By Excello Mail Team

QR Code Phishing Surged 146% in Q1 2026: What DMARC Can and Cannot Stop

Microsoft detected 8.3 billion email phishing threats in the first quarter of 2026. QR code attacks grew 146%. One campaign delivered 1.6 million phishing emails by passing DMARC authentication legitimately. Here is what that means for your defenses.

Microsoft Threat Intelligence published its Q1 2026 email threat landscape report on April 30. The headline figure was 8.3 billion email-based phishing threats detected in the first three months of the year. Monthly volumes ran from 2.9 billion in January to 2.6 billion in March, which sounds like a decline until you read what was actually growing inside those numbers.

QR code phishing, a technique security researchers call quishing, grew 146% over the quarter, rising from 7.6 million attacks in January to 18.7 million in March. It was the fastest-growing attack vector tracked in the report. In March alone, QR codes embedded directly in email bodies rather than inside attachments surged 336%. CAPTCHA-gated phishing more than doubled in the same month.

These numbers represent the volume of attacks that were detected and blocked. The campaigns that slipped through are, by definition, not in the count.

The Quish Splash Campaign: How Attackers Passed Every Filter

In March 2026, security researchers at 7AI published an analysis of a quishing operation they named “Quish Splash.” The campaign ran across three waves between February 26 and March 18, 2026. The researchers initially observed 28 phishing emails reaching enterprise inboxes undetected. When they examined the attacker’s tracking infrastructure, the actual campaign scale became clear: over 1.6 million emails delivered to organizations across multiple industries in less than three weeks.

The emails passed SPF, DKIM, and DMARC authentication. Not because those controls failed, but because the attackers had configured them correctly on their own domain.

This is worth slowing down on. The attackers did not spoof a legitimate brand’s domain. They registered a domain of their own, published valid SPF records, configured DKIM signing, and set a DMARC policy. The emails arrived at receiving mail servers appearing to be exactly what they claimed to be: authenticated messages from a known sending source.

The payload was invisible to every text-based scanner in the delivery path. The attackers encoded phishing URLs inside BMP image files attached to the messages. No link appeared in the email body that a URL scanner could evaluate. Each recipient received a unique QR code embedded in the image, which defeated bulk-sample detection systems. Scanning the QR code redirected the victim to a credential-harvesting page, and because the user had shifted from an enterprise-secured laptop to a personal mobile device, they also left behind the security tooling their employer had deployed.

What DMARC Does and Does Not Stop

The Quish Splash campaign illustrates an important boundary in what DMARC can protect against.

DMARC stops domain spoofing. If an attacker wants to send emails claiming to come from your organization’s domain, a DMARC record at p=reject tells every receiving mail server in the world to reject those messages. The attacker cannot successfully impersonate your domain’s email identity without producing an SPF or DKIM pass that aligns with that domain. That protection is real, it is globally enforced, and it eliminates an entire category of attack that would otherwise scale with no technical barrier.

What DMARC does not stop is an attacker who registers a fresh domain, authenticates it correctly, and uses it to conduct a campaign. In the Quish Splash operation, DMARC worked exactly as designed: it correctly identified the sending domain as authenticated. The problem was not the authentication result. The problem was that the authenticated domain was controlled by attackers.
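
To make that boundary concrete, here is a simplified DMARC evaluation (an added example, not code from Excello Mail or from the 7AI report) that applies the relaxed alignment rule to three constructed cases: a spoof of an organization's domain, a Quish Splash-style message from an attacker-owned domain, and a forwarded message. The organizational-domain lookup is a two-label shortcut rather than a Public Suffix List query, and all domain names are placeholders.

```python
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Approximate organizational domain (last two labels).
    Assumption: real receivers consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResults:
    header_from: str   # RFC 5322 From domain the user sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # RFC 5321 MAIL FROM domain SPF was checked against
    dkim_result: str
    dkim_domain: str   # d= tag of the DKIM signature


def dmarc_evaluate(r: AuthResults, policy: str, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with From."""
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.header_from, r.dkim_domain, adkim)
    passed = spf_ok or dkim_ok
    disposition = "none" if passed or policy == "none" else policy
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": disposition}


# Constructed cases. example.org stands in for a protected organization,
# attacker-owned.example for a freshly registered campaign domain.
SPOOFED_BRAND = AuthResults("example.org", "pass", "attacker-owned.example",
                            "pass", "attacker-owned.example")       # authenticated, but nothing aligns
QUISH_SPLASH_STYLE = AuthResults("attacker-owned.example", "pass", "attacker-owned.example",
                                 "pass", "attacker-owned.example")  # attacker's own domain, all aligned
FORWARDED = AuthResults("example.org", "fail", "forwarder.example",
                        "pass", "example.org")                      # SPF broke in transit, DKIM survives
```

With p=reject on example.org the spoof is rejected, the forwarded mail still passes on DKIM, and the attacker-owned domain passes because, as the text says, the authentication result is correct: the domain simply belongs to the attacker.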

Understanding this boundary is not an argument against DMARC. It is an argument for understanding what each control in a security stack does. DMARC belongs in every organization’s email security posture. It just does not make every other layer of defense unnecessary.

Why QR Codes Bypass Standard Email Security

The mechanics of why QR codes evade conventional email security controls are straightforward once you understand what those controls actually scan.

Spam filters, URL scanners, and content-analysis tools operate primarily on text. They extract links from email bodies and HTML, check those links against threat intelligence databases, evaluate the text of the message for suspicious patterns, and score the message based on what they find.

A phishing URL encoded as a QR code inside an image file is invisible to this entire process. No link exists in the email text for a scanner to extract. The image itself contains the threat, but image analysis for embedded QR codes is computationally expensive and was not a standard component of most email gateway architectures when QR code phishing was a novelty.
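
The gap described above can be seen by running a text-only URL extractor over a message shaped like the campaign. The following is an added example, not code from the page's vendor or from any gateway product: it builds a constructed MIME message whose body contains no link and whose only payload is an image attachment (a stand-in BMP, not a real QR image), shows that the text scanner finds nothing, and routes any image part to a separate QR-decoding stage (the decoder itself, e.g. a library such as pyzbar, is assumed to exist and is not included).

```python
import re
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def build_sample() -> EmailMessage:
    """Constructed sample: lure text with no URL, phishing QR carried inside a BMP attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@attacker-owned.example"   # placeholder campaign domain
    msg["To"] = "employee@example.org"
    msg["Subject"] = "Action required: scan to review your document"
    msg.set_content("Your document is ready. Scan the attached code with your phone to review it.")
    fake_bmp = b"BM" + bytes(60)   # constructed stand-in for a BMP that would contain a QR code
    msg.add_attachment(fake_bmp, maintype="image", subtype="bmp", filename="document.bmp")
    return msg


def text_urls(msg: EmailMessage) -> list:
    """What a conventional URL scanner sees: links in text/plain and text/html parts only."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            urls += URL_RE.findall(part.get_content())
    return urls


def image_parts(msg: EmailMessage) -> list:
    """Every image part, attached or inline (a Content-ID marks an image embedded in the body)."""
    return [(part.get_filename() or "(inline)", part.get_content_type(),
             part.get("Content-ID") is not None)
            for part in msg.walk() if part.get_content_maintype() == "image"]


def triage(msg: EmailMessage) -> dict:
    """Gateway decision: text scanning alone is not enough when image parts are present,
    so such messages are sent on to a QR-decoding stage before delivery."""
    urls = text_urls(msg)
    images = image_parts(msg)
    return {"text_urls": urls, "images": images, "route_to_qr_decoder": bool(images)}
```

The decoded URL from that stage is then fed back into the same link analysis the text scanner already performs, which is the capability the text says several vendors have added.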

QR code phishing has not been a novelty for some time. Quishing accounted for 12% of all phishing attacks globally in 2025, up from 0.8% in 2021. Mimecast alone detected over 716,000 unique malicious QR codes in a single quarter of 2025. The technique has industrialized, and the organizations that built their email security around text-based detection have a significant gap.

The Mobile Device Problem

There is a second layer to why quishing is particularly effective that has nothing to do with email security technology.

When an employee scans a QR code in an email on their work laptop, they typically do so with their personal mobile phone. The moment that happens, the session moves from a device under the organization’s security management to a device that may have no enterprise security tooling at all: no endpoint detection, no web filtering, no certificate inspection, no conditional access policy enforcement.

An attacker who delivers a QR code phishing page to an employee’s mobile browser is operating in an environment where the organization has very little visibility and even less control. Even if the employee’s laptop would have blocked the phishing URL, the phone might not.

Microsoft’s Q1 report documented a corresponding shift in attacker technique: 78% of email threats were link-based, but the trend toward QR codes and payload-in-image delivery is explicitly framed as a response to defenders getting better at link analysis. Attackers adapt to what security controls are actually checking, and they have been adapting to bypass text-based email scanners for years.

What a Layered Defense Actually Looks Like

The right response to quishing is not to abandon email security fundamentals. It is to add the layers that quishing actually requires.

DMARC enforcement on your own domain remains essential. The Quish Splash attackers did not spoof anyone’s domain. But plenty of other quishing campaigns do spoof legitimate domains to add credibility to their lures. Your DMARC record at p=reject prevents your domain from being used as the spoofed identity in those campaigns. It also protects your recipients from receiving spoofed mail that appears to come from you. That protection matters even if it does not directly stop a Quish Splash-style fresh-domain campaign.

DMARC reporting reveals your authentication footprint. Aggregate reports from your DMARC record show every source sending mail in your domain’s name. If attackers are probing or testing against your domain, or if a vendor in your supply chain is unknowingly being used as a relay, that activity often surfaces in aggregate report data before it surfaces anywhere else.

QR code-aware gateway controls address the detection gap. Several major email security vendors have added QR code image extraction and link analysis to their scanning stacks in the past eighteen months. If your email security gateway does not include this capability, the Quish Splash numbers illustrate what that gap costs.

BIMI makes legitimate sender identity visually verifiable. A brand logo visible in a BIMI-enabled inbox is a signal that the sending domain has passed DMARC enforcement and completed third-party VMC verification. It does not stop fresh-domain quishing campaigns, but it gives recipients a reliable positive signal for identifying legitimate mail from your brand, which makes spoofed or impersonating messages easier to recognize by contrast.

Mobile device management and web filtering for managed mobile devices close the device-shift gap. If employees scan QR codes on managed mobile devices with web filtering enforced, the session stays inside the organization’s security perimeter. Unmanaged personal devices remain a gap, but reducing the number of scenarios where a victim’s session falls entirely outside enterprise security coverage reduces the attack surface.

The Broader Trend Behind the Numbers

The 146% growth in QR code phishing over a single quarter is not a surprise to researchers who have been watching the technique since 2023. It is a predictable consequence of defenders improving at one thing and attackers responding by shifting to something else.

Credential phishing represented 94% of payload-based attacks by March 2026, according to Microsoft’s data. The goal of the campaign is consistent: get the target to enter credentials. The delivery mechanism is variable: links, attachments, QR codes, CAPTCHA gates, any technique that evades the current generation of detection at scale. When one technique gets caught more reliably, volume shifts to another.

Microsoft’s March disruption of the Tycoon2FA phishing-as-a-service platform caused associated email volume to drop 15% for the remainder of the month. The group adapted by shifting hosting providers. The volume recovered. The pattern is consistent across the history of email-based attacks: campaigns that get disrupted adapt and return, and the aggregate volume is determined more by attacker economics than by any single defensive intervention.

The controls that remain effective across this evolution are those that operate on properties that are harder for attackers to fake. Authenticated sender identity, verified by DMARC against SPF and DKIM, is one such property. A fresh malicious domain can be authenticated, but it carries no reputation, no established history, and no brand recognition. Those signals, when combined with sender authentication, form a more durable detection surface than content scanning alone.

