Phishing Forensics

Quishing Forensics: Beyond the Buzzword to the Email Header

QR code phishing bypasses URL scanners by hiding in plain sight; your defense starts with treating the image as a payload and the headers as the map.

MailSleuth Research
Email Security Team
May 15, 2026 · 7 min read

[Cover image: an overhead view of a dark maze whose walls are made of QR code patterns, with a glowing teal fishing hook at its center]

The alert lands in your queue. A user forwarded a suspicious email with the subject 'Action Required: Multi-Factor Authentication Update'. No links in the body, no malicious attachments flagged by the gateway. The message body is just one centered image: a QR code.

This is 'quishing', QR code phishing, and it is effective precisely because it sidesteps a decade of security tooling built to parse text. Most Secure Email Gateways (SEGs) look for `href` attributes in HTML and plaintext URLs. They are not decoding every inline image: QR decoding (usually lumped in with OCR) costs real CPU per image and, until recently, was a solution in search of a problem.

Attackers are exploiting this gap. They know your scanner sees an inert `image/png` and gives it a pass. But for an analyst, that image isn't inert. It's a container for the real payload, and deconstructing it is pure, fundamental email forensics.

Anatomy of an Evasion: Why Scanners Are Blind

Your email gateway is brutally efficient because it makes assumptions. It assumes malicious links live in predictable places: `text/plain` parts of a MIME message or anchor tags within the `text/html` part. It can parse these structures in microseconds, check the URL against reputation feeds, and drop or quarantine the message before it ever hits an inbox.

A QR code blows this model up. The URL isn't text; it's pixels. It’s encoded in an `image/jpeg` or `image/png` file, which is then embedded directly into the email body. To a traditional scanner, the email contains harmless HTML that just happens to display an image. It has no more reason to be suspicious of a QR code image than it does of your company's logo in the email signature.

The CID Embedding Trick

Threat actors typically embed these images using the CID (Content-ID) method: the HTML body and the image travel together in a `multipart/related` structure (RFC 2387), and the HTML references the image through a `cid:` URI (RFC 2392) whose value matches the image part's `Content-ID` header. Instead of hosting the image on an external server and linking to it, they attach the image to the email itself as a distinct MIME part. This makes the email self-contained, ensuring the QR code renders even in email clients that block external images by default. It also means the entire malicious package, phishing lure and all, is delivered in one neat bundle.

This isn't a flaw in the SEG, it's a design trade-off. Running OCR on every single image in every single email would introduce significant latency and processing overhead. Attackers simply found the path of least computational resistance.

The Forensic Chain: From Image to URL

When you get one of these, don't reach for your phone to scan the code. That is an uncontrolled action: a phone sits outside your proxy and logging, which is part of why attackers like QR codes in the first place, and scanning the code puts your device and network at risk. The investigation happens on your analysis machine, where you can contain the threat. Your job is to reverse the attacker's steps: extract the image, decode the data, and analyze the resulting URL in a sandbox.

Step 1: Extracting the Image from the MIME Body

First, get the raw source of the email. You're looking for the MIME structure. You'll see the `text/html` part that contains the message body, and within it, an image tag like `<img src="cid:some_unique_identifier">`. That `Content-ID` is your key.

Scroll down through the raw source until you find the corresponding MIME part for the image. It will have headers declaring the `Content-Type` (e.g., `image/png`), a `Content-Transfer-Encoding` (almost always `base64`) and a `Content-ID` that matches the `src` attribute; note that the `Content-ID` value is wrapped in angle brackets (`<id>`) while the `cid:` reference in the HTML omits them. Below those headers is a block of base64-encoded text. This is your image file. Copy that block, decode it using a tool like `base64 -d`, and save it to a file (e.g., `qr_payload.png`).

Step 2: Decoding the QR Code Safely

With the image file saved, you can now decode it from the command line. Tools like `zbarimg` are perfect for this. Running `zbarimg qr_payload.png` prints the symbol type and the decoded data (`QR-Code:https://...`) to your terminal. If you need to automate, Python libraries such as `pyzbar` (bindings to the same libzbar) or OpenCV's `cv2.QRCodeDetector` do the same job in a few lines of script.

The output is whatever the attacker encoded, usually the malicious URL. Now you're back on familiar ground. Expect it to pass through a link shortener or an open redirect on a trusted domain before the real landing page, so follow the whole chain. Submit the URL to a sandbox service like urlscan.io (use a private or unlisted scan, since public results are visible to anyone, the attacker included). Look for redirection chains, drive-by downloads, and the final landing page. Is it a credential harvesting form skinned to look like your company's SSO page? Document the entire chain.
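The extraction and decoding steps above, as an added Python example that is not part of the original post. It builds a constructed lure in the shape described under "The CID Embedding Trick" (`multipart/related`, an HTML body containing only `<img src="cid:...">`, the image attached with a matching `Content-ID`), then resolves the `cid:` reference with the standard library, base64-decodes the part, hashes it and writes it to disk. The image bytes are a stand-in 1x1 PNG, not a real QR code, so `decode_qr` (which needs the optional `pyzbar` and Pillow packages) returns nothing for it; pointed at a real extracted file it returns the encoded strings. The Content-ID and addresses are invented.

```python
from __future__ import annotations

import email
import hashlib
import re
import struct
import zlib
from email import policy
from email.message import EmailMessage
from pathlib import Path
from tempfile import mkdtemp

# Hypothetical Content-ID for the constructed lure; real ones are usually random.
QR_CID = "qr-7f3a9c@legit-partner.com"


def _tiny_png() -> bytes:
    """Constructed stand-in for the attacker's image: a valid 1x1 greyscale PNG.

    It is not a QR code. It only gives the extractor a real image/png body
    to pull out of the MIME tree and hash.
    """
    def chunk(tag: bytes, data: bytes) -> bytes:
        body = tag + data
        crc = zlib.crc32(body) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1 px, 8-bit, greyscale
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_sample_quishing_email() -> bytes:
    """Constructed lure: multipart/related, an HTML body whose only content is
    <img src="cid:...">, and the image as its own part with that Content-ID."""
    msg = EmailMessage()
    msg["From"] = "IT Service Desk <sender@legit-partner.com>"
    msg["To"] = "user@victim.example"
    msg["Subject"] = "Action Required: Multi-Factor Authentication Update"
    msg.set_content("Your mail client does not support HTML.")
    msg.add_alternative(
        f'<html><body><p style="text-align:center"><img src="cid:{QR_CID}"></p></body></html>',
        subtype="html",
    )
    # Attach the image to the HTML alternative as a related (inline) part,
    # not as a top-level attachment, so clients render it without fetching.
    msg.get_payload()[1].add_related(_tiny_png(), maintype="image", subtype="png", cid=f"<{QR_CID}>")
    return msg.as_bytes()


CID_REF = re.compile(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", re.IGNORECASE)


def extract_cid_images(raw: bytes) -> list[dict]:
    """Step 1: resolve every cid: reference in the HTML body to its MIME part
    and return the decoded image bytes with a SHA256 for later hunting."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Index image parts by Content-ID with the angle brackets removed.
    by_cid: dict[str, EmailMessage] = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid and part.get_content_maintype() == "image":
            by_cid[str(cid).strip().strip("<>")] = part

    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return []

    found = []
    for ref in CID_REF.findall(html.get_content()):
        part = by_cid.get(ref)
        if part is None:
            continue  # dangling reference: the image is remote or missing, not inline
        data = part.get_payload(decode=True)  # reverses the base64 transfer encoding
        found.append({
            "cid": ref,
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return found


def save_image(record: dict, out_dir: Path) -> Path:
    """Write the extracted image to disk under a hash-derived name."""
    ext = record["content_type"].partition("/")[2] or "bin"
    path = Path(out_dir) / f"qr_payload_{record['sha256'][:12]}.{ext}"
    path.write_bytes(record["data"])
    return path


def decode_qr(image_path: Path) -> list[str]:
    """Step 2: decode on the analysis box. Uses pyzbar (libzbar bindings) when
    installed; `zbarimg <file>` on the command line does the same job."""
    from PIL import Image  # optional extras, imported lazily
    from pyzbar.pyzbar import decode
    return [s.data.decode("utf-8", "replace") for s in decode(Image.open(image_path)) if s.type == "QRCODE"]


if __name__ == "__main__":
    for rec in extract_cid_images(build_sample_quishing_email()):
        path = save_image(rec, Path(mkdtemp()))
        print(f"cid={rec['cid']} type={rec['content_type']} bytes={rec['size']} sha256={rec['sha256']}")
        try:
            print("decoded:", decode_qr(path))  # [] here: the stand-in image holds no QR code
        except ImportError:
            print("pyzbar/Pillow not installed; run: zbarimg", path)
```

On a real sample, `extract_cid_images(Path("suspicious.eml").read_bytes())` does the whole of Step 1. A `cid:` reference with no matching part is skipped rather than reported as an inline image; that is worth a line in your notes, because it usually means the image is fetched remotely, which is a different (and logged) delivery path.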

Don't Forget the Envelope: Header Telemetry Is Ground Truth

The QR code is the payload, but the email headers are the crime scene. An analyst who ignores the headers is missing half the story. The attacker's methods for delivering the message can tell you more than the payload itself.

Start with the `Authentication-Results` header. This is where the receiving mail server records the verdicts for the core email authentication protocols: SPF (RFC 7208), DKIM (RFC 6376), and DMARC (RFC 7489). These verdicts tell you whether the message came from infrastructure authorised by the domain it claims, not whether the person behind it is legitimate: a compromised account at a real partner passes all three.

Authentication-Results: mx.google.com; dkim=pass header.i=@legit-partner.com; spf=pass (google.com: domain of sender@legit-partner.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=sender@legit-partner.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=legit-partner.com

A `dmarc=pass` from a genuine partner domain and a `dmarc=fail` on a spoofed From address are vastly different incidents. The first means the partner's own authorised infrastructure sent the message, so you are looking at a compromised account: a Business Email Compromise (BEC) scenario that requires notifying the partner. The second is a common-or-garden spoof that you can block and forget. Watch for the third case: a lookalike or typosquatted domain the attacker registered will pass its own SPF, DKIM and DMARC, so always confirm that `header.from` is the partner's real domain and not a near match. This context is operationally critical.

Next, walk the `Received` headers from bottom to top. Each server that handles the message prepends its own `Received` header, so the bottom one is the earliest hop and the top one was written by your own edge. The bottom header shows the server that first accepted the message from the sender's client; a `with ESMTPSA` (authenticated submission) there means someone logged in with credentials. Where did the message originate? Is the IP address from a known cloud provider, a residential ISP, or a country you don't do business with? One caveat: only the hops recorded by servers you operate are ground truth; everything below them arrived as text that the sender, or a compromised relay, could have fabricated. These are all powerful signals for detection rules and threat hunting.
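Parsing the header telemetry described above, as an added Python example that is not part of the original post. The `Authentication-Results` line is the one quoted above; the `Received` chain, hostnames and addresses (RFC 5737 documentation ranges), the partner list and the `my_hosts` set are constructed for the example. It pulls out the per-method verdicts, walks the hops oldest-first, flags the hop that your own edge actually recorded, and turns the DMARC verdict plus the From domain into the triage decision discussed above.

```python
from __future__ import annotations

import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample headers. The Authentication-Results line is the one quoted
# in the post; the Received chain, hostnames and addresses are invented.
SAMPLE_HEADERS = """\
Received: from mail-relay.legit-partner.com (mail-relay.legit-partner.com [209.85.220.41])
        by mx.google.com with ESMTPS id k7si123456; Fri, 15 May 2026 08:14:02 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
        by mail-relay.legit-partner.com with ESMTPSA id 4Xy9; Fri, 15 May 2026 08:13:58 +0000
Authentication-Results: mx.google.com; dkim=pass header.i=@legit-partner.com; spf=pass (google.com: domain of sender@legit-partner.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=sender@legit-partner.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=legit-partner.com
From: "IT Service Desk" <sender@legit-partner.com>
Subject: Action Required: Multi-Factor Authentication Update

"""


def parse_authentication_results(value: str) -> dict:
    """Parse an Authentication-Results header (RFC 8601) into
    {'authserv_id': ..., 'dkim': {'result': 'pass', 'header.i': ...}, ...}.
    Parenthesised comments are free text, so they are dropped before splitting."""
    cleaned = re.sub(r"\([^)]*\)", " ", value)
    clauses = [c.strip() for c in cleaned.split(";") if c.strip()]
    parsed = {"authserv_id": clauses[0].split()[0].lower()}
    for clause in clauses[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {k.lower(): v for k, v in (t.split("=", 1) for t in tokens[1:] if "=" in t)}
        parsed[method.lower()] = {"result": result.lower(), **props}
    return parsed


RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)"                                     # what the client claimed
    r"(?:\s*\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"   # what the server saw
    r".*?\bby\s+(?P<by>[^\s;]+)",                                # who wrote this header
    re.DOTALL,
)


def walk_received(msg) -> list[dict]:
    """Return hops oldest-first. Every server prepends its own Received header,
    so the bottom header is closest to the origin and the top is your edge."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold continuation whitespace
        hop = {"raw": text, "helo": None, "rdns": None, "ip": None, "by": None}
        m = RECEIVED.search(text)
        if m:
            hop.update(m.groupdict())
        # ESMTPA/ESMTPSA means the client authenticated to submit: credentials in play.
        hop["authenticated_submission"] = bool(re.search(r"\bwith\s+E?SMTPS?A\b", text))
        hops.append(hop)
    return hops


def verified_hop(hops: list[dict], my_hosts: set[str]) -> dict | None:
    """The oldest hop recorded by a server you operate. Everything below it in
    the chain was written by someone else and can be forged outright."""
    for hop in hops:
        if hop["by"] and hop["by"].lower() in my_hosts:
            return hop
    return None


def classify_sender(auth: dict, from_domain: str, known_partners: set[str]) -> str:
    dmarc = auth.get("dmarc", {}).get("result", "none")
    if dmarc == "pass" and from_domain in known_partners:
        return "authenticated mail from a known partner domain: treat as compromised account / BEC, notify them"
    if dmarc == "pass":
        return "authenticated, but not a domain you trust: attacker-owned or lookalike domain, block it"
    return f"dmarc={dmarc}: From domain is spoofed, block and close"


def triage(raw_headers: str, known_partners: set[str], my_hosts: set[str]) -> dict:
    msg = message_from_string(raw_headers, policy=policy.default)
    auth = parse_authentication_results(str(msg["Authentication-Results"]))
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    hops = walk_received(msg)
    return {
        "auth": auth,
        "from_domain": from_domain,
        "hops": hops,
        "verified_hop": verified_hop(hops, my_hosts),
        "verdict": classify_sender(auth, from_domain, known_partners),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HEADERS, known_partners={"legit-partner.com"}, my_hosts={"mx.google.com"})
    print("verdict:", result["verdict"])
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: from={hop['helo']} ip={hop['ip']} by={hop['by']} auth_submit={hop['authenticated_submission']}")
```

In the constructed chain the oldest hop is an authenticated submission from an unknown address to the partner's own relay, which is exactly the pattern of a stolen mailbox credential: the message passes DMARC for the real partner domain, so the verdict is "notify the partner", not "block the domain".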

Scaling Your Response: From Single Alert to Proactive Hunt

Triaging one quishing email is good. Building a system to catch all of them is better.

Image Hashing Is Your Best Friend

Once you've extracted the `qr_payload.png` file, calculate its SHA256 hash. This hash is a high-fidelity indicator of compromise: search your mail logs, SIEM, or EDR data for any other emails that carried an image with the same hash. One user reported it, but how many others received it and didn't? Be aware that the match is exact, so an attacker who re-encodes the image or shifts a pixel per campaign breaks it; record the decoded URL and its domain as a second, more durable pivot.

This hash-based hunting is fast, effective, and allows you to quantify the scope of a campaign instantly. It turns a reactive incident response into a proactive threat hunt. You might find the same QR code image being delivered from hundreds of different compromised mailboxes or throwaway domains.

Gateway Controls and the OCR Arms Race

Security vendors are now in an arms race with attackers. In response to quishing, more advanced gateways integrate image analysis (QR decoding, usually marketed alongside OCR) directly into their scanning pipelines. These systems can decode the QR code and analyse the URL before delivery. It is a powerful countermeasure, but it is not foolproof. Attackers can try to defeat the decoder by distorting the image, adding visual noise, partially obscuring the code, splitting it across several images, or rendering it with HTML table cells or Unicode block characters so that there is no image part to decode at all.

Another strategy is Content Disarm and Reconstruction (CDR). A gateway configured with CDR might strip all inline images from external emails or, more elegantly, re-render them. Re-encoding strips metadata and can break a malformed image file, but a well-formed QR code carries error correction and survives re-rendering by design, so for quishing the effective CDR control is removing or replacing inline images from untrusted senders rather than cleaning them.

The takeaway

Quishing isn't some new, unsolvable class of threat. It is a clever but fundamentally simple obfuscation tactic designed to exploit a logical gap in legacy security stacks. By treating the image as just another container for a malicious payload, you can fall back on a proven forensic process: deconstruct the payload, analyze its behavior, and pivot on the telemetry you find in the headers.

The core skill remains the same: understanding how email works at the protocol level. All the clues to sender identity, message path, and delivery mechanism are written in the headers. Platforms like MailSleuth.AI are designed to surface these complex relationships, but the human analyst's ability to interpret that data is what ultimately separates a quick mitigation from a full-blown incident.

Tags: #quishing #email-security #threat-hunting #forensics #dmarc #header-analysis

MailSleuth Research, Email Security Team: We dissect phishing campaigns and email infrastructure so you don't have to.