detecting-qr-code-phishing-with-email-security

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026


$ npx skills install mukul975/Anthropic-Cybersecurity-Skills/detecting-qr-code-phishing-with-email-security
summary

Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious URLs in QR code images within emails.

skill.md

name: detecting-qr-code-phishing-with-email-security
description: Detect and prevent QR code phishing (quishing) attacks that bypass traditional email security by embedding malicious URLs in QR code images within emails.
domain: cybersecurity
subdomain: phishing-defense
tags: quishing, qr-code, phishing, email-security, image-analysis, ocr, mobile-security
version: '1.0'
author: mahipal
license: Apache-2.0
atlas_techniques: AML.T0052, AML.T0024, AML.T0035
nist_ai_rmf: MEASURE-2.8, MAP-5.1
nist_csf: PR.AT-01, DE.CM-09, RS.CO-02, DE.AE-02

Detecting QR Code Phishing with Email Security

Overview

QR code phishing (quishing) is a rapidly growing attack vector where malicious URLs are embedded in QR code images within phishing emails. Quishing incidents grew fivefold from 46,000 to 250,000 between August and November 2025, with credential phishing comprising 89.3% of detected incidents. Traditional email security filters struggle because QR codes cannot be read by humans or standard URL scanners, and users typically scan them with personal mobile devices that lack corporate security controls. Attackers have evolved to use split QR codes (two separate images), nested QR codes, and ASCII text-based QR codes to evade detection.

When to Use

  • When investigating security incidents that involve QR code phishing delivered by email
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Email security gateway with image analysis capabilities
  • Understanding of QR code structure and encoding
  • Mobile device management (MDM) or mobile threat defense solution
  • Security awareness training program
  • SIEM platform for correlation and alerting

Key Concepts

Why Quishing Works

  1. Bypasses URL Scanners: Traditional gateways scan text-based URLs but cannot decode image-embedded URLs
  2. Shifts to Unprotected Devices: Corporate email arrives on secured systems but QR scan occurs on personal mobile devices
  3. User Trust: QR codes are normalized in daily life (payments, menus, parking)
  4. Low Detection Rate: Only 36% of quishing incidents are accurately identified by recipients

Evasion Techniques (2025)

  • Split QR Codes: QR code divided into two separate images that look benign individually (Gabagool PhaaS kit)
  • Nested QR Codes: QR code within a QR code, with first scan leading to intermediate page
  • ASCII QR Codes: QR rendered as text characters instead of images, bypassing image analysis (12% of attacks in Jan 2026)
  • Styled/Artistic QR Codes: Custom-designed QR codes with logos that evade pattern matching
  • PDF Attachment QR: QR code embedded in PDF attachment rather than email body

Detection Challenges

  • Pattern-based detection faces a trade-off: aggressive tuning causes false positives, cautious tuning causes misses
  • Average similarity score of 0.209 between quishing and legitimate QR emails
  • QR codes in image attachments require OCR and deep image processing

Workflow

Step 1: Enable Image-Based Threat Detection

  • Configure email gateway to scan embedded images for QR codes
  • Enable OCR processing on image attachments (PNG, JPG, GIF, BMP)
  • Deploy multimodal AI that combines image processing, OCR, and NLP analysis
  • Configure PDF scanning to detect QR codes within attachments
  • Set up detection for ASCII/text-based QR code rendering
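
A heuristic for the ASCII/text-based QR case in the last item, as an added example that is not part of the original skill: it flags runs of text lines made almost entirely of block glyphs. The glyph set, the 0.9 ratio and the function names are assumptions; the sample body is constructed.

```python
# Glyphs assumed to be used for text-rendered QR codes: the Unicode Block
# Elements range (U+2580-U+259F) plus space and '#'.
MODULE_CHARS = set(" #") | {chr(c) for c in range(0x2580, 0x25A0)}
MIN_MODULES = 21  # the smallest QR symbol (version 1) is 21x21 modules


def _is_module_row(line, min_ratio):
    # Wide enough for a QR row, not blank, and dominated by module glyphs.
    if len(line) < MIN_MODULES or not line.strip():
        return False
    return sum(ch in MODULE_CHARS for ch in line) / len(line) >= min_ratio


def find_ascii_qr_blocks(body, min_ratio=0.9):
    """Return (first_line, last_line, width) per suspect block, 0-based lines."""
    # Half-block glyphs pack two module rows into one text line, so a
    # version 1 symbol can be as short as 11 lines.
    min_rows = (MIN_MODULES + 1) // 2
    blocks, start = [], None
    lines = body.splitlines() + [""]  # sentinel flushes a block that ends the body
    for i, line in enumerate(lines):
        if _is_module_row(line, min_ratio):
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_rows:
                width = max(len(row) for row in lines[start:i])
                blocks.append((start, i - 1, width))
            start = None
    return blocks


# Constructed sample: a synthetic 21x11 glyph grid (not a decodable QR code)
# placed between two lines of ordinary prose.
SAMPLE_ROWS = ["".join("█▀▄ "[(r * 7 + c * 3) % 4] for c in range(21))
               for r in range(11)]
SAMPLE_BODY = ("Please scan to re-enable MFA:\n"
               + "\n".join(SAMPLE_ROWS) + "\nThanks,\nIT")

if __name__ == "__main__":
    print(find_ascii_qr_blocks(SAMPLE_BODY))
```

A hit only means the region has the shape of a text-rendered QR code; rendering the block to an image and passing it to the gateway's QR decoder is what recovers the URL for Step 2.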

Step 2: Configure QR Code URL Analysis

  • Extract URLs from detected QR codes and submit to URL reputation services
  • Apply same URL scanning policies to QR-extracted URLs as text-based URLs
  • Enable real-time sandbox analysis for QR-decoded destination pages
  • Configure time-of-click protection for QR-extracted URLs where possible
  • Block known phishing domains extracted from QR codes

Step 3: Deploy Mobile-Side Protection

  • Implement mobile threat defense (MTD) with QR code scanning capability
  • Deploy Palo Alto ALFA or equivalent safe-by-design QR scanning
  • Configure MDM policies to warn users before opening scanned URLs
  • Enable corporate VPN/secure browser for QR-scanned destinations
  • Block known credential harvesting domains at the mobile proxy level

Step 4: Build Detection Rules

  • Alert on emails containing only an image and minimal text (common quishing pattern)
  • Flag emails with QR code images from external first-time senders
  • Detect urgency language combined with QR code presence
  • Alert on emails impersonating IT/security team requesting QR scan for MFA setup
  • Monitor for common quishing themes: MFA reset, document signing, voicemail notification
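
The five rules above expressed as detection logic over a parsed message, as an added example that is not part of the original skill. The keyword lists, the 25-word threshold, the rule names and the `qr_found` flag (assumed to be supplied by the gateway's QR decoder) are assumptions; the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Keyword lists are illustrative assumptions; tune them on your own mail corpus.
URGENCY = re.compile(r"\b(urgent|immediately|action required|expires?|suspended)\b", re.I)
MFA = re.compile(r"\b(mfa|multi-factor|authenticator)\b", re.I)
THEMES = re.compile(r"\b(mfa|docusign|sign the document|voicemail)\b", re.I)
IT_NAMES = re.compile(r"\b(it|help ?desk|security) (team|support|department)\b", re.I)

def quishing_signals(raw, qr_found, known_senders, internal_domain):
    """Return names of the rules that fire; qr_found comes from an upstream QR decoder."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    text, images = "", 0
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            text += part.get_payload(decode=True).decode(charset, "replace")
        elif part.get_content_maintype() == "image":
            images += 1
    haystack = f"{msg.get('Subject', '')} {text}"
    first_time_external = sender.rsplit("@", 1)[-1] != internal_domain and sender not in known_senders
    rules = {
        "image_with_minimal_text": images > 0 and len(text.split()) < 25,
        "qr_from_first_time_external_sender": qr_found and first_time_external,
        "urgency_with_qr": qr_found and bool(URGENCY.search(haystack)),
        "it_impersonation_mfa_qr": qr_found and bool(MFA.search(haystack))
            and bool(IT_NAMES.search(msg.get("From", "") + " " + haystack)),
        "quishing_theme": bool(THEMES.search(haystack)),
    }
    return [name for name, fired in rules.items() if fired]

# Constructed sample message (not a real email); addresses use reserved example domains.
SAMPLE = """From: "IT Security Team" <helpdesk@mail.example.net>
Subject: Action required: MFA re-enrollment
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your MFA token expires today. Scan the code immediately.
--b1
Content-Type: image/png

iVBORw0KGgo=
--b1--
"""

print(quishing_signals(SAMPLE, True, set(), "corp.example"))
```

Forwarding the list of fired rule names to the SIEM, rather than a single verdict, lets the alert threshold be tuned against the false-positive target in the Validation section.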

Step 5: Train Users on Quishing Recognition

  • Update security awareness program to include QR code phishing scenarios
  • Conduct quishing simulation campaigns using controlled QR codes
  • Teach users to verify QR destination URLs before entering credentials
  • Establish reporting process for suspicious QR code emails
  • Distribute guidance on safe QR scanning practices

Tools & Resources

  • Barracuda Multimodal AI: OCR + deep image processing for QR detection
  • Palo Alto ALFA: Safe-by-design QR code scanning assessment
  • Microsoft Defender for O365: QR code detection in email images
  • Proofpoint TAP: Image-based threat analysis with QR decoding
  • Lookout/Zimperium: Mobile threat defense with QR scanning

Validation

  • QR code phishing emails detected in controlled testing
  • Split QR code and ASCII QR code evasion techniques caught
  • QR-extracted URLs submitted to sandbox analysis
  • Mobile devices alert on malicious QR destinations
  • User reporting rate for quishing simulations exceeds 50%
  • False positive rate for QR detection below 1%
how to use detecting-qr-code-phishing-with-email-security

How to use detecting-qr-code-phishing-with-email-security on Cursor

AI-first code editor with Composer

1. Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add detecting-qr-code-phishing-with-email-security

2. Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$ npx skills install mukul975/Anthropic-Cybersecurity-Skills/detecting-qr-code-phishing-with-email-security

The skills CLI fetches detecting-qr-code-phishing-with-email-security from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3. Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf

4. Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/detecting-qr-code-phishing-with-email-security

Reload or restart Cursor to activate detecting-qr-code-phishing-with-email-security. Access the skill through slash commands (e.g., /detecting-qr-code-phishing-with-email-security) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Use Cases

Accelerate Code Development

Use skill to generate boilerplate code, refactor legacy code, and write tests faster

Example

Generate React component with TypeScript types, styled-components, and comprehensive test suite in minutes

Reduce development time by 40-60% for repetitive coding tasks

Code Review Automation

Systematically review code for bugs, security issues, and style violations

Example

Analyze pull requests for common anti-patterns, suggest performance improvements, flag security vulnerabilities

Catch 70%+ of code issues before human review, improve code quality

Debug Complex Issues

Trace errors through stack traces and identify root causes faster

Example

Analyze error logs, suggest probable causes, recommend fixes with code examples

Cut debugging time by 30-50%, especially for unfamiliar codebases

Learn New Technologies

Get explanations, examples, and best practices for unfamiliar frameworks

Example

Understand Next.js app router, learn Rust ownership, grasp Kubernetes concepts with practical examples

Accelerate learning curve by 2-3x, reduce onboarding time for new tech stacks

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill installation support
  • Basic understanding of programming concepts and version control (Git)
  • Code editor or IDE for testing generated code (VS Code, JetBrains, etc.)
  • Test environment separate from production for validating skill outputs

Time Estimate

15-30 minutes to install and see first useful output

Installation Steps

  1. Install the skill using provided installation command
  2. Verify skill is loaded in Claude Desktop (check ~/.claude/skills directory)
  3. Test skill with simple prompt: 'Help me review this code snippet'
  4. Gradually increase complexity: code generation → refactoring → architecture advice
  5. Review all generated code before committing to repository
  6. Iterate on prompts to improve output quality and relevance
  7. Share effective prompts with team for consistency

Common Pitfalls

  • Blindly trusting generated code without testing—always run tests and manual review
  • Not providing enough context about your project structure and coding standards
  • Expecting perfection on first generation—iteration and refinement are normal
  • Sharing proprietary code or API keys in prompts—maintain confidentiality
  • Over-relying on skill for critical security or business logic code
  • Skipping documentation of why AI-generated code was chosen over alternatives

Best Practices

✓ Do

  • Always review and test AI-generated code before merging
  • Provide clear context: language, framework, coding standards, constraints
  • Use for boilerplate, tests, docs—areas where mistakes are easily caught
  • Iterate on prompts: start broad, refine with specific requirements
  • Combine AI suggestions with human judgment and domain expertise
  • Document successful prompt patterns for team reuse
  • Keep version control so you can rollback if needed
  • Use skill for learning and exploration, not production-critical features initially

✗ Don't

  • Don't commit AI code without thorough testing and review
  • Don't expose sensitive code, credentials, or proprietary algorithms
  • Don't use for security-critical code (auth, crypto, payments) without expert review
  • Don't skip peer review process just because AI generated it
  • Don't assume code follows your team's conventions—verify
  • Don't let junior developers skip learning fundamentals by relying solely on AI
  • Don't ignore compiler warnings or test failures in generated code

💡 Pro Tips

  • Describe desired patterns explicitly: 'Use async/await, avoid callbacks'
  • Ask for alternatives: 'Show 3 approaches to solve this, with tradeoffs'
  • Request explanations: 'Explain why this approach is better than X'
  • Use skill for 70% generation + 30% manual refinement for best results
  • Build a prompt library for common patterns (API endpoints, components, tests)
  • Pair program with AI: describe problem → review solution → iterate → refine

When to Use This

✓ Use When

Use coding skills for boilerplate generation, code reviews, refactoring legacy code, writing tests, learning new frameworks, and debugging non-critical issues. Best for repetitive tasks where errors are easy to catch.

✗ Avoid When

Avoid for production security features (auth, encryption, payment processing), complex business logic requiring deep domain knowledge, performance-critical algorithms, or when learning fundamentals is more valuable than speed.

Learning Path

  1. Start with simple tasks: generate functions, write tests, explain code
  2. Progress to code review: analyze PRs, suggest improvements
  3. Advanced: architectural decisions, refactoring strategies, performance optimization
  4. Expert: use for exploring new paradigms, researching best practices, mentoring juniors

Integration

  • VS Code
  • JetBrains IDEs
  • Cursor
  • GitHub Copilot
  • Git workflows

general reviews

Ratings

4.8 (53 reviews)
  • Xiao Okafor· Dec 24, 2024

    We added detecting-qr-code-phishing-with-email-security from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Noor Jain· Dec 12, 2024

    Useful defaults in detecting-qr-code-phishing-with-email-security — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Chen Shah· Dec 8, 2024

    Registry listing for detecting-qr-code-phishing-with-email-security matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Arjun Torres· Nov 27, 2024

    detecting-qr-code-phishing-with-email-security fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Arjun Iyer· Nov 15, 2024

    detecting-qr-code-phishing-with-email-security reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Noor Martinez· Nov 3, 2024

    detecting-qr-code-phishing-with-email-security is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Benjamin Ramirez· Oct 22, 2024

    Keeps context tight: detecting-qr-code-phishing-with-email-security is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Arjun Diallo· Oct 18, 2024

    We added detecting-qr-code-phishing-with-email-security from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Anika Flores· Oct 6, 2024

    Registry listing for detecting-qr-code-phishing-with-email-security matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Arya Bansal· Sep 25, 2024

    Useful defaults in detecting-qr-code-phishing-with-email-security — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
