# One Malicious QR Code Hidden in a Legitimate Booking Confirmation
A booking confirmation email arrived from a national golf-entertainment venue. The authentication was perfect: SPF, DKIM, and DMARC all passed through a well-known marketing platform. The content was convincing: personalized booking details, venue address, cancellation policy, and social media links. Buried in the message was one QR shortlink. That link was flagged malicious.
The email read like any standard booking confirmation. It included a personalized reservation (name, location, date, time, rental type), real waiver and booking-management links, and a recognizable brand layout. A recipient scanning the message for signs of fraud would have found none in the text or structure.
One element did not belong: qrco[.]de/bfcrKs, a QR shortlink embedded alongside otherwise-clean content. QR shortlinks and URL shorteners are common in legitimate marketing emails. That normalcy is exactly why they are useful to attackers. A shortlink obscures its final destination, and in a message with a dozen real, clean links, one malicious shortlink is easy to overlook.
The marketing infrastructure itself was legitimate. The bounce domain pointed to an authenticated marketing-service path. The sending IP (mta213a-ord[.]mtasv[.]net, 104[.]245[.]209[.]213) belongs to a well-known transactional email provider (ActiveCampaign). The email passed full DMARC p=reject enforcement.
DMARC p=reject is the strongest enforcement posture a domain can publish. This message passed it. That result tells the receiving mail stack one thing: the message was authorized by the domain owner's infrastructure. It says nothing about the content of every link inside the message.
Phishing via QR code succeeds specifically because it injects a malicious shortlink into an otherwise-legitimate message flow. If a marketing account is compromised, or if an attacker plants a malicious QR code template into an existing campaign, all of the authentication signals remain green. The brand's DKIM key is signing the message. The marketing provider's SPF record is covering the sending IP. Every trust signal that email authentication provides is intact, and none of them touch the shortlink payload.
The incident data shows that qrco[.]de/bfcrKs was the only URL in the message to receive a malicious verdict from the link scanner. Other links in the message were either rated clean (the venue's own domain pages) or listed as not-scanned (the waiver provider link). The malicious verdict on a single element was sufficient to classify the entire message as phishing.
Themis (our Adaptive AI) evaluates each link independently and aggregates across the full message. A message is not cleared because nine of ten links are clean. One confirmed malicious element escalates the verdict for the whole delivery.
The sender was also flagged as high-risk and as a first-time sender to the recipient mailbox, which added corroborating weight to the malicious link signal before the scanner even returned its verdict.
The instinct to weigh "most links are clean" against "one link is malicious" is the wrong frame. A single confirmed-malicious URL is a binary indicator. Phishing campaigns embed one bad link in otherwise-clean content precisely because defenders sometimes average across signals rather than treating each element as independently actionable.
Concrete controls:
- Block qrco[.]de shortlinks broadly if QR phishing activity is observed in your environment; shortlink services used in one campaign are frequently reused.
- See the MITRE ATT&CK technique references at https://attack.mitre.org/techniques/T1566/ and https://attack.mitre.org/techniques/T1204/.
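The evaluation logic described above (authentication results recorded but never used to clear content, each link judged on its own, one malicious link escalating the whole message, and a block list for the shortlink host named in the controls) as an added Python example. This is not Themis or the vendor's code; the message, the scanner verdict table, and the `venue.example` / `waiver-provider.example` hosts are constructed stand-ins, and only the qrco.de/bfcrKs shortlink is taken from the post.

```python
import re
from email import message_from_bytes, policy
from urllib.parse import urlsplit

# Constructed sample modelled on the incident in the post; not the real email.
# Authentication passes across the board, exactly as it did in the incident.
RAW_MESSAGE = b"""Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.marketing.example;
 dkim=pass header.d=venue.example;
 dmarc=pass (p=reject) header.from=venue.example
From: Venue Bookings <bookings@venue.example>
To: guest@example.net
Subject: Your booking is confirmed
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Guest, your bay at Venue Downtown is booked for Saturday 7:00 PM.</p>
<p><a href="https://venue.example/manage-booking">Manage booking</a></p>
<p><a href="https://venue.example/cancellation-policy">Cancellation policy</a></p>
<p><a href="https://waiver-provider.example/sign">Sign your waiver</a></p>
<p>Scan to check in: <a href="https://qrco.de/bfcrKs">QR code</a></p>
</body></html>
"""

# Constructed stand-in for the link scanner (the real one is a network service).
# The qrco.de shortlink is the IoC from the post; the waiver link is deliberately
# absent so it comes back "not-scanned", as it did in the incident.
SCANNER_VERDICTS = {
    "https://venue.example/manage-booking": "clean",
    "https://venue.example/cancellation-policy": "clean",
    "https://qrco.de/bfcrKs": "malicious",
}

# Shortlink hosts blocked outright once QR phishing has been observed (the control above).
BLOCKED_SHORTLINK_HOSTS = {"qrco.de"}


def parse_auth_results(msg):
    """Return the spf/dkim/dmarc results from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        results[mech] = m.group(1) if m else "none"
    return results


def extract_links(msg):
    """Pull every href target out of the HTML body, in document order."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return re.findall(r'href="([^"]+)"', text)


def link_verdict(url, scanner=SCANNER_VERDICTS, blocked=BLOCKED_SHORTLINK_HOSTS):
    """Per-link verdict: local shortlink block list first, then the scanner's verdict."""
    host = urlsplit(url).hostname or ""
    if host in blocked:
        return "malicious"
    return scanner.get(url, "not-scanned")


def classify_message(raw, first_time_sender=False, sender_risk="low"):
    """Aggregate per-link verdicts without averaging them.

    One malicious link makes the whole message phishing no matter how many
    other links are clean and no matter what SPF/DKIM/DMARC say. Authentication
    is reported alongside the verdict but never used to clear content.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    verdicts = {url: link_verdict(url) for url in extract_links(msg)}

    if any(v == "malicious" for v in verdicts.values()):
        verdict = "phishing"
    elif first_time_sender and sender_risk == "high" and "not-scanned" in verdicts.values():
        # No confirmed bad link, but unscanned content from a risky new sender: hold it.
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"auth": auth, "links": verdicts, "verdict": verdict}


if __name__ == "__main__":
    result = classify_message(RAW_MESSAGE, first_time_sender=True, sender_risk="high")
    print(result["auth"])      # all three pass, yet:
    print(result["verdict"])   # phishing
```

The point of the block-list check running before the scanner is the "broadly" in the control above: a second qrco.de path the scanner has never seen still comes back malicious, so a reused shortlink service does not get a second chance just because the specific code is new.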
| Type | Value | Notes |
|---|---|---|
| Malicious QR shortlink | qrco[.]de/bfcrKs | Scanner verdict: malicious |
| Sending infrastructure | mta213a-ord[.]mtasv[.]net | Legitimate marketing MTA (ActiveCampaign) |
| Sending IP | 104[.]245[.]209[.]213 | ActiveCampaign/mtasv.net range |
| Authentication | SPF/DKIM/DMARC p=reject: pass | Authenticated; does not clear content |
| Sender risk | HIGH (first-time sender) | Behavioral signal |
| Campaign type | Booking confirmation lure | Personalized transactional pretext |
| Attack | What happened |
|---|---|
| The B2B Content Marketing Email That Borrowed a Brand, a Relay Allow-List, and a Security Vendor's Own URL Wrapper | A polished B2B research report offer used SelectHub branding, passed through an allow-listed mail relay at SCL -1. |
| The Email That Passed Every Security Check (Because Adobe Sent It) | A phishing campaign targeting school district staff used Adobe's own sending infrastructure, real DKIM signatures. |
| The Phishing Infrastructure Was Canva. The Delivery Mechanism Was Canva. The Authentication Was Canva. | An attacker signed up for Canva, built a phishing lure as a design, and used the platform's own sharing feature to deliver it. |
| The Datadog Alert That Came From the Wrong Domain: Authenticated Brand Impersonation With All Links Pointing to Real Infrastructure | A fully authenticated Datadog monitor alert arrived from dtdg.co, not datadoghq.com. |
| When the Sender Domain Is Also the Phishing Kit Host: Dual-Purpose Domain Compromise | An attacker compromised a legitimate manufacturing company domain and used it two ways at once: as the authenticated sending address and as the host for... |