Over a span of just under three weeks, a threat actor executed a carefully designed phishing campaign that quietly landed in employee inboxes without triggering any alarms. Not a single email was blocked. No automated systems flagged it. Even standard authentication checks like SPF, DKIM, and DMARC were passed without issue.
What made this attack particularly effective wasn’t complexity—it was subtlety.
Instead of using traditional phishing links, the attacker embedded malicious URLs inside QR codes stored in BMP image attachments. This small shift allowed the campaign to completely bypass conventional email security mechanisms.
Let’s break down how it worked, why it succeeded, and what defenders should learn from it.
Understanding the “Quishing” Blind Spot
QR code phishing—often called quishing—isn’t new. But attackers are now refining it faster than defenses are evolving. Most email security systems, including tools like Microsoft Defender for Office 365, are designed to analyze text-based threats. They scan links in email bodies, inspect HTML, and detonate URLs in controlled environments.
But here’s the gap: if the malicious link is hidden inside an image, these systems simply don’t see it.
In this campaign, the phishing URL was never written anywhere in text form. Instead, it was encoded inside a QR code image attached to the email. That meant:
- No visible link to scan
- No suspicious HTML
- No trigger for traditional filters
The real attack only began when a user scanned the QR code—usually on a mobile device.
And that’s where another weakness appears.

Most corporate security controls don’t extend fully to personal or even managed mobile devices. No proxy inspection, limited endpoint monitoring, and weaker URL filtering make mobile execution an ideal attack surface.
Campaign Overview
This was not a one-off attempt. It was part of a much larger operation.
| Attribute | Details |
|---|---|
| Attacker Alias | Baron Lester |
| Sender Email | covid_info@iconicdecipher[.]com |
| Domain | iconicdecipher[.]com |
| Technique | QR Code Phishing (T1566.001) |
| Theme | COVID-19 / RSV research |
| Duration | Feb 26 – Mar 18, 2026 |
| Emails Sent | 33 |
| Unique Recipients | 32 |
| Delivered to Inbox | 28 |
| Blocked | 0 |
What stands out is simple: every defensive layer failed silently.
Timeline of the Attack
The campaign unfolded in three distinct waves:
- Wave 1 (Feb 26): small batch of emails, likely testing delivery and engagement
- Wave 2 (Mar 17): larger, automated burst over ~90 minutes
- Wave 3 (Mar 18): a single targeted follow-up email
The 19-day gap between the first two waves is important. During this time, the attacker was actively targeting other organizations. Tracking data shows over 1.6 million emails sent elsewhere.
This wasn’t targeted espionage—it was industrial-scale phishing.
How the Attack Worked
The attack chain was clean, deliberate, and effective:
- The attacker sent emails with personalized tracking IDs
- Each email included a BMP attachment containing a QR code
- The QR code encoded a phishing URL
- Email passed SPF, DKIM, and DMARC checks
- Security tools assigned a low-risk score (SCL 1)
- Email landed directly in the inbox
- User scanned QR code using mobile device
- Device opened attacker-controlled phishing page
No suspicious links. No warnings. No alerts.
Why Authentication Didn’t Help
A common misconception is that phishing bypasses authentication. That’s not what happened here.
The attacker configured their domain correctly:
| Control | Result |
|---|---|
| SPF | Passed |
| DKIM | Passed |
| DMARC | Passed (policy = none) |
Because everything looked legitimate, the email system trusted the sender.
This highlights an important reality: Authentication verifies identity—not intent.
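The triage logic below is an added example, not code from the original write-up or from any vendor tool it mentions. It parses a raw .eml with the Python standard library, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, looks for URLs in the text parts, and lists image attachments (checking for the BMP "BM" magic bytes). The message it inspects is constructed inline with a placeholder sender domain and a filler BMP payload rather than a real QR image. The point is the routing decision: an email whose only payload is an image and whose body carries no link is exactly the one a text-oriented filter waves through, so it is flagged for QR decoding or manual review regardless of how the authentication checks came out.

```python
"""Triage an .eml for the image-only phishing pattern described above.

Added example (not from the original write-up). Standard library only: the
sample message is constructed here, the sender domain is a placeholder, and
the BMP payload is a bare 'BM' header plus filler, not a real QR code image.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
BMP_MAGIC = b"BM"  # first two bytes of every BMP file


def parse_auth_results(msg):
    """Return {'spf': 'pass', ...} gathered from all Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(header):
            results[mech.lower()] = verdict.lower()
    return results


def body_urls(msg):
    """Collect URLs written as text in text/plain or text/html body parts."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        urls.extend(URL_RE.findall(part.get_content()))
    return urls


def image_attachments(msg):
    """Describe each image attachment; the hash is for the record, not for blocking."""
    found = []
    for part in msg.iter_attachments():
        if part.get_content_maintype() != "image":
            continue
        data = part.get_payload(decode=True) or b""
        found.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "is_bmp": data[:2] == BMP_MAGIC,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


def triage(raw):
    """Decide whether a message needs QR decoding / manual review."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    urls = body_urls(msg)
    images = image_attachments(msg)
    auth_all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    return {
        "auth": auth,
        "auth_all_pass": auth_all_pass,
        "body_urls": urls,
        "image_attachments": images,
        # The campaign's shape: an image attachment and no text URL to scan.
        # Passing SPF/DKIM/DMARC deliberately does not lower this verdict.
        "needs_qr_review": bool(images) and not urls,
    }


def build_sample_eml():
    """Constructed sample with the campaign's shape (placeholder domain, filler BMP)."""
    msg = EmailMessage()
    msg["From"] = "research@sender.example"  # placeholder, not the real sender
    msg["To"] = "employee@victim.example"
    msg["Subject"] = "Updated COVID-19 / RSV research summary"
    # Normally stamped by the receiving MTA; written here to mimic an all-pass result.
    msg["Authentication-Results"] = (
        "mx.victim.example; spf=pass smtp.mailfrom=sender.example; "
        "dkim=pass header.d=sender.example; dmarc=pass action=none header.from=sender.example"
    )
    msg.set_content("Please scan the attached code to open the research summary.")
    fake_bmp = BMP_MAGIC + bytes(64)  # BMP magic plus filler, no real image data
    msg.add_attachment(fake_bmp, maintype="image", subtype="bmp", filename="summary.bmp")
    return msg.as_bytes()


if __name__ == "__main__":
    report = triage(build_sample_eml())
    print("auth:", report["auth"], "all pass:", report["auth_all_pass"])
    print("body URLs:", report["body_urls"])
    for att in report["image_attachments"]:
        print("attachment:", att["filename"], att["content_type"], "bmp:", att["is_bmp"])
    print("route to QR decode / manual review:", report["needs_qr_review"])
```

Run it directly to see the report for the constructed sample. In a real pipeline the `triage()` verdict would gate an actual QR decoding step (for example with a zbar-based library) whose extracted URL then goes through the same reputation and detonation checks as a text link. The per-attachment SHA256 is recorded for the incident record only; since the campaign used a unique image per recipient, it is useless as a block signal.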
Advanced Evasion Techniques
1. Unique QR Codes Per Victim
Every recipient received a different QR code image with a unique SHA256 hash.
This had two major advantages:
- Prevented hash-based detection
- Enabled precise tracking of each victim
2. Tracking IDs
Each URL included a unique identifier:
https://iconicdecipher[.]com/c19_idea/<PDF>.pdf?pdf=<TRACKING_ID>_sd
This allowed the attacker to monitor engagement at scale.
3. Mobile Execution
By shifting interaction to mobile devices, the attacker avoided:
- Endpoint detection tools
- Network monitoring
- Corporate proxies
Infrastructure Details
| Component | Value |
|---|---|
| Mail Relay | server182.web-hosting[.]com |
| Relay IP | 198.54.115[.]2 |
| Attacker IP | 71.105.63[.]133 |
The attacker used shared hosting and residential internet—common tactics to blend in.
Reconnaissance via Auto-Replies
One subtle but important detail: auto-replies were used for intelligence gathering.
When a recipient had an out-of-office message enabled, the attacker received confirmation that:
- The email was delivered
- The mailbox was active
- A real person was associated with it
This transforms a generic phishing list into a high-value target list.
Targeting Strategy
A pattern emerged:
- Wave 1 included a manager
- Wave 2 targeted that manager’s team
This suggests organizational mapping, likely using:
- Public directories
- Email responses
The attacker wasn’t just sending emails—they were learning the structure of the organization.
MITRE ATT&CK Mapping
| Technique | Description |
|---|---|
| T1566.001 | Spearphishing attachment |
| T1566.002 | Spearphishing link |
| T1036 | Masquerading |
| T1204.001 | User execution |
| T1598 | Phishing for information |
Indicators of Compromise (IOCs)
These remain active and actionable:
- Domain: iconicdecipher[.]com
- Email: covid_info@iconicdecipher[.]com
- IP: 71.105.63[.]133
- Relay IP: 198.54.115[.]2
- URL Pattern: iconicdecipher[.]com/c19_idea/*.pdf?pdf=*_sd
Important: Hash-based detection is ineffective due to per-recipient file uniqueness.
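The hunting script below is an added example, not code from the original write-up. It refangs the published indicators, turns the URL pattern `iconicdecipher[.]com/c19_idea/*.pdf?pdf=*_sd` into a regex that captures the `<PDF>` name and the `<TRACKING_ID>` value described under Tracking IDs, and runs it together with the domain and IP indicators over constructed proxy log lines (the tab-separated layout of timestamp, user, source IP, destination IP, URL and user agent is an assumption, as are the destination IPs for the web host). Because each tracking ID maps to one recipient, the extracted values give the list of users who actually scanned, and the user-agent check separates mobile scans from other traffic, which is what the "identify impacted users" and "investigate mobile device exposure" steps need.

```python
"""Hunt for this campaign's indicators in web proxy logs.

Added example, not code from the original write-up. Indicators are the ones
the write-up publishes (stored defanged, refanged at runtime); the log lines
and their tab-separated layout are constructed here.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as published (defanged with '[.]').
IOC_DOMAIN = "iconicdecipher[.]com"
IOC_IPS = ["71.105.63[.]133", "198.54.115[.]2"]


def refang(indicator):
    """Turn the publication-safe '[.]' form back into a matchable string."""
    return indicator.replace("[.]", ".")


DOMAIN = refang(IOC_DOMAIN)
IPS = {refang(ip) for ip in IOC_IPS}

# iconicdecipher[.]com/c19_idea/*.pdf?pdf=*_sd with both wildcards captured;
# subdomains are allowed and extra query parameters after the ID are tolerated.
URL_RE = re.compile(
    r"^https?://(?:[\w-]+\.)*" + re.escape(DOMAIN)
    + r"/c19_idea/(?P<pdf>[^/?]+)\.pdf\?pdf=(?P<tracking>[^&\s]+?)_sd(?:&|$)",
    re.IGNORECASE,
)
MOBILE_UA_RE = re.compile(r"Mobile|Android|iPhone|iPad", re.IGNORECASE)

LOG_FIELDS = ("ts", "user", "src_ip", "dst_ip", "url", "user_agent")

# Constructed sample lines (assumed layout). 203.0.113.x are placeholder web hosts.
SAMPLE_LOGS = [
    "2026-03-17T14:02:11Z\tjdoe\t10.20.0.15\t203.0.113.50\t"
    "https://iconicdecipher.com/c19_idea/RSV_Update.pdf?pdf=7f3a9c_sd\t"
    "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Mobile/15E148",
    "2026-03-17T14:03:40Z\tasmith\t10.20.0.22\t93.184.216.34\t"
    "https://www.example.com/news/index.html\tMozilla/5.0 (Windows NT 10.0) Chrome/122.0",
    "2026-03-17T14:05:02Z\tmlee\t10.20.0.31\t203.0.113.50\t"
    "https://iconicdecipher.com/c19_idea/Covid_Research.pdf?pdf=c0ffee_sd&v=2\t"
    "Mozilla/5.0 (Linux; Android 14) Mobile Safari/537.36",
    # Look-alike path on an unrelated host: must not match.
    "2026-03-17T14:06:55Z\trpatel\t10.20.0.40\t203.0.113.9\t"
    "https://cdn.example.net/c19_idea/x.pdf?pdf=abc_sd\tMozilla/5.0 (Windows NT 10.0) Firefox/124.0",
    # Direct connection to a published IP, no domain involved.
    "2026-03-17T14:09:30Z\tsvc-backup\t10.20.0.5\t71.105.63.133\thttp://71.105.63.133/\tcurl/8.5.0",
]


def match_url(url):
    """Return the <PDF> name and <TRACKING_ID> if the URL fits the campaign pattern."""
    m = URL_RE.match(url.strip())
    if not m:
        return None
    return {"pdf": m.group("pdf"), "tracking_id": m.group("tracking")}


def parse_line(line):
    fields = line.rstrip("\n").split("\t")
    return dict(zip(LOG_FIELDS, fields)) if len(fields) == len(LOG_FIELDS) else None


def scan_logs(lines):
    """Return one hit per log record that touches any published indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        url_match = match_url(rec["url"])
        if url_match:
            reasons.append("url_pattern")
        host = (urlsplit(rec["url"]).hostname or "").lower()
        if host == DOMAIN or host.endswith("." + DOMAIN):
            reasons.append("ioc_domain")
        if rec["dst_ip"] in IPS:
            reasons.append("ioc_ip")
        if reasons:
            hits.append({
                **rec,
                "reasons": reasons,
                "tracking_id": url_match["tracking_id"] if url_match else None,
                "mobile": bool(MOBILE_UA_RE.search(rec["user_agent"])),
            })
    return hits


def impacted_users(hits):
    """Users whose request carried a tracking ID, i.e. who actually scanned a code."""
    return sorted({h["user"] for h in hits if h["tracking_id"] is not None})


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(h["ts"], h["user"], h["reasons"], "tracking:", h["tracking_id"], "mobile:", h["mobile"])
    print("impacted users:", impacted_users(found))
```

The regex anchors on the published host rather than on the `/c19_idea/` path alone, so a look-alike path on another domain does not produce a false positive, while the domain and IP checks still catch traffic that never used the full URL pattern. Feed real proxy exports through `scan_logs()` after adjusting `LOG_FIELDS` to the export's column order.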
What Security Teams Should Do
Immediate priorities:
- Block domain and IPs at all layers
- Remove delivered emails using search-and-purge
- Identify impacted users
- Investigate mobile device exposure
- Review auto-reply configurations
Long-term improvements:
- Enable QR code scanning in email security tools
- Strengthen mobile device protections
- Restrict external auto-replies
- Train users to treat QR codes like links
Our Analysis and Opinion
This campaign is a clear example of how attackers are evolving faster than traditional defenses. What stands out is not technical sophistication, but strategic simplicity. The attacker did not rely on zero-day vulnerabilities or advanced malware. Instead, they exploited predictable gaps in how organizations design and deploy security controls.
Most email security systems are heavily optimized for detecting text-based threats. This creates a structural weakness when attackers shift payload delivery into formats that are not routinely inspected, such as images. The use of QR codes is particularly effective because it naturally forces interaction onto mobile devices, which are often less monitored and inconsistently protected compared to corporate endpoints.
Another key observation is the deliberate use of legitimacy. By properly configuring SPF, DKIM, and DMARC, the attacker ensured that the emails appeared trustworthy at a protocol level. This reflects a growing trend where attackers do not try to evade authentication—they comply with it. As a result, defenders can no longer treat authentication success as a meaningful trust signal on its own.
The campaign also demonstrates a strong operational mindset. The use of unique tracking IDs and per-recipient QR codes indicates that the attacker was not just sending emails blindly, but actively measuring engagement and refining targeting. The ability to correlate auto-replies and organizational structure further suggests that this was part of a broader intelligence-gathering effort, not just opportunistic phishing.
From a defensive standpoint, this case highlights the limitations of isolated controls. Email security, endpoint protection, and mobile security are often treated as separate domains, but attacks like this move seamlessly across them. Without visibility that connects these layers, organizations are left with fragmented insights that fail to reveal the full scope of an incident.
In our view, the most important takeaway is that detection must evolve beyond static analysis. Security teams need capabilities that can interpret context, decode embedded content, and correlate signals across multiple systems. This includes the ability to inspect images, analyze user behavior, and monitor activity beyond traditional endpoints.
Ultimately, this campaign reinforces a simple but critical point: attackers succeed not by breaking defenses, but by working around them. Organizations that continue to rely on legacy detection models without adapting to these shifts will remain exposed to similar threats.
