Malicious QR codes evolve to dodge email security

Cybercriminals are using two previously undocumented techniques to help malicious QR codes evade email security systems, according to research published by Barracuda Networks.

The techniques, detailed in a new threat report, involve either splitting a malicious QR code across two separate images or nesting a malicious code around a legitimate one. Security researchers observed both methods being deployed by phishing-as-a-service operations known as Tycoon and Gabagool.

In split QR code attacks, criminals divide a single malicious code into two images placed close together in phishing emails. While recipients see what appears to be a single QR code, traditional email security scanners identify two separate, seemingly benign images rather than recognising the complete malicious code.

The nested technique involves wrapping a malicious QR code around a legitimate one, with the outer code directing users to phishing sites while the inner code leads to legitimate destinations like Google. This creates ambiguous scan results that may confuse automated detection systems.
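As an added illustration, not part of this article or of Barracuda's report, the script below shows why a scanner that inspects each inline image on its own misses a split code, and why a nested code looks different from a single symbol. It works on a 0/1 bit matrix rather than a real image file, locates QR finder patterns by the standard 1:1:3:1:1 dark/light run ratio, and counts them: a lone image with one or two finder patterns is a possible fragment, three is a complete symbol, more than three means several symbols share one image (a code nested inside another contributes its own three). The 25x25 sample symbol, the split column and the side-by-side "multiple symbols" image are all constructed here for demonstration; the data area is a checkerboard placeholder, so the sample is not a decodable QR code.

```python
"""Finder-pattern counting as a heuristic against split and nested QR codes.

Added example (not Barracuda's tooling). Images are lists of rows of 0 (light)
and 1 (dark) modules; the sample symbol below is constructed, not a real QR.
"""


def _runs(line):
    """Run-length encode a 0/1 sequence into (value, start, length) triples."""
    runs, i = [], 0
    while i < len(line):
        start = i
        while i < len(line) and line[i] == line[start]:
            i += 1
        runs.append((line[start], start, i - start))
    return runs


def _pattern_centers(line):
    """Indices where five consecutive runs dark:light:dark:light:dark have the
    1:1:3:1:1 ratio that every QR finder pattern shows through its centre."""
    centers, runs = [], _runs(line)
    for i in range(len(runs) - 4):
        window = runs[i:i + 5]
        if window[0][0] != 1:          # the 5-run window must start on a dark run
            continue
        lens = [n for _, _, n in window]
        unit = lens[0]
        if lens[1] == lens[3] == lens[4] == unit and lens[2] == 3 * unit:
            _, start, n = window[2]   # the wide dark run is the pattern centre
            centers.append(start + n // 2)
    return centers


def finder_pattern_centers(img):
    """Set of (row, col) finder-pattern centres: a horizontal 1:1:3:1:1 hit is
    kept only if the same ratio is centred on that row vertically."""
    found = set()
    for r, row in enumerate(img):
        for c in _pattern_centers(row):
            column = [img[i][c] for i in range(len(img))]
            if r in _pattern_centers(column):
                found.add((r, c))
    return found


def classify(img):
    """Label an image by how many finder patterns it contains."""
    n = len(finder_pattern_centers(img))
    if n == 0:
        return "no QR symbol"
    if n < 3:
        return "possible QR fragment"     # lone half of a split code
    if n == 3:
        return "complete QR symbol"
    return "multiple QR symbols"          # nested or side-by-side codes


def stitch_horizontally(left, right):
    """Composite two images placed next to each other, as the mail client renders them."""
    if len(left) != len(right):
        raise ValueError("fragments must have the same height to be composited")
    return [l + r for l, r in zip(left, right)]


def build_sample_symbol(size=25):
    """Constructed 25x25 QR-like matrix: genuine finder patterns and separators
    in three corners, checkerboard stand-in for the data area."""
    corners = [(0, 0), (0, size - 7), (size - 7, 0)]
    img = []
    for r in range(size):
        row = []
        for c in range(size):
            module = (r + c) % 2                       # placeholder data modules
            for top, left in corners:
                i, j = r - top, c - left
                if -1 <= i <= 7 and -1 <= j <= 7:      # 7x7 finder plus 1-module separator
                    inside = 0 <= i <= 6 and 0 <= j <= 6
                    ring = i in (0, 6) or j in (0, 6) or (2 <= i <= 4 and 2 <= j <= 4)
                    module = 1 if inside and ring else 0
            row.append(module)
        img.append(row)
    return img


if __name__ == "__main__":
    symbol = build_sample_symbol()
    left = [row[:13] for row in symbol]               # constructed split at column 13
    right = [row[13:] for row in symbol]
    print("left fragment alone :", classify(left))
    print("right fragment alone:", classify(right))
    print("composited          :", classify(stitch_horizontally(left, right)))
    two = [row + [0] * 4 + row for row in symbol]     # two symbols in one image
    print("two symbols         :", classify(two))
```

The practical consequence for a mail filter: decode adjacent inline images as one composite before deciding there is no QR code, and treat any single image that yields more than three finder patterns as carrying more than one symbol, so each embedded URL can be inspected rather than only the one a given scanner app happens to pick.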

Barracuda's threat analysis team documented these techniques in attacks targeting Microsoft password reset credentials, though the company has not disclosed the scale of campaigns or number of victims affected.

"Malicious QR codes are popular with attackers because they look legitimate and can bypass traditional security measures such as email filters and link scanners," said Saravan Mohankumar, manager of Barracuda's threat analysis team.

The evolution comes as QR code usage has surged across Australian and New Zealand organisations since the COVID-19 pandemic, particularly for contactless interactions and digital workflows. However, QR codes present a distinct security challenge: they are typically scanned with mobile devices, which may operate outside the corporate security perimeter.

For IT managers overseeing email security, the techniques highlight ongoing challenges in detecting image-based threats. Traditional content filtering may struggle to identify split or nested codes without sophisticated analysis capabilities.

The Australian Cyber Security Centre has previously warned organisations about QR code phishing, known as "quishing," noting that mobile scanning can bypass corporate web filtering and endpoint protection.

Security experts recommend organisations implement multi-layered email protection and maintain security awareness training focused on QR code risks. The techniques also underscore the importance of mobile device management policies that extend security controls to personal devices used for business purposes.