
From Personal Phone to Corporate Breach: The QR Code Security Gap


QR codes were built for convenience… and that’s exactly why attackers love them. In this episode of CISO Unscripted, Mitch Mayne (Unit 42) sits down with Diva Oriane Marty, Senior Web Security Researcher at Palo Alto Networks, to unpack what Unit 42 is seeing in the wild—including 11,000+ malicious QR codes every day.

This isn’t just “scan a code, land on a phishing page” anymore. Diva breaks down how modern QR attacks use in-app deep links to bypass the browser entirely, trigger actions inside trusted apps, and exploit the reality that most scans happen on personal mobile devices—outside typical enterprise visibility. We also dig into a particularly nasty scenario: a user scans a QR code on their phone, unknowingly adds a malicious calendar invite, then later opens it on a corporate laptop… creating a clean path into corporate systems.

From direct APK downloads that sidestep app store protections to highly targeted campaigns, this conversation is packed with practical takeaways for security leaders who want real guardrails—not just “be careful” training.

Timecodes:
00:00 How a personal-phone QR scan can become a corporate compromise path
00:37 Welcome to CISO Unscripted + why this discussion is grounded in Unit 42 investigations
01:03 Why QR codes are so attractive to attackers (and what happens after the scan)
01:16 The scale: Unit 42 seeing 11,000+ malicious QR codes per day
01:26 Beyond phishing: QR-triggered logins, payments, and software downloads
02:17 Meet Diva Oriane Marty (Senior Web Security Researcher, Palo Alto Networks)
02:44 Moving beyond the web link: what “in-app deep links” are
03:19 Deep links explained (and how they reduce friction for attackers)
04:12 The enterprise blind spot: why personal devices are the soft underbelly
04:41 Calendar/contacts manipulation: how QR codes can quietly set up the next-stage attack
05:31 “That’s creepy”: How easily your calendar can be compromised with a “Zoom meeting” invite
06:07 QR codes distributing direct APK downloads (and why that bypasses app store safety)
06:41 What an APK is and why “don’t do that” isn’t a sufficient control strategy
07:12 Practical guardrails: scanning/analyzing QR codes on web pages to block malicious hosting
07:51 The human problem: cyber hygiene vs. reality (people still scan)
08:22 How mobile OS flows can nudge users into installing risky downloads
09:03 The geopolitical angle: targeted campaigns and messaging-app takeovers
09:35 Signal-focused attacks in the Russia–Ukraine context (what the research found)
10:02 References to reporting from CERT-UA and Google Threat Intelligence Group
10:23 The real trend: compromising messenger/social media accounts (criminal and state-aligned)
10:48 Where to find the full report + closing thoughts

Date: January 23, 2026