Microsoft Warns of Surging QR-Code Phishing After Exchange Anti-Phishing Failure
Microsoft said attackers are increasingly using QR-code phishing to steal credentials, with the company analyzing 8.3 billion email-based phishing threats in Q1 2026 and recording a 146% increase in quishing activity. Researchers said more than 35,000 users across roughly 13,000 organizations were targeted through emails, PDFs, and fake CAPTCHA pages carrying malicious QR codes that redirected victims through multiple sites to counterfeit login portals. Microsoft also reported a 336% surge in QR codes embedded directly in emails in March, alongside continued business email compromise lures and phishing kits such as Tycoon2FA, which it disrupted with Europol before operators began rebuilding infrastructure and shifting toward .RU domains.
The warning follows a separate Microsoft 365 security incident in which faulty heuristic anti-phishing rules in Exchange Online and Teams wrongly flagged legitimate content as malicious. The incident, tracked as EX1227432, caused valid emails to be quarantined, links to be blocked, Zero-hour Auto Purge (ZAP) actions to trigger incorrectly, and false Microsoft XDR alerts to be sent after a logic error misclassified legitimate URLs as phishing links. Microsoft said the outage was prolonged by bugs in related signature and rollback systems, underscoring how both attacker evasion and defensive misfires can disrupt cloud email security and credential protection efforts.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft warns quishing campaigns targeted 35,000 users at 13,000 organizations
Microsoft researchers said rising quishing campaigns had targeted more than 35,000 users across about 13,000 organizations worldwide. The attacks used malicious QR codes in emails, PDFs, and fake CAPTCHA pages to redirect victims through multiple webpages to credential-harvesting portals.
Microsoft reports sharp rise in QR-code phishing in Q1 2026
By Q1 2026, Microsoft had analyzed more than 8.3 billion email-based phishing threats and reported a 146% increase in QR-code phishing, including a 336% surge in QR codes embedded directly in emails in March. The company also detected 10.7 million phishing threats targeting business emails and warned that attackers were increasingly using QR codes, CAPTCHA pages, and BEC lures to evade defenses.
Microsoft and Europol disrupt Tycoon2FA phishing-as-a-service
In March 2026, Microsoft and Europol disrupted the Tycoon2FA phishing-as-a-service operation. Microsoft said this contributed to a 15% decline in attacks using Tycoon2FA methods, though the group was observed rehosting infrastructure and increasingly using .RU domains afterward.
Microsoft fully resolves EX1227432 after rollback delays
Microsoft said the Exchange Online incident was fully resolved on 2026-02-12 after additional bugs in related security tooling and signature rollback mechanisms prolonged the disruption. The outage lasted nearly a week and had noticeable user impact across email and Teams communications.
Exchange Online anti-phishing logic error begins causing false positives
On 2026-02-05, a Microsoft Exchange Online incident tracked as EX1227432 began when faulty heuristic phishing-detection rules incorrectly classified legitimate URLs as phishing. The issue caused legitimate emails and Teams messages to be quarantined, links to be blocked, and false Microsoft XDR alerts to be generated.
Sources
Microsoft Warns Users About Rising QR Code Phishing and Quishing Scams - CySecurity News (cysecurity.news)
QR code phishing surges 146% as Microsoft detects and analyzes 8.3 billion phishing threats in Q1 2026 - attackers are changing tactics to bypass security | TechRadar (techradar.com)
Microsoft: Anti-phishing rules mistakenly blocked emails, Teams messages (linkedin.com)
SSO Blast Radius: Exfiltrating Data via Email | Ranjan S. posted on the topic | LinkedIn (linkedin.com)
Major Energy Company Targeted in Large QR Code Phishing Campaign (cofense.com)


