In the world of cybersecurity, the battle is a constant game of cat and mouse. As defenses evolve, so do the methods of attack. We’re sitting down with Dominic Jainy, an IT professional with deep expertise in the technologies shaping our future, to discuss a startlingly effective new tactic highlighted in a recent FBI alert: “quishing.” He’ll break down how North Korean threat actors are weaponizing simple QR codes to bypass sophisticated security, compromise high-value targets, and render traditional defenses obsolete. We’ll explore the anatomy of these attacks, from the initial email lure to the hijacking of secure cloud identities, and discuss the critical blend of technology and human awareness required to fight back.
We’re hearing a lot about ‘quishing,’ where attackers use QR codes in emails. From a technical standpoint, why is this method so effective at getting past the sophisticated security tools most organizations have in place?
It’s a clever trick, really, because it fundamentally shifts the battlefield. Corporate email security is built to inspect URLs and detonate suspicious links in a safe “sandbox” environment. But a QR code isn’t a link; it’s an image. Most security scanners see a harmless JPEG or PNG file and let it through. The attack only truly begins when the user pulls out their personal mobile phone to scan the code. This action moves the threat off the protected corporate network and onto a device that often lacks the same level of enterprise-grade security, completely bypassing the URL rewriting and sandboxing that would have caught a normal phishing link.
These aren’t just random attacks; they seem highly targeted at organizations like think tanks and government entities. Can you walk us through what a typical campaign from an actor like Kimsuky looks like, from the moment the target receives the email?
These campaigns are pure social engineering, executed with precision. An attack might start with an email sent to a senior fellow at a think tank, appearing to come from a real embassy employee. The email will create a pretext that feels legitimate and even urgent, perhaps asking for expert input on North Korean human rights issues. Embedded in the email is a QR code, which claims to lead to a secure drive with the relevant documents. In another case from June 2025, a firm received an invitation to a non-existent conference, with the QR code promising a registration page. The goal is always the same: lure the victim into scanning the code, which then directs their mobile browser to a perfectly crafted fake login page for Google, Microsoft 365, or another service, ready to harvest their credentials.
It’s alarming to hear that these attacks are considered an ‘MFA-resilient’ vector. How exactly do adversaries manage to bypass multi-factor authentication and hijack a cloud identity even when it’s enabled?
This is the most critical part to understand. The attackers aren’t just after your password anymore. When you land on their fake portal and enter your username, password, and then approve the multi-factor authentication (MFA) push notification, they capture more than just your login details. In that moment, they intercept the session token that your browser generates to prove you are authenticated. This token is like a temporary master key. The attackers can then “replay” this token on their own machine to gain access to your cloud account, completely bypassing the need to authenticate again. Because the compromise originates on an unmanaged mobile device, it’s outside the view of normal endpoint detection, allowing them to hijack the identity without setting off alarms.
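The token replay described above is visible on the identity-provider side if sign-in logs are correlated per session. The following Go program is an added example for this page, not code from the interview, the FBI alert, or any vendor: it binds each session token to the IP address and client string that completed MFA, then flags any later use of that token from a different origin, or a token with no MFA completion on record at all. The log format, user names and addresses are constructed for the example (RFC 5737 documentation ranges), and the field names are assumptions, not a real product's schema.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AuthEvent is one line of a constructed identity-provider sign-in log.
// "mfa_success" records where the user completed MFA; "token_used" records
// each later request that presented the resulting session token.
type AuthEvent struct {
	Time    time.Time `json:"ts"`
	Event   string    `json:"event"`
	User    string    `json:"user"`
	Session string    `json:"session"`
	IP      string    `json:"ip"`
	UA      string    `json:"ua"`
}

// Alert is one finding: a session token presented from somewhere other than
// where its MFA ceremony took place.
type Alert struct {
	Session string
	User    string
	At      time.Time
	Reason  string
}

// sampleLog is constructed for this example. Session s-111 is completed on
// alice's phone and later replayed from an unrelated address by a scripted
// client; s-333 is presented with no MFA completion on record.
const sampleLog = `
{"ts":"2025-06-12T09:14:05Z","event":"mfa_success","user":"alice","session":"s-111","ip":"203.0.113.10","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) Safari/604.1"}
{"ts":"2025-06-12T09:14:09Z","event":"token_used","user":"alice","session":"s-111","ip":"203.0.113.10","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) Safari/604.1"}
{"ts":"2025-06-12T09:15:30Z","event":"mfa_success","user":"bob","session":"s-222","ip":"192.0.2.5","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"}
{"ts":"2025-06-12T09:15:41Z","event":"token_used","user":"bob","session":"s-222","ip":"192.0.2.5","ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"}
{"ts":"2025-06-12T09:16:40Z","event":"token_used","user":"alice","session":"s-111","ip":"198.51.100.77","ua":"python-requests/2.31.0"}
{"ts":"2025-06-12T09:20:02Z","event":"token_used","user":"carol","session":"s-333","ip":"198.51.100.77","ua":"python-requests/2.31.0"}
`

// parseEvents reads one JSON object per line, skipping blank lines.
func parseEvents(raw string) ([]AuthEvent, error) {
	var events []AuthEvent
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev AuthEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		events = append(events, ev)
	}
	return events, sc.Err()
}

// mfaOrigin is the network/client fingerprint captured when MFA succeeded.
type mfaOrigin struct{ ip, ua string }

// FindReplays binds each session to the origin that completed MFA and flags
// every later use of that session from a different IP or client string.
func FindReplays(events []AuthEvent) []Alert {
	bound := map[string]mfaOrigin{}
	var alerts []Alert
	for _, ev := range events {
		switch ev.Event {
		case "mfa_success":
			bound[ev.Session] = mfaOrigin{ip: ev.IP, ua: ev.UA}
		case "token_used":
			o, ok := bound[ev.Session]
			if !ok {
				alerts = append(alerts, Alert{Session: ev.Session, User: ev.User, At: ev.Time,
					Reason: "token presented with no MFA completion on record"})
				continue
			}
			var reasons []string
			if o.ip != ev.IP {
				reasons = append(reasons, "ip "+o.ip+" -> "+ev.IP)
			}
			if o.ua != ev.UA {
				reasons = append(reasons, "client changed to "+ev.UA)
			}
			if len(reasons) > 0 {
				alerts = append(alerts, Alert{Session: ev.Session, User: ev.User, At: ev.Time,
					Reason: "session token replayed: " + strings.Join(reasons, "; ")})
			}
		}
	}
	return alerts
}

func main() {
	events, err := parseEvents(sampleLog)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, a := range FindReplays(events) {
		fmt.Printf("%s %-6s %s: %s\n", a.At.Format(time.RFC3339), a.User, a.Session, a.Reason)
	}
}
```

Two alerts come out of the sample: s-111 replayed from 198.51.100.77 by a scripted client, and s-333 used without any observed MFA. In production the exact-match comparison is too strict for phones, which change address when they move between Wi-Fi and cellular; a rule would compare ASN or country and the user-agent family instead, and would add the token's expected lifetime so that a very late use is also flagged.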
For organizations defending against this threat, what does a multi-layered technical response look like in practice?
A robust defense has to operate on multiple fronts because the attack does. First, you have to upgrade your access security. This means demanding phishing-resistant MFA for all sensitive systems, which is a step beyond the simple code-based authentication that can be easily phished. Second, you must extend your security perimeter to the mobile devices themselves. Using a Mobile Device Management (MDM) solution isn’t just about controlling apps; it should be configured to proactively scan QR codes before the device’s browser is even allowed to open the linked resource. Finally, this must be paired with diligent backend monitoring, which includes logging all credential entries and network activity that follows a QR code scan, so you can spot anomalous behavior if a compromise does occur.
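The reason "phishing-resistant" MFA such as FIDO2/WebAuthn holds up against the fake login page is that the browser, not the page, writes the origin into the data the authenticator signs, so a credential exercised on a look-alike host produces an assertion the real service rejects. The Go program below is an added example for this page, not code from the interview or from any WebAuthn library: it simulates the relying-party verification steps that matter here (type, challenge, origin, rpIdHash, signature) and runs three cases: the user at the real site, the user lured to a phishing host, and a relay that rewrites the origin before forwarding. The hostnames are assumptions. Real implementations also decode CBOR/COSE keys, check the user-verification flag and the signature counter, and the browser itself refuses to use a credential for an unrelated origin before any of this runs.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// clientData mirrors the CollectedClientData the browser builds; the origin
// is filled in by the browser from the page's real location.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Hostnames are assumptions for this example.
const (
	rpID        = "example.com"
	legitOrigin = "https://mail.example.com"
	phishOrigin = "https://mail-example-com.login-portal.test"
)

var b64 = base64.RawURLEncoding

// signAssertion plays the browser + authenticator: build authenticatorData
// (rpIdHash, flags, counter) and clientDataJSON for the origin the browser
// actually sees, then sign SHA-256(authData || SHA-256(clientDataJSON)).
func signAssertion(priv *ecdsa.PrivateKey, origin string, challenge []byte) (authData, cdJSON, sig []byte, err error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(authData, rpHash[:]...)
	authData = append(authData, 0x01) // flags: user present
	counter := make([]byte, 4)
	binary.BigEndian.PutUint32(counter, 1)
	authData = append(authData, counter...)

	cdJSON, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: b64.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return nil, nil, nil, err
	}
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, cdJSON, sig, err
}

// verifyAssertion is the relying party's side of the check.
func verifyAssertion(pub *ecdsa.PublicKey, challenge, authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected clientData type")
	}
	if cd.Challenge != b64.EncodeToString(challenge) {
		return errors.New("challenge mismatch (replayed assertion?)")
	}
	if cd.Origin != legitOrigin {
		return fmt.Errorf("origin %q is not the relying party origin", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature invalid")
	}
	return nil
}

// Run returns the verification result for the three cases.
func Run() (legit, phished, patched error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err, err, err
	}
	ad, cd, sig, _ := signAssertion(priv, legitOrigin, challenge)
	legit = verifyAssertion(&priv.PublicKey, challenge, ad, cd, sig)

	ad, cd, sig, _ = signAssertion(priv, phishOrigin, challenge)
	phished = verifyAssertion(&priv.PublicKey, challenge, ad, cd, sig)

	// The relay rewrites the origin string, but the signature covers the
	// original clientDataJSON, so the hash no longer matches.
	fixed := []byte(strings.Replace(string(cd), phishOrigin, legitOrigin, 1))
	patched = verifyAssertion(&priv.PublicKey, challenge, ad, fixed, sig)
	return legit, phished, patched
}

func main() {
	l, p, f := Run()
	fmt.Println("real site:     ", l)
	fmt.Println("phishing host: ", p)
	fmt.Println("patched origin:", f)
}
```

Contrast this with a TOTP code or a push approval: neither carries the origin, so whatever the user types or taps on the fake page is equally valid on the real one, which is exactly the gap the interview describes.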
Beyond technology, there’s a significant human element to this. What specific talking points or simulations should be included in employee awareness training for quishing, and what should a clear, step-by-step protocol for reporting and verifying a suspicious QR code look like?
Employee training has to evolve beyond just “don’t click on strange links.” You need to incorporate specific simulations where employees receive emails with QR codes so they can experience the lure firsthand in a safe environment. The core message should be to treat any unsolicited QR code with extreme suspicion, no matter how legitimate the source appears. The protocol must be simple and absolute: if you receive an unexpected QR code, do not scan it. Instead, verify the request through a secondary channel, like calling the sender on a known phone number. Then, there must be a clear, one-step process for reporting the email to the security team so it can be analyzed and used to warn others.
What is your forecast for the evolution of “quishing” and other mobile-centric phishing attacks?
I believe we’re at the beginning of a significant trend. Attackers have identified a major seam in enterprise security: the gap between the protected corporate environment and the often-unmanaged personal devices employees use for work. Quishing is a high-confidence, low-cost way to exploit that seam. I forecast these attacks will become more sophisticated and more common, targeting a wider range of industries. The focus will remain squarely on MFA-resilient techniques like session token theft, as this is the key to deep, persistent access in modern cloud environments. The next evolution will likely involve even more personalized lures and automated credential harvesting platforms that are harder to detect and take down.
