Threats

Hackers Use Imageless QR Codes for HTML Table Phishing

A novel phishing campaign has emerged, leveraging QR codes in an innovative way. Attackers are transforming simple HTML tables into functional QR representations, subsequently redirecting...

Marcus Rodriguez
Marcus Rodriguez
January 7, 2026 2 Min Read
45 0

A novel phishing campaign has emerged, leveraging QR codes in an innovative way. Attackers are transforming simple HTML tables into functional QR representations, subsequently redirecting unsuspecting users to malicious websites.

Instead of embedding a QR image in the email body, the attackers build the code from hundreds of tiny table cells, each styled as black or white.

The result still scans like a normal QR code, but many email defenses fail to treat it as an image.

The messages, seen between December 22 and December 26, follow a minimal design: a short lure text and a single “squished” QR code block that urges the victim to scan it.

Each QR code redirects to subdomains of lidoustoo[.]click, often using the recipient’s own domain name in the URL path to look more convincing, such as hxxps[:]///. This structure helps the link appear less suspicious at a glance.

Internet Storm Center researchers noted that the QR itself is rendered purely through HTML, using a table made of 4×4 pixel cells with black and white background colors.

Malicious Imageless QR Code (Source - Internet Storm Center)
Malicious Imageless QR Code (Source – Internet Storm Center)

This approach bypasses many QR inspection engines, which are tuned to scan actual image attachments or inline image data. The email HTML, however, looks like harmless layout markup to simple content filters.

In one captured sample, the QR is created using code similar to the snippet below, which defines a dense matrix of cells to encode the pattern:

<table role="presentation" border="0" cellpadding="0" cellspacing="0">
  <tr height="4">
    <td width="4" height="4" bgcolor="#000000"></td>
    <td width="4" height="4" bgcolor="#FFFFFF"></td>
    <td width="4" height="4" bgcolor="#000000"></td>
    <!-- many more cells forming the QR pattern -->
  </tr>
</table>

Detection Evasion Through HTML Table-Based QR Codes

This imageless QR technique exploits a blind spot in many secure email gateways.

Tools that can decode QR images do not always inspect HTML tables as potential graphical structures, so the malicious pattern slips past QR-focused checks.

At the same time, content filters see only standard tags and color attributes, not obvious phishing keywords or image hashes.

For defenders, the campaign is a reminder that protections cannot rely only on how threats “usually” look. Secure email filters must treat dense table grids as possible QR renderings, apply DOM-aware analysis, and flag unusual external redirects.

In parallel, users should be trained that scanning QR codes from unsolicited emails is as risky as clicking unknown links, even when the code looks simple and clean.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitHackerphishingThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

No Comment! Be the first one.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts