Threat Analysis
146% in 60 Days: Inside the QR Phishing Surge Your Stack Can't See
written by: Amogh Shetty

Microsoft's March 2026 telemetry tells a clean story: QR code phishing surged 146% between January and March of this year.
That's not the alarming part.
The alarming part is why it's surging. QR phishing, sometimes called "quishing," isn't a clever new exploit. It's not a zero-day. There's no CVE to patch, no signature to push, no IOC to feed into your SIEM.
It's surging because it bypasses, by design, almost every layer of the modern email security stack.
The mechanics: why your stack misses it
A typical quishing campaign in 2026 looks like this.
Your employee receives an email — often appearing to come from internal IT, an HR system, or a vendor portal. The email contains a PDF, or a Word doc, or sometimes an embedded image directly in the body. Inside that attachment: a QR code.
There is no malicious URL in the email body. No suspicious attachment in the traditional sense. No malware. No macros. The QR code is just an image — a pattern of black squares.
Your email security gateway is built to scan text, links, attachments, and known malicious file hashes. None of that triggers on an image of a QR code.
Your employee opens the PDF. The pretext is built to migrate them from a managed surface (their laptop) to an unmanaged one (their phone): "Scan to verify your Microsoft 365 session" or "Scan to access your secure document."
They scan. The redirect happens on the phone's browser — off your network, off your EDR, off your DLP. They land on a credential harvesting page hosted on a domain you've never seen, with a TLS cert that's less than 24 hours old.
They enter their credentials. The attacker now has access to your Microsoft 365 environment.
Your security stack has logged nothing.
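The gap described above can still be triaged from the mail side, because the lure leaves secondary traces even when the only "link" is an image. The following is an added example, not code from the original post: a stdlib-only Python heuristic that scores one raw message for the quishing pattern (a PDF/image carrier, no URL in the text, a scan-from-your-phone pretext, a role-named sender outside the organisation). The org domain, the pretext phrases, the role words and the sample message are this example's assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed for this example: the organisation's mail domains, pretext phrases, carrier types.
ORG_DOMAINS = {"corp.example"}
PRETEXT_PHRASES = ("scan to verify", "scan to access", "scan the qr", "qr code")
CARRIER_TYPES = {"application/pdf", "image/png", "image/jpeg", "application/msword"}
ROLE_WORDS = {"it", "helpdesk", "hr", "support", "security"}
URL_RE = re.compile(r"https?://", re.I)

def quishing_indicators(raw: bytes) -> dict:
    """Score one raw RFC 5322 message for the quishing pattern; returns indicators + verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body, carriers = "", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body += part.get_content()
        elif ctype in CARRIER_TYPES:  # inline images count too, not just attachments
            carriers.append(part.get_filename() or ctype)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_words = set(re.findall(r"[a-z]+", name.lower()))
    ind = {
        "carrier_attachment": bool(carriers),
        "no_url_in_body": not URL_RE.search(body),
        "mobile_pretext": any(p in body.lower() for p in PRETEXT_PHRASES),
        "role_spoof_external_sender": bool(sender_words & ROLE_WORDS)
        and addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS,
    }
    score = sum(ind.values())
    # The carriers are what you hand to a QR decoder (render page, decode image) to recover the URL.
    return {**ind, "carriers": carriers, "score": score, "verdict": "review" if score >= 3 else "pass"}

# Constructed sample message modelled on the lure described in the post.
SAMPLE = b"""From: IT Helpdesk <helpdesk@example-mail.invalid>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Open the attached PDF and scan to verify your Microsoft 365 session from your phone.
--b1
Content-Type: application/pdf; name="verify.pdf"
Content-Disposition: attachment; filename="verify.pdf"

%PDF-1.4 (constructed placeholder, not a real document)
--b1--
"""
```

Messages that land in "review" are the ones whose carrier attachments are worth rendering and decoding, which is the step a text-and-link gateway never performs.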
Why "no patch" is the entire problem
For most threats, the playbook is: detect, patch, update controls, monitor. Quishing breaks that playbook because there's nothing to patch.
The vulnerability isn't in a piece of software. It's in the architectural gap between three layers of your security model:
Your corporate infrastructure, which is well-instrumented
Your employee's mobile device, which is largely unmanaged
The browser session on that mobile device, which is invisible to your stack
Attackers found the seam between those three layers and built an industry inside it. The 146% growth Microsoft observed isn't because the attack got more sophisticated. It's because more operators figured out the gap is reliable.
The asymmetry, in real numbers
Here's where it gets uncomfortable.
Spinning up a quishing campaign in 2026 is fast. Phishing kits with QR generation are available off-the-shelf. A competent operator can configure a campaign — domain registration, TLS cert, lure document, target list — in well under an hour. Per-victim execution, from email send to credential capture, often runs 10 to 15 minutes.
For your team, the workflow looks fundamentally different.
The credential compromise isn't logged because the attack happened off your network. The first signal is usually anomalous account behavior — a login from a new geography, a session creating unusual mailbox rules, or a downstream phishing email sent from the compromised account.
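Because that first signal lives in identity and mailbox telemetry rather than in the mail gateway, it can be expressed as a correlation rule. The following is an added example, not code from the original post: it pairs each inbox-rule creation with a preceding sign-in from a country outside the user's baseline, and raises severity when the rule deletes or forwards mail. The event shape, the 24-hour window and the baseline are this example's assumptions; the hiding-action names are the corresponding Exchange Online New-InboxRule parameter names.

```python
from datetime import datetime, timedelta

# Constructed events in a simplified shape of sign-in and mailbox audit records
# (field names are this example's assumption, not Microsoft's schema).
SIGNINS = [
    {"user": "alice@corp.example", "time": "2026-03-10T08:02:00", "country": "US"},
    {"user": "alice@corp.example", "time": "2026-03-12T21:14:00", "country": "NG"},
    {"user": "bob@corp.example", "time": "2026-03-12T09:30:00", "country": "US"},
]
AUDIT = [
    {"user": "alice@corp.example", "time": "2026-03-12T21:21:00", "operation": "New-InboxRule",
     "params": {"SubjectContainsWords": "password", "DeleteMessage": "True"}},
    {"user": "bob@corp.example", "time": "2026-03-12T10:00:00", "operation": "New-InboxRule",
     "params": {"MoveToFolder": "Receipts"}},
]
# Countries each user signed in from over a prior baseline period (assumed).
BASELINE = {"alice@corp.example": {"US"}, "bob@corp.example": {"US"}}
# Rule actions that hide or exfiltrate mail (New-InboxRule parameter names).
HIDING_ACTIONS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def takeover_signals(signins, audit, baseline, window=timedelta(hours=24)):
    """Return one hit per inbox-rule change preceded, within `window`, by a sign-in
    from a country outside that user's baseline."""
    hits = []
    for ev in audit:
        if ev["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        rule_t = datetime.fromisoformat(ev["time"])
        hiding = sorted(set(ev["params"]) & HIDING_ACTIONS)
        for s in signins:
            if s["user"] != ev["user"]:
                continue
            delta = (rule_t - datetime.fromisoformat(s["time"])).total_seconds()
            if 0 <= delta <= window.total_seconds() \
                    and s["country"] not in baseline.get(s["user"], set()):
                hits.append({"user": ev["user"], "signin": s["time"], "country": s["country"],
                             "rule": ev["time"], "hiding_actions": hiding,
                             "severity": "high" if hiding else "medium"})
    return hits
```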
Once that signal fires, your IR team has to:
Identify the originating campaign across inbox telemetry
Determine which other employees received the same lure
Map the attacker's infrastructure: redirect domain, credential harvest endpoint, subsequent hops
Correlate against threat intel feeds to identify the operator
Roll credentials for affected users and review session activity for downstream compromise
Update controls — domain blocklists, conditional access policies, user training
A thorough run of this loop takes roughly 96 hours.
96 minutes to compromise. 96 hours to map and respond.
That's a 4-day, 22-hour window where the attacker continues to iterate — registering fresh domains, rotating lure documents, hitting new targets — while your team is still pulling logs from the first incident.
The math isn't subtle.
What CISOs should actually be asking
The instinct, when faced with quishing, is to push harder on user training. Train employees not to scan QR codes from emails. Tighten mobile device management. Audit DLP policies.
Those are all reasonable steps. None of them close the time gap.
The harder questions for a CISO right now:
Is this campaign already in our environment, and we just haven't detected it yet?
How many of our employees received a QR-bearing email in the last 60 days?
Which of our domains are being spoofed in active campaigns right now?
If a credential is compromised tonight, how long before we know?
Each of those requires correlating intelligence across multiple sources — email telemetry, threat feeds, domain reputation databases, brand monitoring platforms, dark web indicators. Each lives in a different tool. Each requires manual stitching to produce an answer that's actually actionable.
That stitching is where the 96 hours goes.
The gap that has to close
There's nothing wrong with your team's analytical work. CTI analysts at most enterprises produce excellent intelligence. The problem is that the workflow surrounding their analysis is built for a slower era — one where attacker setup time was measured in days, not minutes.
AgentCypher exists to close that gap. When a campaign like the March 2026 quishing surge breaks, AgentCypher simultaneously queries more than 100 threat intelligence sources, correlates findings against your specific tech stack and sector, identifies active infrastructure, and produces a board-ready brief — in minutes, not days.
The campaign is still active. Your environment may or may not be in it. The only variable that matters is how fast you can find out.
Closing
Quishing isn't the last attack vector that's going to exploit the gap between your corporate infrastructure and your employees' pockets. It's the current one. The next one is being built right now.
The defensibility question isn't whether you can stop every campaign — you can't. It's whether you can compress the gap between signal and action small enough that, when it matters, you know in minutes whether the campaign touches you.
The question for every CISO right now: which side of that gap are you operating on?