Barracuda: Split, Nested QR Codes Dodge Detection

Barracuda threat analysts have uncovered two innovative techniques—split and nested QR codes—being used by cyber attackers to help malicious QR codes evade detection in phishing attacks. The techniques, detailed in a new threat report, involve splitting a malicious QR code in two to confuse traditional scanning systems, or nesting the malicious QR code within or around a second, legitimate QR code.

Quishing is a form of phishing that involves the use of QR codes embedded with malicious links that, when scanned, redirect victims to fake websites designed to steal their credentials, or other sensitive information.

The analysts found the split and nesting techniques in attacks by leading phishing-as-a-service (PhaaS) kits Tycoon and Gabagool.

Split QR Codes

The Gabagool attackers were implementing split QR codes in a fake Microsoft ‘password reset’ scam. Their technique involves splitting the QR code into two separate images and embedding them close together in a phishing email. To the human eye it looks like a single QR code. However, when traditional email security solutions scan the message, they see two distinct and benign-looking images rather than one complete QR code. If the recipient scans the image, they are directed to a phishing website designed to steal credentials.

Nested QR Codes

The Tycoon PhaaS was found using the nesting technique to wrap a malicious QR code around a legitimate QR code. The toxic outer QR code pointed to a malicious URL, while the inner QR code leads to Google. This technique is likely designed to make it harder for scanners to detect the threat because the results are ambiguous.

“Malicious QR codes are popular with attackers because they look legitimate and can bypass traditional security measures such as email filters and link scanners,” said Saravan Mohankumar, Manager, Threat Analysis team at Barracuda. “Since recipients often have to switch to a mobile device to scan the code, it can take users out of the company security perimeter and away from protection. Attackers will keep trying new techniques to stay one step ahead of adapting security measures. It’s an area where integrated, AI-powered protection can really make a difference.”

Defending Against Evolving QR Codes

Alongside the essential basics of security awareness training, multifactor authentication, and robust spam and email filters, organisations should consider multi-layered email protection that integrates multimodal AI capability to detect rapidly evolving threats. Multimodal AI enhances detection by identifying, decoding, and inspecting the QR code without needing to extract the embedded content.

Read the full Barracuda blog on split and nested QR codes: https://blog.barracuda.com/2025/08/20/threat-spotlight-split-nested-qr-codes-quishing-attacks.