New ‘Quishing’ Attacks Split QR Codes to Hijack Conversations
Researchers have discovered Gabagool PhaaS attackers implementing split QR codes in an attack that began as a standard fake Microsoft ‘password reset’ scam. The attackers’ use of highly tailored messages suggests they’d previously implemented a successful conversation hijacking attack against the target.
The details are here: https://blog.barracuda.com/2025/08/20/threat-spotlight-split-nested-qr-codes-quishing-attacks
The technique involves splitting the QR code into two separate images and embedding them in a phishing email. When traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code.
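To show why per-image scanning misses this, here is an added example (not code from this post, Barracuda or KnowBe4): a stdlib-only Python heuristic that parses a MIME message, finds runs of adjacent inline images with no text between them, reads their PNG dimensions and flags runs whose pieces reassemble into a QR-sized square. The thresholds, the constructed sample message and the stub PNG headers are assumptions for the demo; a real pipeline would stitch the flagged pieces and pass the result to a QR decoder, which this example does not include.

```python
"""Layout heuristic for split QR codes ("quishing") in HTML email (added example)."""
import email
import re
import struct
from email import policy
from email.message import EmailMessage

# Assumed thresholds: a square composite at least this big is worth a second
# look; a piece this far from square is not a complete QR code on its own.
MIN_COMPOSITE_PX = 100
SQUARE_TOLERANCE = 0.15

IMG_RE = re.compile(r'<img[^>]+src="cid:([^"]+)"[^>]*>', re.IGNORECASE)
BLOCK_BREAK_RE = re.compile(r'<br\s*/?>|</?(?:div|p|tr|td|table)[^>]*>', re.IGNORECASE)


def png_dimensions(data):
    """Width/height from a PNG signature + IHDR chunk, or None if not PNG."""
    if len(data) < 24 or data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def inline_images(msg):
    """Map Content-ID (without angle brackets) to the bytes of each image part."""
    images = {}
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            cid = str(part.get("Content-ID") or "").strip("<>")
            if cid:
                images[cid] = part.get_payload(decode=True)
    return images


def image_runs(html):
    """Group <img cid:> tags separated only by markup (no visible text).

    Each run is a list of (cid, stacked_vertically); the flag is True when a
    line or block break sits between this image and the previous one.
    """
    runs, current, pos = [], [], 0
    for m in IMG_RE.finditer(html):
        between = html[pos:m.start()]
        if re.sub(r"<[^>]+>", "", between).strip():   # real text: new run
            if current:
                runs.append(current)
            current = []
        vertical = bool(current) and bool(BLOCK_BREAK_RE.search(between))
        current.append((m.group(1), vertical))
        pos = m.end()
    if current:
        runs.append(current)
    return runs


def is_square(w, h):
    return h > 0 and abs(w / h - 1) < SQUARE_TOLERANCE


def find_split_qr_candidates(raw_message):
    """Return lists of Content-IDs whose images reassemble into a QR-sized square."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    images = inline_images(msg)
    candidates = []
    for run in image_runs(body.get_content()):
        if len(run) < 2:
            continue
        pieces = [png_dimensions(images.get(cid, b"")) for cid, _ in run]
        if any(p is None for p in pieces):
            continue
        # A whole QR code in one image is a job for the normal per-image decoder.
        if any(is_square(w, h) for w, h in pieces):
            continue
        if any(v for _, v in run[1:]):                 # pieces stacked top/bottom
            comp_w, comp_h = max(w for w, _ in pieces), sum(h for _, h in pieces)
        else:                                          # pieces side by side
            comp_w, comp_h = sum(w for w, _ in pieces), max(h for _, h in pieces)
        if comp_w >= MIN_COMPOSITE_PX and is_square(comp_w, comp_h):
            candidates.append([cid for cid, _ in run])
    return candidates


def fake_png(width, height):
    """Constructed PNG header only (enough for png_dimensions); not a real image."""
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", width, height)


def build_sample_message(split=True):
    """Constructed 'password reset' lure: a 200x200 code as two 200x100 halves, or whole."""
    msg = EmailMessage()
    msg["Subject"] = "Action required: password reset"
    msg["From"] = "it-helpdesk@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Scan the code to reset your password.")
    if split:
        html = ('<p>Your password expires today. Scan to reset:</p>'
                '<img src="cid:top@example.invalid"><br><img src="cid:bottom@example.invalid">')
    else:
        html = '<p>Your password expires today. Scan to reset:</p><img src="cid:top@example.invalid">'
    msg.add_alternative(html, subtype="html")
    related = msg.get_payload()[1]
    if split:
        related.add_related(fake_png(200, 100), "image", "png", cid="<top@example.invalid>")
        related.add_related(fake_png(200, 100), "image", "png", cid="<bottom@example.invalid>")
    else:
        related.add_related(fake_png(200, 200), "image", "png", cid="<top@example.invalid>")
    return msg.as_bytes()


if __name__ == "__main__":
    print(find_split_qr_candidates(build_sample_message(split=True)))   # flagged pair
    print(find_split_qr_candidates(build_sample_message(split=False)))  # []
```

The point of the heuristic is that the decision is made on the composite layout rather than on any single attachment, which is exactly what a scanner that decodes images one at a time cannot do; tuning the tolerances against real mail is left to the deployer.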
Barracuda threat analysts recently found Gabagool attackers implementing split QR codes in an attack that began as a standard fake Microsoft ‘password reset’ scam. The attackers’ use of highly tailored messages suggests they’d previously implemented a successful conversation hijacking attack against the target.
Erich Kron, Security Awareness Advocate at KnowBe4, commented:
“The inclusion of tricky little QR codes in some of the phishing kits or phishing services is indicative of the advancement of attacks, even at the commodity level. What might have been expected from a nation state has now made its way into low cost pay-to-play cyber tools and services. QR codes provide a somewhat unique challenge as many individuals are not aware that they can be weaponized, and many mobile devices do not actually show you the URL it is taking you to, but rather simply ask if you want to open the link in the browser.
“It has always been more difficult to view some threats on mobile devices because the limited screen real estate means that things such as the URL bar in a browser may be hidden from view unless a person intentionally looks for it. In addition, mobile devices tend to connect through cellular services, or unsecured Wi-Fi networks like those in restaurants, airports, hotels, and other public places. This means many security tools that can help keep organization-owned computers safe on the corporate network are not applied to mobile devices. When on the road, people are far more likely to browse the Internet without the use of a VPN on phones and tablets compared to when they use laptops, losing the security controls available through VPN monitoring.
“The attack itself is fairly common, sending a user to a website designed to look like a legitimate login portal. This is not a novel attack and is a part of many phishing kits or phishing services, but the delivery method of splitting QR codes into multiple images or embedding them within each other to bypass filters is clever and can make things difficult for email filters to spot. Once an attacker steals the credentials of cloud services such as Microsoft 365 or Google, it makes it very easy for them to access email accounts which contain sensitive information, or use those accounts to attack others. Attacks like this highlight the importance of having a comprehensive Human Risk Management (HRM) program in place within organizations. When people are aware of these types of fake login portals, it becomes very easy to spot the fakes, even if the emails are able to get past the technology. The use of MFA can mitigate some of the risk; however, many types of MFA are vulnerable to being bypassed, making the inconvenience for attackers minimal.”
QR code-based attacks have been around for a while, but they are clearly evolving, which means you have to be more careful than ever not to become a victim of one.
This entry was posted on August 21, 2025 at 3:18 pm and is filed under Commentary with tags Barracuda. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.