Cybercriminals are employing a novel phishing tactic by embedding malicious QR codes directly within HTML tables in emails. This innovative method allows attackers to bypass traditional email security filters that are designed to detect image-based threats. The campaign, observed between December 22nd and December 26th, utilizes these imageless QR codes to redirect unsuspecting users to phishing websites.
The phishing messages themselves are minimalist, featuring a brief lure text and a single, compact QR code block. When scanned, these QR codes direct recipients to subdomains of “lidoustoo[.]click.” To appear more legitimate, the URLs often incorporate the recipient’s own domain name within the path, creating a deceptive sense of familiarity for the victim.
Detection Evasion Through HTML Table-Based QR Codes
Researchers at the Internet Storm Center have detailed how these malicious QR codes are constructed. Instead of embedding a standard image file, attackers leverage hundreds of tiny HTML table cells, each styled with either a black or white background. This intricate arrangement of cells forms a pattern that, when rendered by a web browser, functions identically to a standard QR code. However, many email security solutions fail to recognize these HTML table structures as containing a scannable QR code. These email gateway scanners are typically tuned to detect actual image files or inline image data, leaving this HTML-based approach undetected.
The email content, from a filtering perspective, appears as benign structural markup. Content filters, which often rely on identifying known phishing keywords or image hashes, are therefore unlikely to flag these messages. This technique exploits a significant blind spot in current email security protocols, allowing the malicious payload to slip through defenses that would otherwise identify and quarantine a traditional QR code phishing attempt.
A captured sample of the malicious code reveals a dense matrix of table cells, with specific background colors used to encode the QR pattern. For example, a code snippet might define a grid of `
This innovative use of HTML tables for QR code generation presents a new challenge for cybersecurity professionals. Traditional security measures, which often rely on pattern recognition of known threat vectors, are proving insufficient. The attackers’ ability to disguise functional QR codes within seemingly innocuous HTML markup means that standard content filters and image analysis tools are rendered ineffective.
For organizations and individuals alike, this campaign serves as a stark reminder that cybersecurity defenses must evolve continuously. Relying solely on established detection methods is no longer sufficient in the face of sophisticated and adaptive attack strategies. The imageless QR code technique highlights the need for more advanced scanning capabilities, including those that can interpret dynamically rendered content and analyze the behavioral aspects of email content.
Security experts advise that email filtering solutions should be updated to treat dense HTML table grids as potential graphical renderings, thus triggering deeper analysis. Implementations of DOM-aware analysis are crucial for deconstructing the rendered email content and identifying disguised threats. Furthermore, flagging unusual external redirects, regardless of their source, is another vital step in bolstering defenses against such novel attacks.
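One way to act on that advice is a parser-level heuristic that treats any large, text-free grid of black/white table cells as a potential graphical rendering and hands it to deeper analysis. This is example code added here, not code from the ISC write-up or this article; the thresholds, the scanner's name and the checkered sample grid are assumptions (the sample is a constructed stand-in, not a real QR code).

```python
import re
from html.parser import HTMLParser

# Assumed thresholds: a version-1 QR code is 21x21 modules, so an empty grid of
# at least that many black/white cells is worth rendering and decoding.
MIN_CELLS = 21 * 21
MIN_BW_RATIO = 0.9
BW_STYLE = re.compile(r"background(?:-color)?\s*:\s*(#000(?:000)?|#fff(?:fff)?|black|white)\b", re.I)
BW_ATTR = re.compile(r"^(#000(?:000)?|#fff(?:fff)?|black|white)$", re.I)


class TableGridScanner(HTMLParser):
    """Per-<table> statistics: rows, cells, black/white-styled cells, cells with text."""

    def __init__(self):
        super().__init__()
        self.tables, self._stack, self._in_cell = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._stack.append({"rows": 0, "cells": 0, "bw_cells": 0, "text_cells": 0})
        elif self._stack and tag == "tr":
            self._stack[-1]["rows"] += 1
        elif self._stack and tag in ("td", "th"):
            a, t = dict(attrs), self._stack[-1]
            t["cells"] += 1
            self._in_cell = True
            if BW_STYLE.search(a.get("style") or "") or BW_ATTR.match((a.get("bgcolor") or "").strip()):
                t["bw_cells"] += 1

    def handle_data(self, data):
        if self._in_cell and data.strip():        # &nbsp; is converted and stripped here
            self._stack[-1]["text_cells"] += 1
            self._in_cell = False                 # count each cell at most once

    def handle_endtag(self, tag):
        if tag in ("td", "th"):
            self._in_cell = False
        elif tag == "table" and self._stack:
            self.tables.append(self._stack.pop())


def scan_email_html(html):
    """Return one finding per table that looks like an imageless QR grid."""
    p = TableGridScanner()
    p.feed(html)
    p.close()
    return [{**t, "verdict": "possible imageless QR code: render and decode"} for t in p.tables
            if t["cells"] >= MIN_CELLS and t["bw_cells"] / t["cells"] >= MIN_BW_RATIO
            and t["text_cells"] <= 0.05 * t["cells"]]


def _grid(n):
    """Constructed stand-in for the campaign's markup: a checkered n x n cell grid."""
    rows = ("<tr>" + "".join('<td style="width:3px;height:3px;background:%s"></td>'
            % ("#000" if (x * y + x + y) % 3 == 0 else "#fff") for x in range(n)) + "</tr>" for y in range(n))
    return '<table cellspacing="0" cellpadding="0">' + "".join(rows) + "</table>"

SAMPLE_PHISH = "<p>Scan to view your document</p>" + _grid(21)   # constructed sample
SAMPLE_BENIGN = "<table><tr><th>Item</th><th>Qty</th></tr><tr><td>Widget</td><td>2</td></tr></table>"
```

A hit only says the message deserves rendering and decoding; the decoded URL can then be matched against the redirect checks discussed above.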
In parallel with technological advancements, user education remains a critical component of cybersecurity. Users need to be consistently reminded that scanning QR codes from unsolicited or suspicious emails carries inherent risks, akin to clicking on unknown web links. Even when a QR code appears simple and visually unobtrusive, its origin and potential destination should always be treated with caution.
The ongoing evolution of phishing tactics, such as the use of HTML table-based QR codes, underscores the dynamic nature of the threat landscape. As attackers find new ways to circumvent existing security measures, defenders must remain vigilant and proactive. The future of email security will likely involve more sophisticated methods for analyzing email content, including its structural components and rendered appearance, to identify and neutralize emerging threats.