FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing
The U.S. Federal Bureau of Investigation (FBI) on Thursday released an advisory warning of North Korean state-sponsored threat actors leveraging malicious QR codes in spear-phishing campaigns targeting entities in the country. "As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR)
AI Analysis
Technical Summary
The FBI has issued an advisory about North Korean state-sponsored threat actors, notably the Kimsuky group (also known as APT43 and other aliases), employing malicious QR codes in spear-phishing campaigns since 2025. This attack vector, termed 'quishing,' involves embedding QR codes in spear-phishing emails that direct victims to malicious infrastructure controlled by the attackers. Victims scanning these QR codes are redirected to phishing sites designed to harvest credentials, such as Google account logins, or to download malware like the Android variant DocSwap. The tactic exploits the security gap created when users move from enterprise-managed devices to personal or unmanaged mobile devices, which often lack robust endpoint detection and response (EDR) capabilities. Kimsuky has a history of exploiting email authentication weaknesses, including misconfigured DMARC policies, to spoof legitimate domains and increase the credibility of their phishing emails. The FBI observed multiple campaigns targeting think tanks, academic institutions, and government entities, including spoofing foreign advisors, embassy employees, and internal staff to solicit sensitive information or access. The attacks frequently culminate in session token theft and replay attacks, allowing adversaries to bypass MFA protections and hijack cloud identities without triggering typical security alerts. Once inside, attackers establish persistence and use compromised mailboxes to launch secondary spear-phishing campaigns, further expanding their foothold. This threat is notable for its MFA resilience and the use of mobile devices as an attack vector, which complicates detection and response efforts in enterprise environments.
Potential Impact
For European organizations, particularly those in government, academia, and policy research sectors, this threat poses significant risks to confidentiality, integrity, and availability of sensitive information. The use of malicious QR codes circumvents traditional email security and endpoint protections by exploiting mobile devices, which are often less controlled in enterprise environments. Successful exploitation can lead to credential theft, including cloud identity compromise, enabling attackers to bypass MFA and gain persistent access to critical systems. This can result in unauthorized data exfiltration, espionage, disruption of operations, and the potential for secondary attacks launched from compromised accounts. The strategic targeting of think tanks and government entities aligns with geopolitical interests, increasing the likelihood of espionage and influence operations affecting European policy and security. The stealthy nature of these attacks, combined with their MFA bypass capability, makes detection difficult and remediation complex, potentially leading to prolonged breaches and significant operational impact.
Mitigation Recommendations
European organizations should implement multi-layered defenses specifically tailored to counter quishing attacks. This includes:
1) Enhancing user awareness training focused on the risks of scanning QR codes from unsolicited or unexpected emails, emphasizing verification of QR code sources before scanning.
2) Deploying mobile device management (MDM) solutions to enforce security policies on mobile devices, including restricting installation of untrusted applications and enabling endpoint detection capabilities on mobile platforms.
3) Implementing advanced email security solutions that analyze embedded QR codes and URLs for malicious content before delivery.
4) Enforcing strict DMARC, DKIM, and SPF configurations to reduce email spoofing and improve domain authentication.
5) Utilizing conditional access policies and continuous risk-based authentication to detect anomalous access patterns, especially from mobile devices.
6) Monitoring for session token anomalies and implementing token binding or short-lived tokens to reduce replay attack risks.
7) Establishing incident response playbooks that include rapid containment of compromised mailboxes and forensic analysis of secondary spear-phishing activities.
8) Encouraging the use of hardware-based MFA tokens that are less susceptible to session token theft.
9) Collaborating with threat intelligence sharing platforms to stay updated on emerging Kimsuky tactics and indicators of compromise.
These measures go beyond generic phishing advice by addressing the unique challenges posed by quishing and mobile device exploitation.
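Recommendation 4 and the DMARC weakness described in the technical summary both come down to whether a domain's published policy actually tells receivers to reject spoofed mail. The Python check below is an added example, not code from the advisory or the article: it parses DMARC and SPF TXT records and reports the settings (p=none, partial pct, sp=none, +all) that leave a spoofed sender deliverable. The domains and records are constructed samples, and the `lookup` parameter is a hypothetical hook you would replace with a real DNS TXT query.

```python
# Added example (not from the FBI advisory or the article): flag DMARC/SPF
# settings that let mail spoofing a domain be delivered. Records are constructed.

# Constructed sample TXT records keyed by the DNS name that would hold them.
SAMPLE_DNS = {
    "_dmarc.strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=20",
    "_dmarc.loosesub.example": "v=DMARC1; p=reject; sp=none",
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "open.example": "v=spf1 +all",
}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(domain, lookup=SAMPLE_DNS.get):
    """Return findings explaining why mail spoofing this domain would still be delivered."""
    record = lookup("_dmarc." + domain)
    if record is None or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "none").lower()  # a missing 'p' is treated as no enforcement
    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is delivered")
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains can be spoofed despite the parent policy")
    return findings

def assess_spf(domain, lookup=SAMPLE_DNS.get):
    """Return findings for an SPF record whose 'all' mechanism accepts unknown senders."""
    record = lookup(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return ["no SPF record: no sender authorization for DMARC to align with"]
    last = record.split()[-1].lower()
    if last in ("+all", "all"):
        return ["+all: any host passes SPF for this domain"]
    return []
```

Run it against your own domains (replacing `lookup` with a DNS query) and treat any non-empty finding for a domain used in official correspondence as a spoofing exposure to close.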
Affected Countries
United Kingdom, Germany, France, Belgium, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
Article Source: https://thehackernews.com/2026/01/fbi-warns-north-korean-hackers-using.html (fetched 2026-01-09T11:35:30Z, 1095 words)