Write Hatem Mohamed

QR codes embedded in emails have long been a tool for phishing and scams, and back in the second half of 2025 there was a fivefold surge in QR phishing attacks detected by Kaspersky. Now Kaspersky researchers have identified a new phishing tactic in which attackers construct QR codes using text characters rather than traditional images. This method allows such malicious QR codes to bypass many email security solutions that rely on image scanning or link detection.

*Malicious QR Codes Built From Text Characters* 
A malicious QR code put together with strings of text characters. Early computers were incapable of rendering true graphics, and images on them were composed entirely of text characters. Historically this was done with symbols from the ASCII (American Standard Code for Information Interchange) character set, introduced in 1963. Images created using this technique were called ASCII graphics. Later other character sets like Unicode were also utilized to create images, but the term ASCII graphics remained.

*ASCII Graphics Return to Evade Detection* 
An example of ASCII graphics. In the 2000s, spam senders already used images built from text symbols. By using text-based graphics instead of embedded images, attackers tried to avoid detection mechanisms that analyze pictures for hidden URLs. With ASCII graphics used to create QR codes, the phishing scheme follows a familiar pattern as with QR codes in images which Kaspersky described earlier.

*Fake DocuSign Emails Target Corporate Credentials* 
Victims receive an email allegedly coming from a business partner, claiming to include a confidential document for signature via DocuSign. The message instructs the recipient to scan a QR code to access the document, leading to a fake website where corporate credentials are requested. With the QR code laid out in text characters, many protective solutions would fail to identify any suspicious links.

*Kaspersky Expert Flags Credential Requests as Red Flag* 
“We have previously seen phishers try to avoid link scanning by hiding URLs in images. Now they are attempting to evade image-based scanning by returning to text – this time to render a QR code. Any instance where a QR code prompts someone to enter corporate credentials on a mobile device should raise immediate suspicion. When the QR code is formed using textual ASCII art, it is almost certainly a phishing attempt or a lure to a malicious URL. This trick has only one purpose: bypassing security technologies,” comments Roman Dedenok, Anti-Spam Expert at Kaspersky.

*Recommended Defense Measures* 
To defend against this threat, Kaspersky recommends deploying a proven mail server security solution such as Kaspersky Security for Mail Server that provides secure corporate email exchange, countering spam, email-borne infections, all forms of phishing, business email compromise BEC, QR code attacks, and other threats.