft tenant domain). DMARC passed. ARC passed. Composite authentication (compauth) passed with reason=100. The sending domain had been registered in 1997. The incident system flagged sender risk as HIGH, consistent with account takeover on an established account.
Standard phishing detection relies heavily on authentication failures as risk escalators. When SPF fails, when DKIM is absent, when DMARC enforces rejection, those signals elevate scrutiny and often catch campaigns that deploy lookalike domains or borrowed infrastructure.
Account takeover removes all of that. When an attacker gains access to a legitimate Microsoft 365 mailbox at an established insurance-adjusting firm, every outbound email inherits the account's full authentication standing. The DKIM signature is signed by the legitimate tenant. The SPF record designates Microsoft's outbound infrastructure as a permitted sender. DMARC evaluates against the real organizational domain and passes. There is nothing in the authentication stack to evaluate because the attacker is the account.
This maps to MITRE ATT&CK T1078 (valid accounts, used here for persistence and trusted sending), T1566.002 (spearphishing link, the QR shortener), and T1204 (user execution, requiring the recipient to scan the QR code with a mobile device). The FBI IC3 2024 Annual Report identifies business email compromise, which account takeover directly enables, as the highest-loss cybercrime category year over year, with losses exceeding $2.7 billion in 2024 alone.
Quishing is effective precisely because it moves the payload off the email channel. A clickable hyperlink inside an email body can be extracted, analyzed, sandboxed, and detonated by email security tools. A QR code is an image. The URL it encodes is not present in the email as text. It exists only in the visual representation that a mobile device camera decodes.
The recipient of this email would have needed to open a phone camera, point it at the screen, and scan the code to reach the destination. That action happens entirely outside email security telemetry. Whatever credential-harvesting page qrco[.]de/bfrZXz resolved to at the time of scanning would have loaded on the phone's browser with no email gateway between it and the victim.
The CISA guidance on phishing recognition emphasizes scrutinizing unexpected links, but in the context of a long, legitimate-seeming thread with multiple known-clean links (insurer sites, vendor sites, Microsoft aka.ms redirects), one QR code shortener is easy to miss visually. That is structural camouflage, not social engineering sophistication. The Microsoft Digital Defense Report 2024 notes that account compromise via phishing and credential theft remains the dominant path to persistent access across enterprise environments.
The email thread itself was real. The claimant family names, the property address, the dollar amount, the references to specific insurers and claims vendors: all of this context existed before the attacker injected the malicious QR code into the thread. An attacker who has taken over a claims adjuster's mailbox has access to the full thread history. They can reply in-thread, preserving all prior context, and add a single new element.
A recipient engaged in an ongoing claim negotiation is cognitively prepared to receive and act on instructions within that thread. "Review, sign, have notarized, scan and return" is a completely normal instruction in claims processing. The QR code, framed as related to that instruction, inherits the thread's legitimacy. This is thread-context manipulation, and it requires no technical sophistication beyond initial account access.
The Verizon 2026 Data Breach Investigations Report finds the human element present in 62% of breaches. In this case, the human element is doubly compounded: the attacker exploited a human credential failure to gain account access, then exploited another human's trust in a familiar thread to deliver the QR payload.
The incident was initially detected by the Malware and URL Protection layer, which flagged qrco[.]de/bfrZXz as malicious. The system automatically reverted the email from the affected mailbox. The sender risk score for the established account was marked HIGH, consistent with account takeover behavioral patterns: an account with no prior adverse signals suddenly sending content containing flagged URLs.
IRONSCALES Adaptive AI and Themis, the agentic AI virtual SOC analyst, assess sender-risk signals as behavioral baselines rather than static reputation scores. An established domain with 29 years of history is not inherently low risk if its current sending behavior departs from its baseline. A QR code embedded in a claims-document thread, where QR codes have no established precedent, is anomalous regardless of the authentication result. That behavioral framing, rather than any authentication signal, is what elevated the risk classification.
The IRONSCALES QR code attack protection capability specifically addresses quishing by analyzing QR code content within email images, resolving the encoded URL, and scoring it independently of the surrounding email authentication. The IRONSCALES account takeover protection layer targets exactly the sender-risk anomaly that ATO creates: an established account exhibiting behavioral patterns inconsistent with its history. The IBM Cost of a Data Breach 2024 puts stolen credential incidents among the costliest breach types. An adjuster mailbox with access to active claim files, claimant personal information, and payment instruction threads is high-value infrastructure for follow-on fraud.
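As an added example (not IRONSCALES code, and not taken from the incident), the Python below shows the behavioral framing described above: the Authentication-Results header is parsed and recorded, but a fully passing stack never lowers the score, while a QR-decoded URL from a sender with no QR precedent, resolving through a shortener, is what drives the classification. The header text, the baseline counts and the shortener list are constructed for illustration; decoding the QR image into a URL is assumed to happen upstream.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed header modelled on the clean stack in the incident (all pass, compauth reason=100).
AUTH_HEADER = ("Authentication-Results: spf=pass (sender IP is 192.0.2.10) "
               "smtp.mailfrom=compromised-firm.com; dkim=pass (signature was verified) "
               "header.d=compromised-firm.com; dmarc=pass action=none "
               "header.from=compromised-firm.com; compauth=pass reason=100")

# Illustrative shortener list; a real deployment would use a maintained feed.
SHORTENERS = {"qrco.de", "bit.ly", "tinyurl.com"}


@dataclass
class SenderBaseline:
    """Hypothetical per-mailbox history: how much mail we have seen and how much carried a QR code."""
    messages_seen: int
    qr_messages: int


def parse_auth_results(header: str) -> dict:
    """Extract spf/dkim/dmarc/compauth verdicts and the compauth reason code."""
    results = dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", header))
    reason = re.search(r"\breason=(\d+)", header)
    if reason:
        results["reason"] = reason.group(1)
    return results


def refang(url: str) -> str:
    """Undo report-style defanging (hxxp, [.]) so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def score_message(auth: dict, baseline: SenderBaseline, qr_urls: list[str]) -> tuple[str, list[str]]:
    """Return (risk, anomalies). Passing authentication adds nothing; only deviations count."""
    anomalies = []
    if not all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc", "compauth")):
        anomalies.append("authentication failure")  # the classic escalator, absent under ATO
    for url in qr_urls:
        host = urlparse(refang(url)).hostname or ""
        if baseline.qr_messages == 0:
            anomalies.append(f"QR code from sender with {baseline.messages_seen} prior messages and no QR precedent")
        if host in SHORTENERS:
            anomalies.append(f"QR payload routed through shortener {host}")
    risk = "HIGH" if len(anomalies) >= 2 else "MEDIUM" if anomalies else "LOW"
    return risk, anomalies
```

Run against the constructed header, a baseline of 340 prior messages with no QR codes, and the defanged URL from the indicator table, the function returns HIGH on behavioral grounds alone.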
| Type | Indicator | Context |
|---|---|---|
| Malicious QR URL | hxxps://qrco[.]de/bfrZXz | QR shortener; flagged malicious; no screenshot captured |
| Compromised sender domain | compromised-firm[.]com | Established 1997 domain; fully authenticated M365 account; sender risk HIGH (ATO-consistent) |
The authentication stack was clean because the account was real. Detection came from behavioral signals: a sender-risk spike on an established account, and a malicious QR shortener inside a claims thread where QR codes do not belong.