The quishing technique
In a quishing campaign, victims scanning the QR code are typically routed through attacker-controlled infrastructure that fingerprints their devices, collects user agent details, operating system, IP address, screen size, and local language.
Usually, victims are served a phishing page that impersonates Microsoft 365, Okta, VPN portals, or Google login pages, the ultimate goal being to steal access credentials or tokens.
“Quishing operations frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering the typical ‘MFA failed’ alerts,” the agency notes.
Because it forces the target to use their mobile devices to scan the QR code, threat actors manage to avoid traditional email security solutions and can distribute malicious emails from a compromised inbox.
The FBI describes these attacks as an “MFA-resilient identity intrusion vector” because they originate from unmanaged mobile devices outside standard Endpoint Detection and Response (EDR) and network monitoring.
To defend against these attacks, the FBI recommends targeted employee training, QR code source verification, implementation of mobile device management, and multi-factor authentication enforcement.
The agency recommends that targets of such attacks should report them immediately to their local FBI Cyber Squad or the IC3 portal.
The 2026 CISO Budget Benchmark
It’s budget season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.