logo

The Payroll Memo Whose Link You Could Not Scan: QR Code Quishing Buried in a Word Attachment

ID: f0431f00-9ca0-5d15-908a-dd453e76614f

STIX ID: report--f0431f00-9ca0-5d15-908a-dd453e76614f

Feed Name: IRONSCALES

Threat Score
70/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

Author: [email protected] (Audian Paxson)

...
...

An attacker sent a personalized payroll memo DOCX with an embedded PNG QR code that resolved to a credential-harvesting URL on an obscure TLD; because the link was an image inside the attachment and intended to be scanned on a personal phone, inline URL scanners and corporate web proxies never inspected it. Authentication (SPF/DKIM/DMARC) failed but the lure used the recipient's real name and email to build trust; the report includes defanged IoCs (domain, URL fragment pattern, originating IP, attachment filename and MD5) and recommends decoding QR images inside documents, adding behavioral/contextual detection, and user training.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.