The Payroll Memo Whose Link You Could Not Scan: QR Code Quishing Buried in a Word Attachment
ID: f0431f00-9ca0-5d15-908a-dd453e76614f
STIX ID: report--f0431f00-9ca0-5d15-908a-dd453e76614f
Feed Name: IRONSCALES
An attacker sent a personalized payroll memo DOCX with an embedded PNG QR code that resolved to a credential-harvesting URL on an obscure TLD; because the link was an image inside the attachment and intended to be scanned on a personal phone, inline URL scanners and corporate web proxies never inspected it. Authentication (SPF/DKIM/DMARC) failed but the lure used the recipient's real name and email to build trust; the report includes defanged IoCs (domain, URL fragment pattern, originating IP, attachment filename and MD5) and recommends decoding QR images inside documents, adding behavioral/contextual detection, and user training.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
