NEWS | ISC.SANS.EDU

## A New Phishing Tactic: Evading Detection with Table-Rendered QR Codes

Thursday, January 8, 2026 | 3 MIN READ


Introduction: The Evolving Scourge of QR Code Phishing

Cybercriminals keep finding fresh ways to weaponize QR codes—those little squares we scan everywhere from menus to emails. This scam, called "quishing," hijacks people’s trust in QR codes and sneaks past security defenses. Sure, companies like Proofpoint and Cloudflare have rolled out tools to scan suspicious image-based QR codes in emails (1, 2). But just when defenses catch up? Attackers pivot. Case in point: a campaign last December where hackers ditched images entirely. Instead, they built QR codes using hundreds of HTML table cells—no image files attached.


The Anatomy of an Unseen Attack

Picture this phishing email: bare-bones text and a QR code urging you to “verify account access.” The code looked oddly compact but otherwise normal. Here’s the twist—it wasn’t an image. Hackers constructed it pixel by pixel using HTML tables filled with black (#000000) or white (#FFFFFF) cells.

Like this snippet:

```html
<table role="presentation" border="0" cellpadding="0" cellspacing="0" width="180" height="180" align="center">
  <tr height="4">
    <td width="4" height="4" bgcolor="#000000"></td>
    <td width="4" height="4" bgcolor="#000000"></td>
    <td width="4" height="4" bgcolor="#FFFFFF"></td>
    ... <!-- additional cells forming the QR pattern -->
  </tr>
</table>
```

Why’s this clever? Most email scanners hunt for malicious images or attachments. They often overlook HTML tables that draw the same content straight into the message body. That gap? Exploited flawlessly.


Technical Context and Historical Precedents

Using tables to fake QR codes isn’t brand-new, honestly. Security pro Melvin Langvik demoed it back at DEF CON 32, showing how pixel-based designs slip through modern defenses (3). But seeing it actively deployed in December 2023? That’s troubling. With security teams hyper-focused on image analysis, attackers grabbed an easy win. It’s classic cat-and-mouse—defenses evolve, hackers innovate.


The Payload: Structured Deception

Scanned one of these table-based QR codes? You’d land on a subdomain of lidoustoo[.]click. The first sample (December 22nd) used onedrive[.]lidoustoo[.]click. Later versions followed a sneaky format:

hxxps[:]//<domain from recipient e-mail><decimal or hexadecimal string>[.]lidoustoo[.]click/<alphanumeric string>/$<recipient e-mail>

See how it weaves in your email domain? That personal touch makes the link feel legitimate. Scary smart.


Why Tables Break Traditional Defenses

Jan Kopriva from Nettles Consulting hit the nail on the head: security tools assume QR codes are images. Tables destroy that assumption. Scanners often skip deep HTML table analysis, prioritizing attachments or suspicious URLs instead. Net result? These phishing emails glide past automated filters.
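One way a scanner could close this gap, shown as an added example (not code from the original article or from any vendor named in it): parse every table in the HTML body into a dark/light matrix and flag those whose dark area is square and carries QR finder patterns in three corners. The function names, the brightness threshold, and the finder-pattern heuristic are assumptions of this sketch; it goes slightly beyond the sample above by also catching near-black shades, nested tables, and unclosed tables, and it reads only the `bgcolor` attribute used in the snippet.

```python
import re
from html.parser import HTMLParser
# 7x7 QR finder pattern: dark outer ring, light ring, dark 3x3 core
FINDER = [[int(min(i, j, 6 - i, 6 - j) != 1) for j in range(7)] for i in range(7)]

def is_dark(colour):
    """1 for a dark #rrggbb value, else 0 (missing or other formats count as light)."""
    m = re.fullmatch(r"\s*#?([0-9a-fA-F]{6})\s*", colour or "")
    return int(bool(m) and sum(bytes.fromhex(m.group(1))) < 384)

class TableGrids(HTMLParser):
    """Builds one 0/1 matrix per <table> from the bgcolor of its <td> cells."""
    def __init__(self):
        super().__init__()
        self.done, self.open = [], []  # finished tables, stack of open (nested) ones
    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self.open.append([])
        elif tag == "tr" and self.open:
            self.open[-1].append([])
        elif tag == "td" and self.open and self.open[-1]:
            self.open[-1][-1].append(is_dark(dict(attrs).get("bgcolor")))
    def handle_endtag(self, tag):
        if tag == "table" and self.open:
            self.done.append(self.open.pop())

def find_table_qr(html, min_modules=21):
    """Yield the cropped module matrix of each table that draws a QR-like symbol."""
    parser = TableGrids()
    parser.feed(html)
    for grid in parser.done + parser.open:  # include tables never closed
        rows = [r for r in grid if r]
        dr = [i for i, r in enumerate(rows) if 1 in r]  # rows containing dark cells
        if not dr or len({len(r) for r in rows}) != 1:
            continue  # no dark cells, or not a rectangular grid
        dc = [j for j in range(len(rows[0])) if any(r[j] for r in rows)]
        top, left, n = dr[0], dc[0], dr[-1] - dr[0] + 1
        if n >= min_modules and n == dc[-1] - left + 1 and all(
                rows[top + a + i][left + b:left + b + 7] == FINDER[i]
                for a, b in ((0, 0), (0, n - 7), (n - 7, 0)) for i in range(7)):
            yield [r[left:left + n] for r in rows[top:top + n]]

def sample_html(n=21, q=2):
    """Constructed input: the three finder patterns only, inside a light border."""
    m = [[0] * (n + 2 * q) for _ in range(n + 2 * q)]
    for r0, c0 in ((q, q), (q, q + n - 7), (q + n - 7, q)):
        for i in range(7):
            m[r0 + i][c0:c0 + 7] = FINDER[i]
    rows = ("".join('<td bgcolor="#%s"></td>' % ("FFFFFF", "000000")[v] for v in r) for r in m)
    return "<table><tr>" + "</tr><tr>".join(rows) + "</tr></table>"
```

Each matrix returned can be rasterised and handed to the same QR decoder already applied to image attachments, so the embedded URL goes through the usual reputation checks.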


Implications: Beyond Technical Fixes

This whole mess drives home two big lessons:

  1. Assumptions Create Vulnerabilities: When scanners dismiss unusual formats (like HTML-based QR codes), attackers thrive. We need smarter heuristics, not just signature checks.
  2. The Human Factor: Honestly, even top-notch tech struggles if users cooperate with the attacker. Crooks manipulate behavior—how many people scan QR codes without hesitation?

Cloudflare says it best: marrying tech upgrades with user training is essential. Awareness campaigns matter (2). Teams need to spot all phishing traps, not just email links.


Conclusion: Toward Holistic Security Resilience

QR phishing thrives where tech and human trust collide. Kopriva’s right—this problem isn’t vanishing by 2026. Staying ahead means:

  • Smarter Tools: Email scanners that inspect dynamic HTML.
  • Sharper Teams: Regular training to recognize traps like table-built QR codes.

The takeaway? Security’s an endless race. Attackers adapt, so our defenses can’t stand still.

References:

  1. Proofpoint: Malicious QR Code Detection Takes Giant Leap Forward
  2. Cloudflare: What Is Quishing?
  3. Melvin Langvik: Evading Modern Defenses When Phishing with Pixels

Jan Kopriva
Nettles Consulting