Observed Campaign Characteristics (Q4 2025 – Q1 2026)
Over 47 distinct phishing kits now incorporate one or more of the following bypass techniques:
- QR code delivery with encoded malicious URLs
- HTML smuggling via legitimate file types (.ics, .msg)
- Zero-font / font-substitution obfuscation
- Living-off-trusted-sites (abusing SharePoint / OneDrive links)
- Dynamic payload delivery through JavaScript-heavy landing pages
Detection & Prevention Stack Recommendations
1. Enable Safe Links with real-time URL scanning
2. Configure anti-phishing policies to block QR code attachments
3. Deploy browser isolation (Chrome Enterprise / Edge) for high-risk users
4. Use third-party sandbox detonators for .msg / .ics files
5. Train users with simulated QR phishing campaigns
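
Added example, not part of the original page or of any vendor's tooling: a Python check for the zero-font obfuscation listed above. It compares the text a reader sees with the text a tag-stripping content filter reads. The names scan, ZeroFontScanner and watchwords and both sample bodies are constructed for illustration, and only inline font-size values of exactly 0 are treated as hidden.

```python
import re
from html.parser import HTMLParser

FONT_SIZE = re.compile(r"font-size\s*:\s*(\d*\.?\d+)", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "wbr"}  # never get an end tag

class ZeroFontScanner(HTMLParser):
    """Separates text a reader sees from text styled with font-size 0."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.visible, self.raw = [], [], []
        self.hidden_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        m = FONT_SIZE.search(dict(attrs).get("style") or "")
        inherited = self.stack[-1] if self.stack else False
        # An explicit font-size overrides the parent's; otherwise it is inherited.
        self.stack.append(float(m.group(1)) == 0 if m else inherited)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.raw.append(data)  # what a tag-stripping content filter would read
        if self.stack and self.stack[-1]:
            self.hidden_chars += len(data.strip())
        else:
            self.visible.append(data)

def scan(html_body, watchwords=("microsoft", "password")):
    """Report hidden text and watchwords that only appear once it is removed."""
    p = ZeroFontScanner()
    p.feed(html_body)
    p.close()
    squash = lambda parts: " ".join("".join(parts).split())
    visible, raw = squash(p.visible), squash(p.raw)
    concealed = [w for w in watchwords
                 if w in visible.lower() and w not in raw.lower()]
    return {"visible": visible, "raw": raw,
            "hidden_chars": p.hidden_chars, "concealed": concealed}

# Constructed sample bodies (not taken from a real campaign).
SAMPLE_OBFUSCATED = ('<p>Your <span>Micro</span><span style="font-size:0">xqz</span>'
                     '<span>soft</span> pass<span style="FONT-SIZE: 0px">kj</span>'
                     'word expires today.</p>')
SAMPLE_BENIGN = '<p style="font-size:14px">Meeting notes attached.</p>'
```

A non-empty "concealed" list means a watched term is readable on screen but broken up in the raw text, which is the signal to score or quarantine on.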