Security researchers at Barracuda Networks have discovered two novel QR code phishing (quishing) techniques involving splitting malicious QR codes into two parts or embedding them into legitimate ones.

They detailed their findings in a new report, Threat Spotlight: Split and nested QR codes fuel new generation of ‘Quishing’ attacks, published on August 20.

QR Code Splitting Explained

The Barracuda researchers observed that operators of Gabagool, a phishing-as-a-service (PhaaS) kit, have recently started using a new technique to help malicious QR codes evade detection.

The technique involves splitting a QR code into two separate images and embedding them in a phishing email. When traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code.

To the recipient, the QR code rendered in the message looks complete and can be scanned, taking the user to a phishing page designed to steal their Microsoft login credentials. In the message's HTML, however, the visual is two separate images placed directly adjacent to each other so that the mail client renders them as one; a scanner that decodes each image on its own never sees the whole code.
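The following is an added illustration of the detection gap this technique exploits, not code from Barracuda or the Gabagool kit. It builds a constructed 21x21 bitmap that has the three QR finder (position-detection) patterns a real scanner first locates but only filler data elsewhere (so it is not a scannable code), splits it into two images as the attackers do, and then shows that neither half contains all three finders while the two stitched back together do. The e-mail HTML, the `cid:` image names and the rule "two images in one table row with no text between them render as one picture" are assumptions made for the example.

```python
"""Split-QR reassembly check (added example, not Barracuda's code).

A QR decoder starts by locating three 7x7 finder patterns. Each half of a
split code carries fewer than three, so per-image scanning fails; stitching
images that the HTML lays out contiguously restores the full pattern set.
"""
from html.parser import HTMLParser

# The 7x7 position-detection pattern found in three corners of every QR code.
FINDER = [
    [1, 1, 1, 1, 1, 1, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 1, 1],
]


def make_fake_qr(size=21):
    """Constructed bitmap (1 = dark module): real finder patterns and light
    separators, checkerboard filler elsewhere. Structure only, not valid data."""
    grid = [[(r + c) % 2 for c in range(size)] for r in range(size)]
    for r0, c0 in ((0, 0), (0, size - 7), (size - 7, 0)):
        for r in range(7):
            for c in range(7):
                grid[r0 + r][c0 + c] = FINDER[r][c]
    for r in range(8):                # one-module light ring beside each finder
        grid[r][7] = 0
        grid[r][size - 8] = 0
        grid[size - 1 - r][7] = 0
    for c in range(8):
        grid[7][c] = 0
        grid[7][size - 1 - c] = 0
        grid[size - 8][c] = 0
    return grid


def count_finder_patterns(grid):
    """Exact 7x7 template matches; a complete code yields three."""
    rows, cols = len(grid), (len(grid[0]) if grid else 0)
    hits = 0
    for r in range(rows - 6):
        for c in range(cols - 6):
            if all(grid[r + i][c:c + 7] == FINDER[i] for i in range(7)):
                hits += 1
    return hits


def split_vertical(grid, col):
    """Cut the bitmap into a left and a right image at column `col`."""
    return [row[:col] for row in grid], [row[col:] for row in grid]


def stitch_horizontal(parts):
    """Place equal-height bitmaps side by side, as adjacent <td> cells render."""
    height = len(parts[0])
    if any(len(p) != height for p in parts):
        raise ValueError("parts must have equal height")
    return [sum((p[r] for p in parts), []) for r in range(height)]


class AdjacentImageFinder(HTMLParser):
    """Collect runs of <img> src values that share one <tr> with no text
    between them, a layout that renders as a single picture (assumed rule)."""

    def __init__(self):
        super().__init__()
        self.rows, self._current, self._text_seen = [], None, False

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._current, self._text_seen = [], False
        elif tag == "img" and self._current is not None:
            self._current.append(dict(attrs).get("src", ""))

    def handle_data(self, data):
        if self._current is not None and data.strip():
            self._text_seen = True

    def handle_endtag(self, tag):
        if tag == "tr" and self._current is not None:
            if len(self._current) >= 2 and not self._text_seen:
                self.rows.append(self._current)
            self._current = None


def find_split_qr(html, images):
    """Count finders per image alone and per stitched run of adjacent images.
    `images` maps img src -> bitmap (already fetched from the MIME parts)."""
    parser = AdjacentImageFinder()
    parser.feed(html)
    results = []
    for srcs in parser.rows:
        parts = [images[s] for s in srcs if s in images]
        if len(parts) < 2:
            continue
        results.append({
            "srcs": srcs,
            "alone": [count_finder_patterns(p) for p in parts],
            "stitched": count_finder_patterns(stitch_horizontal(parts)),
        })
    return results


# Constructed phishing-style message body (assumed layout, not a real sample).
EMAIL_HTML = """<html><body>
<p>Your Microsoft account requires re-authentication. Scan to continue.</p>
<table cellpadding="0" cellspacing="0"><tr>
<td><img src="cid:left.png" style="display:block"></td>
<td><img src="cid:right.png" style="display:block"></td>
</tr></table></body></html>"""

if __name__ == "__main__":
    left, right = split_vertical(make_fake_qr(), 10)
    for hit in find_split_qr(EMAIL_HTML, {"cid:left.png": left, "cid:right.png": right}):
        print(hit)   # per-image counts below three, stitched count three
```

Splitting at column 10 leaves the left image with two finder patterns and the right with one, so a scanner that processes each MIME part independently never gets a decodable code; only the stitched composite does. A production filter would replace the bitmaps with decoded PNG/JPEG pixels and a real QR library, and should also consider vertically stacked images and overlapping absolute-positioned ones, which the table-row heuristic here does not cover.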