QR-code phishing — "quishing" — more than doubled in Q1 2026 according to Microsoft Threat Intelligence. The mechanics are simple and ugly: an email that looks like an invoice or payment notice arrives with a QR code in the body. The user pulls out their personal phone, scans it, and lands on a credential-harvesting page. The email security stack never sees the malicious URL, because it is encoded in an image rather than written as a link, and the page is then opened on a device the organisation doesn't manage.
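The gap described above (the URL is inside an image, so URL-based filtering has nothing to inspect) can still be triaged on the email side from structure alone. The following is an added example, not code from the original post or from any Microsoft product: it parses a MIME message with Python's standard `email` package and flags the quishing shape, payment or invoice wording plus an inline image referenced by `cid:` and no clickable URL anywhere in the body. The sample messages, addresses and the placeholder PNG bytes are constructed for the example; actually decoding the QR payload would need an image decoder, which this example deliberately leaves out.

```python
"""Structural triage for the quishing pattern in an RFC 822 message.

Added example (not from the original post). Flags a message when all three hold:
lure wording, an inline image referenced from the body via cid:, and no URL in
the text/HTML. The QR payload itself is not decoded here.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# URLs that a link-scanner would normally see. Stops at quotes and angle brackets
# so an href value is captured without the surrounding HTML.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Lure vocabulary; extend from your own phishing corpus.
LURE_RE = re.compile(r"\b(invoice|payment|payroll|remittance|overdue|scan)\b", re.I)


def triage(raw: bytes) -> dict:
    """Parse a raw message and return what a detection rule would key on."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text_parts, images = [], []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text_parts.append(part.get_content())
        elif part.get_content_maintype() == "image":
            images.append({
                "filename": part.get_filename(),
                "cid": (part.get("Content-ID") or "").strip("<>"),
                "size": len(part.get_payload(decode=True) or b""),
            })
    body = "\n".join(text_parts)
    urls = URL_RE.findall(body)
    # Only images the HTML actually displays inline count; stray attachments do not.
    inline = [img for img in images if img["cid"] and f"cid:{img['cid']}" in body]
    lure = bool(LURE_RE.search(body))
    return {
        "urls": urls,
        "inline_images": inline,
        "lure": lure,
        # The quishing shape: something to "scan", nothing to click.
        "suspicious": lure and bool(inline) and not urls,
    }


def build_sample(with_qr_image: bool) -> bytes:
    """Constructed sample message (not a real phish). with_qr_image=True gives the
    quishing shape; False gives an ordinary invoice mail with a normal link."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Overdue invoice #4471"
    msg.set_content("Your invoice is overdue. Scan the code to review payment.")
    if with_qr_image:
        msg.add_alternative(
            "<p>Your invoice is overdue. Scan the code to review payment.</p>"
            '<img src="cid:qr1" alt="">',
            subtype="html",
        )
        # Placeholder PNG header plus padding, NOT a real QR code.
        fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
        msg.get_payload()[1].add_related(
            fake_png, maintype="image", subtype="png", cid="<qr1>", filename="invoice.png"
        )
    else:
        msg.add_alternative(
            "<p>Your invoice is overdue. "
            '<a href="https://billing.example.invalid/inv/4471">Review payment</a></p>',
            subtype="html",
        )
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        verdict = triage(build_sample(flag))
        print(f"qr_image={flag}: suspicious={verdict['suspicious']} "
              f"urls={verdict['urls']} inline={[i['cid'] for i in verdict['inline_images']]}")
```

In a gateway this would be the cheap first stage: messages that hit `suspicious` go to a QR decoder and the extracted URL is fed into the same reputation and detonation checks that ordinary links already get, which is exactly the step the email stack skips when it trusts only visible hyperlinks.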
The defence isn't a smarter filter. It's awareness combined with policy: brief the team on quishing specifically, enforce Conditional Access policies that won't accept logins from unmanaged phones, and require phishing-resistant authentication (passkeys, FIDO2 security keys), which binds the credential to the legitimate origin so there is no password to type into a fake page.
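What those two policy controls look like in configuration, as an added example that is not part of the original post and not Microsoft's own code: two Conditional Access policy bodies in the Microsoft Graph `conditionalAccessPolicy` schema, the common "require MFA on phones" setting beside the one that actually closes the quishing path (Intune-compliant device AND a phishing-resistant authentication strength), plus a small check that reports which gaps a given policy leaves open. The authentication-strength id is the built-in Entra ID "Phishing-resistant MFA" strength as I understand it, but treat it as an assumption to confirm in your tenant; the break-glass group id is a placeholder.

```python
"""Conditional Access policy bodies (Microsoft Graph schema) for phones, with a
check for the two quishing-relevant gaps: unmanaged devices and phishable MFA.

Added example, not from the original post. Ids are assumptions/placeholders.
"""
import json

# Built-in Entra ID authentication strength "Phishing-resistant MFA".
# ASSUMED id: confirm via GET /identity/conditions/authenticationStrengths.
PHISHING_RESISTANT_MFA_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
MOBILE_PLATFORMS = {"android", "iOS"}  # Graph devicePlatform enum values

# Weak setting: "require MFA" on phones. A push approval or typed OTP on the
# attacker's page still satisfies it, and nothing checks Intune compliance.
WEAK_POLICY = {
    "displayName": "Mobile: require MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["android", "iOS"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def build_phone_policy(break_glass_group_id: str) -> dict:
    """Corrected setting: unmanaged phones are refused (compliantDevice needs an
    Intune compliance policy) AND the sign-in must use a phishing-resistant method."""
    return {
        "displayName": "Mobile: compliant device + phishing-resistant MFA",
        # Stage in report-only first so you can read the sign-in logs before enforcing.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]},
            "applications": {"includeApplications": ["All"]},
            "platforms": {"includePlatforms": sorted(MOBILE_PLATFORMS)},
            "clientAppTypes": ["all"],
        },
        "grantControls": {
            "operator": "AND",
            "builtInControls": ["compliantDevice"],
            "authenticationStrength": {"id": PHISHING_RESISTANT_MFA_STRENGTH_ID},
        },
    }


def policy_findings(policy: dict) -> list:
    """Return the quishing-relevant gaps left by a phone-targeted CA policy."""
    findings = []
    platforms = set(policy["conditions"].get("platforms", {}).get("includePlatforms", []))
    if "all" not in platforms and not MOBILE_PLATFORMS <= platforms:
        findings.append("does not cover both Android and iOS")
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    if "block" in controls:
        return findings  # an outright block leaves no grant-side gap
    has_strength = bool(grant.get("authenticationStrength"))
    if "compliantDevice" not in controls:
        findings.append("unmanaged (non-Intune-compliant) phones can still sign in")
    if not has_strength:
        findings.append("no authentication strength: any MFA method, phishable ones included, satisfies the grant")
    if grant.get("operator") == "OR" and len(controls) + has_strength > 1:
        findings.append("operator OR: satisfying any single control is enough")
    return findings


if __name__ == "__main__":
    corrected = build_phone_policy("PLACEHOLDER-BREAK-GLASS-GROUP-ID")
    for p in (WEAK_POLICY, corrected):
        print(p["displayName"], "->", policy_findings(p) or ["no gaps found"])
    print(json.dumps(corrected, indent=2))  # body for POST /identity/conditionalAccess/policies
```

The check is deliberately narrow: it reads only the fields that decide whether a credential typed into a fake page on an unenrolled phone would get the user in. Run it over the policies exported from a tenant before trusting that "we have MFA on mobile" covers quishing.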
Defender for Office 365 helps with the email side. Intune helps with the device side. Both together close the loop. Neither one alone is enough.
