June 4, 2026
Emerging Phishing Trend: QR Code Attacks Hidden Inside Calendar Invites
Dulitha Wickramasinghe
Cybercriminals continue to evolve their phishing techniques to evade traditional email security controls, and one emerging tactic gaining traction involves QR codes embedded within calendar (.ics) attachments. Recent phishing campaigns have demonstrated how attackers are combining multiple evasion techniques into a single attack chain, making detection significantly more difficult for both users and security technologies.
How the Attack Works
This campaign uses a multi-stage phishing workflow designed to reduce detection visibility and increase the likelihood of credential compromise.
1. Initial Delivery: Calendar Invite Attachments
- Victims receive phishing emails containing malicious .ics calendar invite attachments.
- Because calendar invitations are commonly used in business environments, they may receive less scrutiny than traditional malicious attachments such as executables or macro-enabled documents. In some environments, email security controls may also perform limited inspection of calendar content.
2. Embedded QR Code Inside the Calendar Event
- Within the calendar event description, attackers embed a QR code containing a malicious URL.
- This technique is commonly referred to as "QR phishing" or "quishing." It enables attackers to bypass traditional email inspection mechanisms such as URL-based, content-based, and threat intelligence-based detection, particularly in environments that lack advanced email security and deep content analysis capabilities.
- Instead of clicking a visible hyperlink, users scan the QR code using a mobile device, shifting the attack flow outside many traditional endpoint and browser security controls.
3. Redirection to a Spoofed Authentication Portal
- Once scanned, the QR code redirects the victim to a fake authentication page impersonating services such as Microsoft 365.
- The phishing page is designed to harvest user credentials while appearing visually identical to a legitimate corporate login portal.
4. Adversary in the Middle (AITM) Phishing Infrastructure
- In more advanced campaigns, attackers use Adversary in the Middle (AITM) frameworks such as Evilginx, Modlishka and Sneaky 2FA.
- These tools act as reverse proxies between the victim and the legitimate authentication service, allowing attackers to intercept authentication traffic, capture session cookies and tokens, hijack authenticated sessions and bypass Multi-Factor Authentication (MFA).
- Importantly, attackers are not breaking MFA itself. Instead, they steal authenticated session tokens after successful MFA validation, enabling unauthorized access without needing the second authentication factor again.
Why This Technique Is Effective
This attack chain combines multiple evasion techniques that exploit both technical and human weaknesses.
- Reduced Visibility for Traditional Email Security Controls: Many email security solutions primarily focus on detecting malicious links and attachments. QR codes embedded within calendar content may receive limited inspection, particularly if image analysis or QR decoding capabilities are not enabled or available.
- Increased Trust in Calendar Invitations: Users are used to receiving meeting requests and calendar updates in business environments, making malicious calendar invitations appear more legitimate and less suspicious.
- Mobile Device Attack Surface: QR phishing frequently shifts user interaction to mobile devices, where organizations often have reduced visibility and weaker security controls. In many cases, users scan QR codes using unmanaged personal devices, and authentication takes place outside managed corporate browsers, meaning endpoint telemetry and browser-based protections may not be applied. As a result, this creates a significant monitoring gap for analysts, limiting their ability to detect and respond to potential compromise.
- MFA Bypass Through Session Hijacking: Organizations with strong MFA enforcement can still be vulnerable when attackers target authenticated session tokens rather than credentials alone. Because the user completes the authentication process legitimately, the resulting session may appear valid to identity providers and security monitoring platforms.
Detection Challenges
One of the most significant challenges associated with this attack technique is limited visibility during the compromise process.
Organizations may struggle to determine whether users:
- Scanned the QR code
- Visited the phishing infrastructure
- Submitted credentials
- Had their session tokens stolen
Traditional authentication logs may not immediately reveal compromise because:
- Sign-ins can appear legitimate
- MFA challenges are successfully completed
- Sessions may originate from geographically proximate infrastructure
- Token reuse may blend into normal user activity
Without advanced identity monitoring, network telemetry, or session analysis, malicious activity can remain undetected for extended periods.
The following Microsoft Defender XDR KQL query can be used to identify potentially suspicious .ics calendar invite attachments delivered to users. It is filtered to messages that Defender has already assigned a threat classification (ThreatTypes), such as phishing or malware, so that analysts start from the highest-signal results.
// Start from every attachment whose file name ends in .ics
EmailAttachmentInfo
| where FileName endswith ".ics"
// Enrich with sender, recipient, verdict and delivery details from EmailEvents
| join kind=inner (
    EmailEvents
    | project NetworkMessageId,
        Timestamp,
        SenderFromAddress,
        SenderMailFromAddress,
        RecipientEmailAddress,
        Subject,
        DeliveryAction,
        ThreatTypes,
        ConfidenceLevel,
        EmailAction
) on NetworkMessageId
// Keep only messages that already carry a threat classification
| where isnotempty(ThreatTypes)
| project Timestamp,
    SenderFromAddress,
    SenderMailFromAddress,
    RecipientEmailAddress,
    Subject,
    FileName,
    SHA256,
    FileSize,
    DeliveryAction,
    ThreatTypes,
    ConfidenceLevel,
    EmailAction,
    NetworkMessageId
| order by Timestamp desc
MITRE ATT&CK Mapping
Tactic:
- Initial Access (TA0001)
Techniques:
- Spearphishing Attachment (T1566.001)
- User Execution (T1204)
- Steal Web Session Cookie (T1539)
Key Defensive Recommendations
- Expand Email Inspection Capabilities: Organizations should implement security controls capable of inspecting .ics calendar attachments, extracting and analyzing embedded QR codes, and performing image and OCR-based inspection. These capabilities enable detection of hidden or obfuscated malicious content that may bypass traditional email security mechanisms.
- Treat QR Codes as High-Risk Content: QR codes should be treated similarly to clickable hyperlinks from a security perspective. User awareness training should emphasize the importance of verifying unexpected QR codes, avoiding authentication through QR-initiated or external login pages, and maintaining caution when interacting with unknown or unsolicited calendar invites.
- Strengthen Identity and Session Monitoring: Organizations should enhance monitoring capabilities to detect suspicious session activity, session token abuse, device inconsistencies, impossible travel scenarios, and abnormal authentication patterns. In addition, implementing controls such as Conditional Access policies, device compliance enforcement, session risk evaluation, and token protection mechanisms can significantly improve the ability to identify and mitigate identity-based threats.
- Improve Mobile Security Visibility: Where possible, organizations should enforce access from managed devices and restrict high-risk authentication attempts originating from unmanaged devices. These measures help reduce the attack surface and ensure that authentication activities occur within controlled and monitored environments.
- Implement Rapid Response Procedures: If malicious calendar invitations are identified, organizations should remove the phishing emails from all affected mailboxes, block associated domains and reset the credentials of impacted users. Additionally, active sessions should be revoked to prevent unauthorized access. A thorough review of authentication logs and mailbox activity, particularly mailbox rules, should also be conducted to identify any indicators of compromise.
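As an added illustration of the "Expand Email Inspection Capabilities" recommendation (example code written for this page, not a tool from the original post), the script below parses an .ics attachment the way an inspection pipeline would: it unfolds RFC 5545 continuation lines, pulls out inline image data from the HTML description and from binary ATTACH properties, identifies the image type by file signature, and lists every URL in the invite. The sample invite, the hostname login.example.invalid and the tiny fake PNG are constructed for the demo; actual QR decoding would be handed to a dedicated library once an image is found.

```python
import base64
import re

# File signatures worth flagging inside a calendar invite: a QR code is just an image.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DATA_URI_RE = re.compile(r"data:image/[a-z]+;base64,([A-Za-z0-9+/=]+)")

def unfold(ics: str) -> list:
    """RFC 5545 unfolding: a line starting with SPACE or TAB continues the previous line."""
    lines = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def parse_props(ics: str):
    """Yield (NAME, {PARAM: value}, value) per content line, e.g. ATTACH;ENCODING=BASE64:..."""
    for line in unfold(ics):
        head, _, value = line.partition(":")
        name, *raw_params = head.split(";")
        params = dict(p.split("=", 1) for p in raw_params if "=" in p)
        yield name.upper(), {k.upper(): v for k, v in params.items()}, value

def sniff(blob: bytes) -> str:
    return next((kind for sig, kind in MAGIC.items() if blob.startswith(sig)), "unknown")

def inspect_ics(ics: str) -> dict:
    """Collect inline images, base64 attachments and URLs from one .ics body; flag any real image."""
    report = {"images": [], "attachments": [], "urls": []}
    for name, params, value in parse_props(ics):
        for b64 in DATA_URI_RE.findall(value):  # QR as a data: URI inside the HTML description
            report["images"].append((name, sniff(base64.b64decode(b64 + "=" * (-len(b64) % 4)))))
        if name == "ATTACH" and params.get("ENCODING", "").upper() == "BASE64":  # or inline binary
            blob = base64.b64decode(value)
            report["attachments"].append((params.get("FMTTYPE", "?"), sniff(blob), len(blob)))
        report["urls"].extend(URL_RE.findall(value))
    # Invites rarely carry images at all, so any recognised image type is worth analyst review.
    report["flag"] = any(k != "unknown" for k in [i[1] for i in report["images"]] + [a[1] for a in report["attachments"]])
    return report

# Constructed sample, not from a real campaign: folded DESCRIPTION, data: URI image, binary ATTACH.
FAKE_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Action required: mailbox re-validation\r\n"
    "DESCRIPTION:Scan the code below or visit https://login.example.invalid/\r\n verify now.\r\n"
    f'X-ALT-DESC;FMTTYPE=text/html:<img src="data:image/png;base64,{FAKE_PNG}">\r\n'
    f"ATTACH;FMTTYPE=image/png;ENCODING=BASE64;VALUE=BINARY:{FAKE_PNG}\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
```

Note that the URL in the sample is split across a folded line; without the unfolding step a naive grep would only see the truncated prefix.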