According to Infosecurity Magazine, the FBI issued a Flash report warning about ongoing North Korean phishing campaigns that use QR codes to bypass email security. The alert, issued in 2025, states the prolific Kimsuky APT group is targeting think tanks, academic institutions, and U.S. and foreign government entities. The tactic, called “quishing,” redirects victims to mobile devices to evade desktop security and delivers credential-harvesting pages impersonating Microsoft 365, Okta, or VPN portals. The FBI warns these attacks often end with session token theft to bypass multi-factor authentication and hijack cloud identities. Once inside, adversaries establish persistence and launch further spearphishing from the compromised account. This comes as North Korean threat actors, who stole over $2 billion in crypto last year according to Chainalysis, continue to refine their cyber-espionage and financial theft operations.
Why Quishing Is So Sneaky
Here’s the thing about this QR code trick: it’s brutally effective because it exploits a gap in our security mindset. Your corporate email gateway is probably pretty good at scanning links in emails, right? It can rewrite them, sandbox them, block them. But a static image of a QR code? That’s just a picture. There’s no malicious URL for the scanner to catch. So the email gets through. And then the target, maybe out of habit or curiosity, scans it with their phone. Boom. You’ve just moved the attack from a managed corporate laptop to an unmanaged personal device. That’s a whole different security perimeter, often with far fewer protections. The FBI isn’t exaggerating when they call this an “MFA-resilient identity intrusion vector.” Stealing a session token after a login is a killer move that makes all those two-factor prompts useless.
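The "MFA-resilient" part is the piece defenders can still catch after the fact: a phished session token shows up as the same session id being used from a device that never answered an MFA challenge. The block below is an added example (not from the FBI Flash or this article) of that detection run over constructed sign-in events. It assumes the identity provider exports a stable session id, source IP, user agent and a per-event flag saying whether an interactive MFA challenge was completed; the field names and sample events are made up for illustration.

```python
"""Detecting replay of a stolen cloud session token.

Added example, not code from the FBI Flash report or the article. It assumes an
identity provider exports sign-in events with a stable session id, the source IP,
the user agent, and whether an interactive MFA challenge was completed in that
event. Field names and the sample events are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str   # assumption: the IdP issues one id per authenticated session
    ip: str
    user_agent: str
    mfa_fresh: bool   # True only when an interactive MFA challenge was passed here


def detect_session_replay(events, window=timedelta(hours=24)):
    """Flag a session id that reappears from a different IP *and* user agent
    without a fresh MFA challenge, within `window` of the session's first use.

    That is the shape of a phished token: the victim passed MFA on one device
    (for quishing, typically a phone), then the same session continues from
    other infrastructure on another device with no MFA prompt at all.
    """
    origin = {}   # session_id -> event that first minted the session
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        first = origin.setdefault(ev.session_id, ev)
        if first is ev:
            continue
        device_changed = ev.ip != first.ip and ev.user_agent != first.user_agent
        if device_changed and not ev.mfa_fresh and ev.ts - first.ts <= window:
            alerts.append({
                "user": ev.user,
                "session_id": ev.session_id,
                "minted_from": (first.ip, first.user_agent),
                "replayed_from": (ev.ip, ev.user_agent),
                "seconds_after_mint": int((ev.ts - first.ts).total_seconds()),
            })
    return alerts


def sample_events():
    """Constructed sign-in log: one stolen session and two benign patterns."""
    t0 = datetime(2025, 1, 15, 9, 0, 0)
    mobile = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"
    desktop = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
    return [
        # alice: signs in with MFA from her phone after scanning a lure; seven
        # minutes later the same session is used from a different IP and a desktop UA.
        SignIn(t0, "alice", "s-1001", "203.0.113.10", mobile, mfa_fresh=True),
        SignIn(t0 + timedelta(minutes=7), "alice", "s-1001", "198.51.100.77", desktop, mfa_fresh=False),
        # bob: same session, same IP, user agent changed by a browser update (benign)
        SignIn(t0, "bob", "s-2002", "192.0.2.5", desktop, mfa_fresh=True),
        SignIn(t0 + timedelta(hours=2), "bob", "s-2002", "192.0.2.5", desktop + " Edg/120.0", mfa_fresh=False),
        # carol: new network and device, but she passed a fresh MFA challenge there (benign)
        SignIn(t0, "carol", "s-3003", "192.0.2.9", desktop, mfa_fresh=True),
        SignIn(t0 + timedelta(hours=1), "carol", "s-3003", "203.0.113.44", mobile, mfa_fresh=True),
    ]


if __name__ == "__main__":
    for alert in detect_session_replay(sample_events()):
        print(alert)
```

Requiring both IP and user agent to change keeps ordinary mobility (home to office on the same laptop) out of the alert queue; the price is that a replay from the same network or with a copied user agent is missed, so this rule belongs alongside impossible-travel and new-device checks rather than replacing them. When it fires, the response is to revoke the session and refresh tokens for that user, not just reset the password, because the attacker holds a valid session, not the credential.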
The Bigger Picture on North Korean Hacks
Look, this isn’t some random criminal gang. This is state-sponsored activity with two very clear missions: spy and steal. The Kimsuky group is well-known for intelligence gathering, so hitting think tanks and government entities makes perfect sense. But that $2 billion crypto theft figure from 2024? That shows the other, equally important side of the coin. These groups are funding a regime. So the campaigns are dual-purpose: steal secrets to gain strategic advantage, and steal money to fund the operation (and the state). It’s a relentless, well-resourced machine. When you see an alert like this from the FBI, it’s because the tactic is working and they’re seeing real compromises. This isn’t theoretical.
What Can Organizations Do?
So what’s the defense? The FBI recommends a multi-layered approach, and they’re right. You can’t just rely on one tool. First, user training needs to evolve. “Don’t click strange links” now has to become “Don’t scan strange QR codes in emails, especially from unknown senders.” That’s a new behavior to instill. Technically, email security solutions need to get better at detecting and blocking these QR code attachments. And maybe it’s time to look at mobile threat defense solutions for corporate data access. Basically, you have to assume the attack chain will jump from your managed network to an unmanaged device, and figure out how to protect the data at that point. It’s a tough ask, but the alternative is letting attackers walk right in because you trusted a little square barcode.
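The gateway gap described earlier (a QR image carries no URL for link rewriting to inspect) and the recommendation above that email security get better at catching these attachments both come down to one triage step: treat an image in a login-themed message as a potential link, decode it, and run the result through the same policy used for clickable URLs. The block below is an added example of that triage, not code from the FBI Flash, the article, or any gateway product. It assumes mail is available as raw RFC 5322 bytes (two constructed samples are built inline), that QR decoding is done by pyzbar and Pillow when they are installed (otherwise the image is routed for detonation), and that `ALLOWED_LOGIN_HOSTS` holds your organisation's real identity-provider hosts (placeholders here).

```python
"""Gateway-side triage for QR-code ("quishing") lures.

Added example, not code from the FBI Flash report or the article. Assumes:
- inbound mail as raw RFC 5322 bytes (constructed samples built inline);
- optional QR decoding via pyzbar + Pillow; without them, the image is still
  scored on the surrounding indicators and marked for detonation;
- ALLOWED_LOGIN_HOSTS lists your real IdP hosts (placeholder values here).
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

LURE_PHRASES = ("scan the qr", "scan this code", "scan with your phone", "use your mobile", "qr code")
IDP_BRANDS = ("microsoft", "office365", "m365", "okta")
CONTEXT_WORDS = IDP_BRANDS + ("office 365", "vpn", "sso", "password", "mfa")
ALLOWED_LOGIN_HOSTS = {"login.microsoftonline.com", "example.okta.com"}  # placeholder: your IdP hosts
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32   # constructed placeholder bytes, not a real image


def decode_qr_urls(image_bytes):
    """Return QR payloads found in the image, or None when no decoder is available
    or the image cannot be read (callers treat None as 'send to detonation')."""
    try:
        from io import BytesIO
        from PIL import Image
        from pyzbar.pyzbar import decode
        codes = decode(Image.open(BytesIO(image_bytes)))
    except Exception:
        return None
    return [c.data.decode("utf-8", "replace") for c in codes if c.type == "QRCODE"]


def classify_url(url):
    """Same link policy the gateway applies to clickable URLs, reused for QR payloads."""
    host = (urlparse(url).hostname or "").lower()
    if host in ALLOWED_LOGIN_HOSTS:
        return "allowlisted"
    if any(brand in host for brand in IDP_BRANDS):
        return "impersonation"   # IdP brand in a host we do not own
    return "unknown"


def triage_message(raw):
    """Score one message; returns verdict, score and the reasons behind it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text_parts = [p.get_content() for p in msg.walk()
                  if p.get_content_type() in ("text/plain", "text/html")]
    text = (msg.get("Subject", "") + "\n" + "\n".join(text_parts)).lower()
    images = [p for p in msg.walk() if p.get_content_maintype() == "image"]

    reasons, score = [], 0
    if any(ph in text for ph in LURE_PHRASES):
        reasons.append("asks recipient to scan a code"); score += 2
    if images and not re.search(r"https?://", text):
        reasons.append("image present but no clickable link for URL rewriting to inspect"); score += 1
    if any(w in text for w in CONTEXT_WORDS):
        reasons.append("login/credential context"); score += 1
    for img in images:
        urls = decode_qr_urls(img.get_payload(decode=True))
        if urls is None:
            reasons.append("QR payload not decoded: route image to detonation")
            continue
        for u in urls:
            kind = classify_url(u)
            if kind != "allowlisted":
                reasons.append(f"QR resolves to {kind} host: {u}"); score += 3
    verdict = "quarantine" if score >= 3 else "review" if score == 2 else "deliver"
    return {"verdict": verdict, "score": score, "reasons": reasons}


def build_sample_lure():
    """Constructed lure: urgency, IdP brand, a QR image, and no clickable link."""
    m = EmailMessage()
    m["From"], m["To"] = "it-helpdesk@example.net", "analyst@example.org"
    m["Subject"] = "Action required: Microsoft 365 password expiry"
    m.set_content("Your Microsoft 365 password expires today.\n"
                  "Scan the QR code below with your phone to keep access.\n")
    m.add_attachment(FAKE_PNG, maintype="image", subtype="png", filename="qr.png")
    return m.as_bytes()


def build_sample_benign():
    """Constructed routine mail: a logo image plus an ordinary intranet link."""
    m = EmailMessage()
    m["From"], m["To"] = "colleague@example.org", "analyst@example.org"
    m["Subject"] = "Tuesday agenda"
    m.set_content("Agenda for Tuesday is at https://intranet.example.org/agenda\n")
    m.add_attachment(FAKE_PNG, maintype="image", subtype="png", filename="logo.png")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_sample_benign()):
        print(triage_message(raw))
```

The scoring is deliberately conservative in one direction: a decoded QR that lands on a host you do not own outweighs everything else, while a bare image with no lure text only earns a note. That matches the threat in the alert (the QR is the link) without quarantining every signature logo. The decoder being optional is the point of `decode_qr_urls` returning `None` rather than an empty list: "no decoder" and "no QR present" must not look the same to the policy, or the exact blind spot the FBI describes reappears inside your own pipeline.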
