Attackers are generating QR codes with HTML tables instead of images to avoid email detection tools.
Security researchers at the SANS Internet Storm Center identified a phishing campaign that bypasses QR code detection by embedding QR codes directly into emails using HTML tables. Instead of attaching an image, attackers constructed the QR code pixel by pixel using a 35-by-35 table, allowing the message to evade scanners that only analyze image files. Cybernews reported that the activity occurred between December 22 and December 26, with emails prompting recipients to scan a code to review or sign a document.
Most email security tools detect QR threats by scanning image attachments or linked files. By rendering the QR code through basic HTML formatting, attackers avoided triggering those controls. Each square of the code was created using a table cell with a black or white background, producing a functional but slightly distorted QR image when viewed by recipients. The emails used minimal text and simple layouts, increasing delivery success. When scanned, the codes redirected users to credential harvesting pages designed to capture login information. Researchers noted that the approach relies on a mismatch between how humans and automated systems interpret email content.
SANS researchers explained that this technique exploits assumptions baked into security tooling, which often expects QR codes to appear as images. They noted that while the tactic itself is not new, its use in active phishing campaigns shows how small format changes can bypass layered defenses. The team also said that attackers continue to adapt delivery methods faster than detection logic can be updated, particularly in email environments where HTML rendering is widely permitted.
According to GBHackers, recent QR-based phishing runs have deliberately reduced emails to just a few lines of text and a single QR code. Analysts observed that scanning the codes redirected victims to credential-harvesting pages hosted on attacker-controlled domains, with landing URLs tailored to each recipient. That level of customization makes reputation-based detection and incident scoping more difficult, especially when the QR code is rendered through HTML rather than an image file.
Defenders warned that QR lures should be treated as phishing indicators regardless of how they appear in an email. Security teams are being encouraged to look beyond image scanning and inspect unusual HTML structures, correlate QR-related language with sender behavior, and apply layered inspection that extracts and analyzes encoded destinations before messages reach users. The pattern reinforces a familiar challenge: attackers continue to exploit assumptions built into email security tools, and small formatting changes can be enough to bypass established defenses.
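One way to inspect for the unusual HTML structure described above, shown as an added example rather than code from SANS or the cited reports: it parses each table in a message body into a grid of dark and light cells and flags grids that carry QR finder patterns in three corners. The function names, the exact black and white colour values, and the constructed sample (sized to give a 35-by-35 table) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

DARK, LIGHT = {"#000", "#000000", "black"}, {"#fff", "#ffffff", "white"}
FINDER = ["ddddddd", "dllllld", "dldddld", "dldddld", "dldddld", "dllllld", "ddddddd"]  # 7x7

def cell_colour(attrs):  # 'd' dark, 'l' light, '?' other; reads bgcolor or inline style
    m = re.search(r"background(?:-color)?\s*:\s*([^;]+)", attrs.get("style") or "", re.I)
    value = (m.group(1) if m else attrs.get("bgcolor") or "").strip().lower()
    return "d" if value in DARK else "l" if value in LIGHT else "?"

class TableGrids(HTMLParser):  # collects each table as row strings, one class per cell
    def __init__(self):
        super().__init__()
        self.tables, self._open = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._open.append([])
        elif tag == "tr" and self._open:
            self._open[-1].append("")
        elif tag in ("td", "th") and self._open and self._open[-1]:
            self._open[-1][-1] += cell_colour(dict(attrs))
    def handle_endtag(self, tag):
        if tag == "table" and self._open:
            self.tables.append(self._open.pop())

def qr_symbol_side(rows, min_side=21):
    """Side length in modules if the grid looks like a QR symbol, else 0."""
    ys = [y for y, r in enumerate(rows) if "d" in r]
    xs = [x for r in rows for x, c in enumerate(r) if c == "d"]
    g = [r[min(xs):max(xs) + 1] for r in rows[ys[0]:ys[-1] + 1]] if ys else []  # drop quiet zone
    if (n := len(g)) < min_side or any(len(r) != n or "?" in r for r in g):
        return 0
    corners = ((0, 0), (0, n - 7), (n - 7, 0))  # top-left, top-right, bottom-left
    return n if all([g[y + k][x:x + 7] for k in range(7)] == FINDER for y, x in corners) else 0

def find_qr_tables(html):
    """Return (table_rows, symbol_side) for every table that renders a QR-like grid."""
    parser = TableGrids()
    parser.feed(html)
    return [(len(t), s) for t in parser.tables if (s := qr_symbol_side(t))]

def sample_email(side=29, quiet=3):
    """Constructed sample: three finder patterns on a light grid, not a scannable code."""
    g = [["l"] * (side + 2 * quiet) for _ in range(side + 2 * quiet)]
    for oy, ox in ((0, 0), (0, side - 7), (side - 7, 0)):
        for k in range(49):
            g[quiet + oy + k // 7][quiet + ox + k % 7] = FINDER[k // 7][k % 7]
    td = {"d": '<td bgcolor="#000000"></td>', "l": '<td style="background:#fff"></td>'}
    return "<table>" + "".join("<tr>" + "".join(map(td.get, r)) + "</tr>" for r in g) + "</table>"
```

`find_qr_tables(sample_email())` returns `[(35, 29)]`; a hit is a signal to rasterise the grid, decode it, and analyse the destination before the message reaches the user.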
Many scanners are configured to analyze image files for embedded QR data, not HTML structures that visually resemble QR codes.
They often appear slightly compressed, but most users scanning quickly do not notice irregularities, especially on mobile screens.
The scan typically leads to a phishing site that requests login credentials or account verification details.
Yes. Researchers have reported steady growth as attackers look for ways to move victims away from monitored email environments.
They can restrict HTML rendering where possible, apply behavioral detection, educate users about scanning risks, and discourage scanning codes from unsolicited emails.