A phishing campaign with QR codes rendered using an HTML table, (Wed, Jan 7th)
Malicious use of QR codes has long been ubiquitous, both in the real world and in electronic communication. This is hardly surprising given that a scan of a QR code can lead one to a phishing page as easily as clicking a link in an e-mail.
AI Analysis
Technical Summary
This campaign embeds the QR code directly in the HTML body of the e-mail as a table of small cells, each coloured black or white with inline styling, instead of attaching or embedding an image. Most mail clients render such a table exactly like a picture of a QR code, and a phone camera decodes it the same way, but the message contains no image at all. E-mail security products that hunt for malicious QR codes by extracting attached or embedded images and decoding them therefore have nothing to inspect, which is the whole point of the technique. Rendering a QR code as an HTML table has been described in security research before; what is new here is its use in a live phishing campaign.

The URLs encoded in the observed samples point to subdomains of lidoustoo.click, with a per-recipient path that carries the target's e-mail address. Address-bearing paths are commonly used to pre-fill the landing page and to track which recipients scanned, and they make the lure look targeted. Samples were observed between December 22 and December 26, 2025, and the campaign continued into early January 2026. The landing pages are assessed to be credential-harvesting or similar social-engineering pages; no malware or exploit payload is reported, and no widespread exploitation is documented.

The technique is not technically sophisticated, and it has a weakness defenders can use: because the module pattern is fully determined by the cell colours, the encoded URL is recoverable from the HTML alone. A gateway that parses the table into a bitmap can decode the QR code just as a phone would and then apply its normal URL checks. Otherwise the attack relies on the socio-technical side of phishing: a QR code moves the click from the mail client to a phone, and it may be perceived as more routine or trustworthy than a link. The campaign shows that QR detection tuned to image attachments alone is incomplete.
Potential Impact
For European organizations the main risk is credential theft followed by unauthorized access to corporate resources, with the usual consequences: data exposure, payment fraud, and further movement within the environment using the stolen account. Two properties of the campaign raise its success rate. First, the scan happens on a phone, frequently a personal one, so the resulting browser session runs outside the desktop URL filtering, proxy and endpoint controls that would normally see a clicked link. Second, the per-recipient URL makes the lure look targeted and lets the landing page greet the victim by address. Because the QR code is not an image, gateways that detect QR phishing only by decoding images will pass these messages, increasing exposure until HTML-aware detection is in place. Widespread legitimate use of QR codes in Europe for payments, ticketing, authentication and information sharing conditions users to scan them without much thought, which works in the attacker's favour. User education therefore matters here, since technical controls alone are insufficient. The severity is rated medium: the impact of a compromised account is real, but the attack requires user interaction on a second device and some effort from the attacker, and no software vulnerability is exploited.
Mitigation Recommendations
1. Configure e-mail security gateways and anti-phishing tools to analyze HTML content for QR codes rendered as tables or CSS blocks, not only images.
2. Inspect HTML bodies deeply enough to reconstruct the QR code from the table cells, decode it, and run the resulting URL through the same reputation and sandbox checks that apply to ordinary links.
3. Train users specifically about QR codes that arrive by e-mail: a legitimate sender rarely needs a QR code in a message that is already being read on a device with a browser, and any such code should be treated like an unexpected link, with the source verified before scanning.
4. Use phishing-resistant multi-factor authentication (FIDO2 or passkeys where possible) on critical systems to limit what a harvested password is worth; one-time-code MFA reduces but does not remove the risk, since a phishing page can relay codes in real time.
5. Block and alert on DNS and proxy traffic to lidoustoo.click and its subdomains, and expect the domain to rotate: treat the indicator as a short-lived signal, not a durable control.
6. Encourage users to report suspicious e-mails containing QR codes so the security team can decode and analyze them.
7. Keep URL rewriting and sandboxing in the gateway, but note that they only help once the QR code has been decoded: the URL never appears as a link in the message, so there is nothing to rewrite or detonate until the bitmap has been reconstructed and read.
8. Update threat intelligence feeds and detection signatures to cover HTML-rendered QR codes; a cheap structural signature is a square table of several hundred small, borderless cells using only two background colours.
9. Include QR-code lures in phishing simulation exercises to improve user resilience.
10. Where mobile device management (MDM) is in place, extend URL and DNS filtering to managed mobile devices, since both the scan and the resulting click happen on the phone rather than on the desktop that received the e-mail.
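The technique described in the technical summary and the HTML-aware detection called for in items 1, 2 and 8 above can be demonstrated with a small parser. The following is an added example written for this page, not code from the ISC diary or from the campaign. It turns every table in an HTML mail into a 0/1 grid from the cells' inline colours, checks the grid for the structure every QR symbol has (square, a legal 21 + 4k size, three finder patterns in the corners) and writes a PBM image that a conventional decoder such as zbarimg can read. The e-mail HTML is constructed inside the block; the exact cell markup (widths, cellspacing) is an assumption about how such mails are built, and the sample grid carries only the finder, separator and timing patterns of a Version 1 symbol plus filler, so it is deliberately not a decodable QR code. The structural check itself is general and applies to any symbol size.

```python
"""Reconstruct a QR-style bitmap from an HTML table of coloured cells.
Added example, not code from the ISC diary or the campaign. The e-mail HTML
is constructed here (the cell markup is an assumption) and its grid carries
only the finder and timing patterns of a Version 1 symbol plus filler, so
it is NOT a decodable QR code: the checks below are structural."""
import re
from html.parser import HTMLParser

# The 7x7 finder pattern that sits in three corners of every QR symbol.
FINDER = [[int(ch) for ch in row] for row in (
    "1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111")]

def is_dark(colour):
    """Dark if a #rgb/#rrggbb colour's luminance is below half scale; 'black'
    is dark, anything unparsed (other names, rgb()) counts as light."""
    c = colour.strip().lower()
    m = re.fullmatch(r"#([0-9a-f]{3}|[0-9a-f]{6})", c)
    if not m:
        return c == "black"
    h = m.group(1)
    h = h if len(h) == 6 else "".join(ch * 2 for ch in h)
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.299 * r + 0.587 * g + 0.114 * b < 128

def cell_is_dark(attrs):
    """Colour of a <td>, from its inline style or a bgcolor attribute."""
    a = dict(attrs)
    m = re.search(r"background(?:-color)?\s*:\s*([^;]+)", a.get("style") or "", re.I)
    return is_dark(m.group(1) if m else (a.get("bgcolor") or ""))

class TableGrids(HTMLParser):
    """Every <table> as a 0/1 grid, one entry per cell (nested tables not tracked)."""
    def __init__(self):
        super().__init__()
        self.tables, self._rows, self._row = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "table":
            self._rows = []
        elif tag == "tr" and self._rows is not None:
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._row.append(1 if cell_is_dark(attrs) else 0)
    def handle_endtag(self, tag):
        if tag == "tr" and self._row is not None:
            if self._row:
                self._rows.append(self._row)
            self._row = None
        elif tag == "table" and self._rows is not None:
            self.tables.append(self._rows)
            self._rows = None

def has_finder(grid, r0, c0):
    return all(grid[r0 + i][c0 + j] == FINDER[i][j] for i in range(7) for j in range(7))

def qr_likeness(grid):
    """(is_qr_like, reason): square, a legal symbol size, three finders."""
    n = len(grid)
    if n < 21 or any(len(r) != n for r in grid):
        return False, "not a square grid of at least 21 cells"
    if (n - 21) % 4:
        return False, f"{n}x{n} is not a QR symbol size (21 + 4k)"
    found = sum(has_finder(grid, r, c) for r, c in [(0, 0), (0, n - 7), (n - 7, 0)])
    if found < 3:
        return False, f"only {found} of 3 finder patterns present"
    return True, f"{n}x{n} grid with three finder patterns (version {(n - 17) // 4})"

def scan_email(html):
    """[(is_qr_like, reason, grid), ...] for every table in the message."""
    p = TableGrids()
    p.feed(html)
    return [qr_likeness(g) + (g,) for g in p.tables]

def to_pbm(grid, quiet=4):
    """Plain PBM (P1, 1 = black) with a quiet zone, for a normal QR decoder."""
    w, pad = len(grid) + 2 * quiet, [0] * quiet
    body = [[0] * w] * quiet + [pad + row + pad for row in grid] + [[0] * w] * quiet
    return "\n".join(["P1", f"{w} {w}"] + [" ".join(map(str, r)) for r in body]) + "\n"

def sample_grid(n=21, with_finders=True):
    """Constructed grid: deterministic filler plus, optionally, the three finders
    with their light separators and the two timing patterns (no real data)."""
    g = [[1 if (i * 7 + j * 3) % 5 < 2 else 0 for j in range(n)] for i in range(n)]
    if with_finders:
        for r0, c0 in [(0, 0), (0, n - 7), (n - 7, 0)]:
            for i in range(-1, 8):
                for j in range(-1, 8):
                    if 0 <= r0 + i < n and 0 <= c0 + j < n:
                        inside = 0 <= i < 7 and 0 <= j < 7
                        g[r0 + i][c0 + j] = FINDER[i][j] if inside else 0
        for k in range(8, n - 8):
            g[6][k] = g[k][6] = 1 - k % 2
    return g

def grid_to_html(grid, px=4):
    """One coloured <td> per module, as the campaign mails did (markup assumed)."""
    rows = "".join(
        "<tr>" + "".join(
            f'<td style="width:{px}px;height:{px}px;background-color:'
            f'{"#000000" if v else "#ffffff"}"></td>' for v in row) + "</tr>"
        for row in grid)
    return ("<html><body><p>Scan the code to review the shared document.</p>"
            f'<table cellspacing="0" cellpadding="0" border="0">{rows}</table></body></html>')

if __name__ == "__main__":
    for ok, reason, grid in scan_email(grid_to_html(sample_grid())):
        print(("QR-like table: " if ok else "other table: ") + reason)
```

In a gateway the flagged grid would be written out with to_pbm and handed to a real decoder, and the URL that comes back would then pass through the same reputation, rewriting and sandbox checks as a normal link. The parser is intentionally minimal: production code needs to track nested tables, honour colspan/rowspan, recognise CSS classes and div-based layouts that achieve the same effect, and tolerate near-white and near-black colours chosen to defeat exact matching, which is why the luminance threshold rather than a fixed colour list is the right starting point.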
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/32606 (fetched 2026-01-07, 689 words)
Related Threats
- Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing (Medium)
- Complex Routing, Misconfigurations Exploited for Domain Spoofing in Phishing Attacks (Medium)
- Cryptocurrency Scam Emails and Web Pages As We Enter 2026, (Sun, Jan 4th) (Medium)
- Cybercriminals Abuse Google Cloud Email Feature in Multi-Stage Phishing Campaign (Medium)
- Phishing campaign abuses Google Cloud Application to impersonate legitimate Google emails (Medium)