Scanning it would have opened a fake login page on your phone — bypassing every email security filter in place. This is a training demo. No data was captured.
Why QR phishing works
Filters scan text, not images — email security tools inspect URLs in message text; a QR code is just a picture to them
No hover preview on mobile — on a desktop you can hover a link to see its destination; you can't do that with a QR code
Phones bypass corporate filters — your laptop routes through company web filtering; your phone camera app does not
Looks professional — QR codes appear in invoices, HR emails, parcel notices, posters, even printed on desks
Common quishing scenarios
Fake invoice email
"Scan to view your invoice" — links to a fake Microsoft or DocuSign login
Fake parcel notice
"Scan to reschedule delivery" — links to a payment or credential-stealing page
Printed desk drop
Physical flyers left in offices: "Scan to claim your staff discount"
Fake MFA prompt
"Your authenticator needs updating — scan this QR to re-enroll"
What to do before scanning any QR code
Use a QR scanner that shows the URL before opening it — most phones now do this natively
Read the full domain carefully — micros0ft.com and login-microsoft.net are not Microsoft
Ask yourself: did I expect this QR code? Unsolicited QRs in emails are a red flag
If scanned and suspicious — close immediately, do not enter credentials, report to IT
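The "read the full domain carefully" check above can also be automated on the URL a scanner displays. The following is an added example, not part of the original training page: the trusted-domain list, the digit-swap table and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains your organisation actually expects staff to sign in on.
TRUSTED_DOMAINS = {"microsoft.com", "docusign.com"}

# Digits commonly swapped in for letters, as in micros0ft.com.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def brand_of(domain):
    """First label of a trusted domain, e.g. 'microsoft' for microsoft.com."""
    return domain.split(".")[0]


def classify_qr_url(url):
    """Return (verdict, host) for a URL decoded from a QR code.

    verdict is 'trusted', 'lookalike' or 'unknown'.
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "unknown", host
    # Trusted only if the host IS a trusted domain or a subdomain of one.
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "trusted", host
    # Otherwise a trusted brand name anywhere in the host is a warning sign,
    # including after undoing digit-for-letter swaps.
    normalised = host.translate(CONFUSABLES)
    for domain in TRUSTED_DOMAINS:
        if brand_of(domain) in normalised:
            return "lookalike", host
    return "unknown", host


# Constructed sample URLs, as a QR scanner would show them before opening.
SAMPLES = [
    "https://login.microsoft.com/common/oauth2",
    "https://micros0ft.com/login",
    "https://login-microsoft.net/signin",
    "https://parcel-tracking.example/reschedule",
]

if __name__ == "__main__":
    for url in SAMPLES:
        verdict, host = classify_qr_url(url)
        print(f"{verdict:9}  {host}")
```

A 'lookalike' verdict is a reason to report the QR code; 'unknown' only means the domain is not on the list, not that it is safe.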