Agent Foskett • QR Phishing • Microsoft 365 Investigation

The QR Code Was Trusted

Nobody typed a password into the company laptop.

Nobody downloaded malware.

Nobody opened a suspicious attachment on the protected corporate device.

The user simply scanned a QR code.

The email looked routine. The message felt familiar. The Microsoft 365 login page on the phone looked close enough to trust.

But the QR code was not there to make life easier.

It was there to move the attack away from the endpoint, away from desktop security controls, and into a mobile sign-in flow where the user was more likely to trust what they saw.

This Agent Foskett briefing looks at QR phishing attacks, often called quishing, where attackers use QR codes to trigger credential harvesting, session theft, suspicious Microsoft 365 sign-ins and post-authentication activity that may not look like a traditional malware incident.

The laptop stayed clean.

The phone became the attack path.

Agent Foskett investigates QR phishing and Microsoft 365 mobile sign-in attacks
Briefing summary

QR phishing attacks move users away from protected corporate devices and into trusted mobile authentication workflows. The page may look legitimate, the sign-in may succeed and the resulting session may appear valid — while the attacker gains access behind the scenes.

Review QR-code email campaigns
Investigate mobile browser sign-ins
Correlate session and mailbox activity
🚨 The QR code looked helpful. The destination was the trap.
QR phishing does not need to compromise the endpoint first. It can move the user into a mobile sign-in path where trust, speed and habit do the attacker's work.

Why QR phishing works

QR phishing succeeds because it feels normal. Users are used to scanning QR codes for menus, payments, tickets, login pairing and document access. When the code appears inside a business email, the action can feel routine rather than risky.
The QR code looked useful
The message may claim the user needs to review a document, verify a delivery, access payroll information or complete a Microsoft 365 action.
The phone felt trusted
Users often trust their phone more than the email itself, especially when the mobile browser shows something that looks like a familiar Microsoft sign-in page.
The desktop stayed quiet
The corporate endpoint may not see the destination because the scan and authentication happen on a separate mobile device outside the normal desktop flow.

Why defenders miss it

Traditional phishing investigations often start with attachments, clicked links and endpoint detections. QR phishing changes the path. The suspicious action may not be a desktop click. It may be a phone scan followed by a mobile browser sign-in and a valid cloud session.
No obvious attachment
The email may not contain malware. It may simply contain an image with a QR code designed to send the user somewhere else.
No desktop URL click
If the user scans the code with a phone, the normal desktop click trail may be weak, incomplete or missing from the endpoint view.
The sign-in looked successful
Once the user completes authentication, the cloud may record a valid session rather than an obvious blocked attack.

First hunt: suspicious mobile sign-ins

Start with sign-ins that involve mobile clients, browsers, unfamiliar IP addresses, unusual locations or unexpected applications. QR phishing often turns a suspicious email into a mobile authentication event.
qr-phishing-mobile-signins.kql
SigninLogs
| where TimeGenerated > ago(7d)
| where ClientAppUsed has_any ("Mobile", "Browser")
| project TimeGenerated,
          UserPrincipalName,
          IPAddress,
          Location,
          AppDisplayName,
          ClientAppUsed,
          DeviceDetail,
          ConditionalAccessStatus,
          ResultType
| order by TimeGenerated desc
What to review
Look for unexpected mobile browser sessions, unfamiliar IP addresses, odd locations, unusual applications and successful sign-ins near the time of the QR email.
Why it matters
The scan itself may not show as a normal desktop click. The sign-in event may be the first strong cloud-side clue.
Best next pivot
Pivot into email delivery, URL activity, mailbox access, file downloads, inbox rules and any OAuth consent activity after the sign-in.

Second hunt: emails likely to contain QR lures

QR-code emails may use document, voicemail, payroll, invoice, delivery or Microsoft verification themes. This query gives investigators a practical starting point for reviewing message subjects and delivery patterns.
qr-themed-email-review.kql
EmailEvents
| where Timestamp > ago(14d)
| where Subject has_any ("QR", "scan", "verify", "document", "voicemail", "invoice", "payroll")
| project Timestamp,
          RecipientEmailAddress,
          SenderFromAddress,
          SenderMailFromAddress,
          Subject,
          DeliveryAction,
          ThreatTypes
| order by Timestamp desc

Third hunt: what happened after the scan?

The most important question is not only whether the QR code was scanned. It is what happened after the user authenticated. Review mailbox access, file downloads, inbox rules, OAuth activity and any cloud behaviour that followed the suspicious sign-in.
activity-after-qr-scan.kql
CloudAppEvents
| where Timestamp > ago(14d)
| where Application has_any ("Exchange", "Office 365", "Microsoft 365", "SharePoint", "Azure AD")
| where ActionType has_any ("MailItemsAccessed", "FileDownloaded", "New-InboxRule", "Consent to application")
| project Timestamp, AccountDisplayName, ActionType, Application, IPAddress, RawEventData
| order by Timestamp desc
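The three hunts above are separate queries; the following added example (not one of the briefing's own queries) chains them into a single KQL correlation: delivered QR-themed lure, then a successful browser or mobile sign-in by the same recipient within an assumed window, then the post-authentication actions that followed. It assumes a Sentinel workspace where SigninLogs and the Defender XDR tables EmailEvents and CloudAppEvents are all ingested, and that the 4h and 24h windows suit the environment.

```kql
// Added correlation example; not one of the briefing's own queries.
// Assumed: SigninLogs, EmailEvents and CloudAppEvents all live in one
// Sentinel workspace, so user object IDs can be joined across them.
let lookback = 14d;
let signin_window = 4h;    // assumed gap between lure delivery and scan
let postauth_window = 24h; // assumed review period after the sign-in
let lure_terms = dynamic(["QR", "scan", "verify", "document", "voicemail", "invoice", "payroll"]);
// 1. Delivered emails with QR-style lure themes, keyed by recipient object ID
let lures = EmailEvents
| where Timestamp > ago(lookback)
| where DeliveryAction == "Delivered"
| where Subject has_any (lure_terms)
| project LureTime = Timestamp, UserObjectId = RecipientObjectId,
          Recipient = RecipientEmailAddress, SenderFromAddress, Subject;
// 2. Successful browser / mobile sign-ins (ResultType "0" = success)
let signins = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| where ClientAppUsed has_any ("Mobile", "Browser")
| project SigninTime = TimeGenerated, UserObjectId = UserId,
          UserPrincipalName, IPAddress, AppDisplayName, ClientAppUsed,
          OS = tostring(DeviceDetail.operatingSystem),
          Browser = tostring(DeviceDetail.browser),
          ConditionalAccessStatus;
// 3. Post-authentication actions the briefing flags for review
let postauth = CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType has_any ("MailItemsAccessed", "FileDownloaded", "New-InboxRule", "Consent to application")
| project ActionTime = Timestamp, UserObjectId = AccountObjectId,
          ActionType, Application, ActionIP = IPAddress;
// Chain: lure -> sign-in within signin_window -> actions within postauth_window.
// leftouter keeps sign-ins with no recorded post-auth action so they still surface.
lures
| join kind=inner signins on UserObjectId
| where SigninTime between (LureTime .. (LureTime + signin_window))
| join kind=leftouter postauth on UserObjectId
| where isnull(ActionTime) or ActionTime between (SigninTime .. (SigninTime + postauth_window))
| summarize PostAuthActions = make_set(ActionType, 20),
            ActionIPs = make_set(ActionIP, 20),
            FirstAction = min(ActionTime),
            ActionCount = countif(isnotnull(ActionTime))
    by LureTime, Recipient, SenderFromAddress, Subject, SigninTime, IPAddress,
       AppDisplayName, ClientAppUsed, OS, Browser, ConditionalAccessStatus
// Flag when the sign-in IP also performed the post-auth actions (same session)
| extend SignInIPSeenInActions = set_has_element(ActionIPs, IPAddress)
| order by SigninTime desc
```

Rows with a mobile OS, an unfamiliar IP and a non-empty PostAuthActions set are the ones to review first; widen or narrow the two windows if the environment's delivery-to-scan timing differs.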

Common signs of QR phishing

Not every QR code is malicious. But when a QR-themed email is followed by an unfamiliar mobile sign-in and unusual cloud activity, the pattern deserves attention.
QR code inside the message
The email may include a QR image instead of a normal hyperlink, making it harder for users to inspect the final destination.
Mobile-first authentication
The suspicious sign-in may come from a mobile browser or unfamiliar device context rather than the user's managed workstation.
Valid session afterwards
The attack may not end at credential entry. It may create a session that allows mailbox access, file downloads or further cloud activity.

Where defenders get caught

QR phishing is dangerous because the most suspicious part may happen outside the place defenders are looking. The email is on the desktop, the scan is on the phone, the sign-in is in the cloud and the damage may occur after authentication.
They trust the clean endpoint
A clean laptop does not prove the account is safe when the user completed the attack flow on a phone.
They look only for clicks
URL click telemetry matters, but QR phishing may leave a different trail because the click happens after a camera scan.
They stop at sign-in success
A successful sign-in is not the end of the investigation. It is the beginning of the post-authentication review.

How GEMXIT approaches this type of investigation

At GEMXIT, we treat QR phishing as a cross-device identity investigation. The email, mobile sign-in, session activity and cloud application behaviour all need to be reviewed together.
We connect email and identity
We review the email lure, sender alignment, delivery action, recipient targeting and the sign-in behaviour that followed.
We review post-authentication activity
Mailbox access, inbox rules, file downloads, SharePoint access and OAuth consent can reveal what the attacker did after the scan.
We strengthen practical controls
Response may include Conditional Access tuning, phishing-resistant MFA, session revocation, user awareness and stronger monitoring around mobile sign-ins.
The QR code was trusted. The session still needed investigating.
GEMXIT helps organisations investigate QR phishing, suspicious Microsoft 365 sign-ins, Defender XDR telemetry, Sentinel visibility and practical KQL hunting workflows.

Final thought

The laptop never showed malware.

The user never noticed anything suspicious.

The QR code simply moved the attack somewhere defenders were not watching closely enough.

The real question became:

“Did the phone just approve the attacker?”
Agent Foskett mindset
The question is not only: “Was the endpoint clean?”

It is: “Where did the user complete the attack?”
