This week, we are joined by Juliana Testa, Senior Security Engineer from 7AI, sharing their work on "Quish Splash - When the QR Code Is the Weapon: A Multi-Wave Phishing Campaign That Slipped Past Every Filter." A large-scale “quishing” campaign used QR codes embedded in image attachments to hide phishing URLs, allowing 28 out of 33 emails to bypass SPF, DKIM, DMARC, and Microsoft Defender and land directly in inboxes. Each recipient received a unique QR code and tracking ID, defeating traditional detection methods and enabling attackers to scale the campaign to over 1.6 million emails across multiple organizations while shifting execution to less-secure mobile devices. The attack was ultimately uncovered through AI-driven alerting combined with human analysis and threat hunting, highlighting a major blind spot in email security and the need for QR code inspection, mobile protections, and tighter auto-reply controls. The research and executive brief can be found here: Quish Splash - When the QR Code Is the Weapon: A Multi-Wave Phishing Campaign That Slipped Past Every Filter. Learn more about your ad choices. Visit megaphone.fm/adchoices
Podzilla Summary coming soon
Sign up to get notified when the full AI-powered summary is ready.
Free forever for up to 3 podcasts. No credit card required.
Listen to This Episode
Get summaries like this every morning.
Free AI-powered recaps of Research Saturday and your other favorite podcasts, delivered to your inbox.
Free forever for up to 3 podcasts. No credit card required.