Hello and welcome to the Thursday, January 8th, 2026 edition of the Sands

and then at Storm Center's Stormcast. My name is Johannes Ulrich, recording today from

Jacksonville, Florida. And this episode is brought you by the Sands.edu graduate certificate program in incident response.

Today we got another fishing diary from Jan.

Jan is writing about actually a set of emails that I've seen coming into our internal handler's alias over the holidays.

At first I was a little bit worried of attackers

kind of trying some new tricks over the holidays, maybe trying to outrun some of the defenders

here, because of course during the holidays, many of them may have taken the day off and

people also are less likely to make like big updates to their infrastructure over holidays.

Well, the small but significant change here was that QR codes in these emails were actually encoded as an HTML table.

So yeah, looks like a QR code, it may be a little bit squished, but of course,

QR codes are designed to be a rather resilient to like distortions and such like that,

because after all, it's the same as pointing your phone on a QR code from likely a little bit

an odd angle. That's sort of why they work, even if they aren't really perfect.

And a lot of email protection solutions have started looking at QR codes in order to filter

out some of these sort of out-of-band attacks where victims are being tricked to then use

their local phone to complete the fishing attack, which of course then isn't caught often by Enterprise Security Solutions.

So that's the latest trick here.

And of course, now I hope that some of the Fender, some of the anti-fishing solutions will add this to their

repertoire and, well, let's see what attackers are coming up next. And if you are into

fishing and please include us in your fishing mailing list, so that way we also get copies of whatever

you're trying next. And over the last couple days, there were actually, I think, a total of four critical

...