How could organizations have prevented or detected this attack?

Implementing advanced anomaly and content-based detection, layered email security beyond image analysis, and continuous user awareness training are key to catching such non-traditional phishing methods.

Why are HTML-rendered QR codes effective at evading defenses?

Most email security tools specifically analyze image attachments for malicious QR codes, leaving HTML table-based representations less scrutinized and thus more likely to reach end users.

Innovative Phishing Campaign Evades Detection with HTML Table-Based QR Codes

Q: What compliance gaps could this phishing technique expose?

HTML-rendered QR codes can bypass automated detection controls, potentially exposing organizations to breaches of HIPAA, PCI DSS, and NIST requirements for monitoring and filtering malicious content in electronic communications.

A 2023 phishing campaign employed imageless, HTML-rendered QR codes to compromise email defenses and redirect victims to credential harvesting sites.

Published: January 11, 2026

Share this on:

Executive Summary

In late December 2023, a novel phishing campaign was observed in which attackers delivered emails containing QR codes crafted not from traditional images, but rendered using HTML tables. The campaign targeted end users with messages between December 22nd and December 26th, embedding visually normal but technically 'imageless' QR codes. When scanned, these QR codes redirected victims to phishing domains customized per recipient, aiming to harvest credentials. By sidestepping standard image-based security controls, these emails successfully bypassed common email security gateways designed to detect embedded malicious QR codes.

This incident highlights adversary innovation in evading current email security technologies by exploiting overlooked content formats. It underscores ongoing risks as attackers adapt tactics to defeat both legacy and modern defensive controls. As sophisticated phishing methods proliferate, organizations must focus on layered defenses and continuous user education.

Why This Matters Now

Attackers are increasingly bypassing established email defenses by rendering malicious content through unconventional methods, such as HTML-based QR codes. This approach evades detection by traditional image-analysis tools, emphasizing the urgent need for organizations to update both their technical controls and user training to counter rapidly evolving phishing techniques.

Attack Path Analysis

Attackers delivered phishing emails with QR codes rendered via HTML tables to evade image-based detection, tricking users into scanning and visiting malicious websites. Upon login at these sites, victims may have unknowingly supplied credentials or access tokens. With compromised credentials, adversaries could attempt to access more privileged cloud resources. If successful, lateral movement may be possible within the cloud environment. Adversaries establish communication with their infrastructure for control or further exploitation, and may exfiltrate sensitive data. The final impact depends on how the stolen information is used, including potential account takeover or data breach.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Lowinferred

Impact

Lowinferred

Initial Compromise

Description

Users receive phishing emails using cleverly rendered HTML table QR codes that link to malicious domains, enticing victims to scan and authenticate, leading to credential harvesting.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2024-8914
CVSS 7.2
A stored cross-site scripting vulnerability in the Thanh Toán Quét Mã QR Code Tự Động plugin allows unauthenticated attackers to inject malicious scripts into web pages.
Affected Products:
Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay – <= 2.0.1
Exploit Status:
no public exploit
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-8914 https://cve.armis.com/cve-2024-8914
CVE-2023-5567
CVSS 6.5
The QR Code Tag plugin for WordPress is vulnerable to stored cross-site scripting via the 'qrcodetag' shortcode, allowing authenticated attackers to inject arbitrary web scripts.
Affected Products:
WordPress QR Code Tag Plugin – <= 1.0
Exploit Status:
no public exploit
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-5567

MITRE ATT&CK® Techniques

Technique selection reflects phishing via QR code obfuscation, defense evasion through HTML rendering and impersonation tactics. For full enrichment, further STIX/TAXII correlation may be performed.

Initial Access

T1566.001

Phishing: Spearphishing Attachment

Initial Access

T1566.002

Phishing: Spearphishing Link

Execution

T1204.001

User Execution: Malicious Link

Defense Evasion

T1036

Masquerading

Defense Evasion

T1140

Deobfuscate/Decode Files or Information

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

Reconnaissance

T1598.002

Phishing for Information: Spearphishing via Service

Defense Evasion

T1562

Impair Defenses

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS v4.0 – Anti-Phishing Mechanisms

Control ID: 5.4.1

Attack bypassed standard email anti-phishing safeguards by obfuscating the malicious QR code through HTML tables, undermining technical controls mandated to detect and block phishing attempts targeting payment data environments.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident highlights inadequate adaptation of policy and controls to evolving social engineering tactics, exposing weaknesses in organizational defenses and user training as required under NYDFS cybersecurity policies.

DORA (Digital Operational Resilience Act) – ICT Risk Management Framework

Control ID: Art. 8(2)

Failure to anticipate and detect novel obfuscation techniques for phishing content demonstrates insufficient operational resilience and monitoring capabilities as outlined in DORA.

CISA Zero Trust Maturity Model 2.0 – Continuous Detection and Analysis of Communication Channels

Control ID: Email & Communication Protection

Email defense mechanisms did not adequately analyze nontraditional encodings of malicious content, such as HTML-rendered QR codes, exposing gaps in layered zero trust protections for user communications.

NIS2 Directive – Security of Network and Information Systems

Control ID: Article 21(2)(d)

Inadequacies in detecting sophisticated social engineering indicated nonconformance with requirements for ensuring the security and integrity of network and information systems against phishing threats.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

HTML table-based QR code phishing bypasses traditional security controls, threatening transaction authentication systems and requiring enhanced egress security policy enforcement capabilities.

Health Care / Life Sciences

Imageless QR code techniques evade detection mechanisms, compromising patient data access portals and violating HIPAA compliance requirements for secure communication protocols.

Computer Software/Engineering

Novel HTML rendering attacks exploit assumptions in security tooling, necessitating zero trust segmentation and enhanced threat detection capabilities for software development environments.

Higher Education/Acadamia

QR code phishing campaigns target credential harvesting through academic portals, requiring improved user awareness training and multicloud visibility control implementations.

Sources

A phishing campaign with QR codes rendered using an HTML table, (Wed, Jan 7th)https://isc.sans.edu/diary/rss/32606
Verified

Cybercriminals use HTML to hide QR code phishinghttps://cybernews.com/security/cybercrooks-use-html-to-hide-qr-code-phishing/

Verified

HTML tables facilitate clandestine QR code phishinghttps://www.scworld.com/brief/html-tables-facilitate-clandestine-qr-code-phishing

Verified

Frequently Asked Questions

HTML-rendered QR codes can bypass automated detection controls, potentially exposing organizations to breaches of HIPAA, PCI DSS, and NIST requirements for monitoring and filtering malicious content in electronic communications.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Zero Trust segmentation, egress controls, and continuous threat detection could have limited attacker movement, blocked malicious outbound connections, and detected anomalous QR code phishing patterns within the environment, substantially reducing risk at multiple kill chain stages.

Initial Compromise

Control: Threat Detection & Anomaly Response

Mitigation: Early phishing or unusual traffic patterns flagged for investigation.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Privilege escalation attempts are blocked by least-privilege and identity-based segmentation.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Detection and control of unauthorized internal traffic limits movement.

Command & Control

Control: Egress Security & Policy Enforcement

Mitigation: Outbound connections to malicious domains are blocked or logged for threat investigation.

Exfiltration

Control: Cloud Firewall (ACF)

Mitigation: Exfiltration channels are blocked, data loss is minimized.

Impact (Mitigations)

Automated enforcement and visibility reduce the window of impact and support rapid response.

Impact at a Glance

Affected Business Functions

Email Communications
User Authentication

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of user credentials and sensitive information due to phishing attacks leading to unauthorized access.

Recommended Actions

• Enhance email and endpoint detection for abnormal QR code and HTML-based phishing tactics.
• Enforce Zero Trust segmentation and identity-aware access controls to prevent lateral movement with compromised credentials.
• Implement robust egress filtering and DNS/FQDN controls to block malicious outbound and C2 connections.
• Maintain comprehensive east-west traffic visibility to detect and restrict suspicious workload communication.
• Continuously update threat intelligence and anomaly detection mechanisms to quickly flag emerging phishing delivery methods.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Innovative Phishing Campaign Evades Detection with HTML Table-Based QR Codes

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2024-8914

Affected Products:

Exploit Status:

References:

CVE-2023-5567

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Phishing: Spearphishing Attachment

Phishing: Spearphishing Link

User Execution: Malicious Link

Masquerading

Deobfuscate/Decode Files or Information

Application Layer Protocol: Web Protocols

Phishing for Information: Spearphishing via Service

Impair Defenses

Potential Compliance Exposure

PCI DSS v4.0 – Anti-Phishing Mechanisms

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA (Digital Operational Resilience Act) – ICT Risk Management Framework

CISA Zero Trust Maturity Model 2.0 – Continuous Detection and Analysis of Communication Channels

NIS2 Directive – Security of Network and Information Systems

Sector Implications

Financial Services

Health Care / Life Sciences

Computer Software/Engineering

Higher Education/Acadamia

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads