# Microsoft Teams QR Code Scam: How Attackers Exploit Enterprise Trust

> Microsoft Teams has 320 million monthly active users, making it one of the most impersonated platforms in enterprise QR phishing campaigns. Here's how each attack variant works, how to spot a fake, and exactly what to do if you already scanned.

URL: https://www.qrsafer.com/blog/microsoft-teams-qr-code-scam
Published: 2026-06-14

---

A notification arrives in your inbox. Microsoft Teams branding, your company logo, an urgent subject line: *Action required — verify your account before your next Teams meeting.*

At the bottom of the email is a QR code.

This is a **Microsoft Teams QR code scam** — and it is engineered to exploit the two things that make enterprise phishing so dangerous: the trust employees place in internal communication tools, and the security blind spot that QR codes create inside corporate email gateways.

Microsoft Teams has 320 million monthly active users across organizations of every size. That scale makes it one of the highest-value impersonation targets in the world. Here is how attackers use it.

## Why attackers use QR codes in enterprise phishing

Standard corporate email security — URL filtering, link rewriting, sandboxing — is designed to intercept clickable hyperlinks. A QR code is an image, not a link. Security scanners that routinely flag a phishing URL embedded in an email will pass the same URL embedded in a QR code without inspection.

This is not a theoretical gap. Microsoft itself documented QR-based phishing (sometimes called "quishing") in enterprise security advisories, specifically in the context of Microsoft 365 credential harvesting. Understanding [what quishing is](/blog/what-is-quishing) helps explain why this attack vector has grown so rapidly inside corporate environments.

## Attack variant 1: Fake "Teams notification" email with a QR code

This is the most common enterprise variant.

You receive an email with Microsoft Teams branding — the correct logo, font, and color scheme — and a message that a colleague has shared a file with you, that your access to a shared channel has changed, or that your account requires verification. A QR code is included to "review the file" or "confirm your identity."

Scanning the code opens a page that mirrors the Microsoft 365 login screen with high fidelity: the same layout, the "Sign in to your account" prompt, even the pre-filled email address field. When you enter your password, it is captured by the attacker. If your organization uses Azure Active Directory or any SSO provider — Okta, Ping, Google Workspace — the phishing page often mirrors that provider's login screen instead, capturing OAuth tokens that may grant access to dozens of connected systems.

**The rule:** Microsoft Teams never requires you to scan a QR code to review a shared file, verify your account, or restore access to a channel. Shared files appear as clickable links inside the Teams app — not QR codes in emails.

## Attack variant 2: QR code in a Teams direct message from a compromised account

This variant is more dangerous because it comes from inside the organization.

An attacker compromises one employee's Microsoft 365 account — often through a separate phishing attack or a credential leak — and uses that account to send internal Teams messages. Colleagues receive a DM from what looks like a trusted coworker or manager:

- "Hey, can you scan this? It's the new MFA setup our IT team sent out."
- "Secure file share for the project — they changed the access method."
- "Join the new compliance channel through this code."

Because the message comes from a known account and arrives through Teams rather than email, recipients are significantly more likely to scan without scrutiny. The QR code leads to a credential-harvesting page. The attacker now has a second account, which they use to reach further into the organization.

If you receive an unexpected QR code in a Teams message — even from someone you know — verify it through a separate channel before scanning.

## Attack variant 3: Fake IT department MFA enrollment QR codes

This variant is specifically tailored to organizational contexts where IT pushes MFA enrollment.

Attackers send emails or, in some cases, place printed notices in common office areas claiming to be from the company's IT or security team: "Your Microsoft authenticator app requires re-enrollment. Scan the QR code below to complete the process." The timing often coincides with real organizational events — a known security initiative, a merger, a policy change — to increase plausibility.

The QR code links to a page that either harvests Microsoft 365 credentials directly or intercepts the MFA enrollment flow to register the attacker's authenticator device instead of the employee's. The victim believes they completed a legitimate security task. In reality, the attacker now controls MFA for that account.

**Real MFA enrollment** through Microsoft is done inside the Microsoft Authenticator app, at aka.ms/mfasetup, or through a link provided directly inside the Microsoft 365 admin portal — not through a QR code in an unsolicited email or a printed flyer.

## Attack variant 4: Fake "Teams update required" QR code

The fourth variant targets the device rather than the credentials.

An email or Teams notification announces a mandatory Teams desktop or mobile update. The update is not available through the normal app store — you need to scan a QR code to download it directly. The code links to a trojanized installer that installs malware alongside a convincing, functional Teams app.

This approach also appears on printed materials in shared spaces — office lobbies, conference rooms, cafeterias — where an "IT Update Required" notice with a QR code can be left without raising immediate suspicion.

Microsoft Teams updates are delivered automatically through the Teams desktop client or through your organization's device management system (Microsoft Intune, Jamf, or similar). If an update requires manual installation via QR code, it is not a real Microsoft Teams update.

## What to do if you scanned a Teams QR code

**If you entered your Microsoft password:**
1. Go to account.microsoft.com and change your password immediately.
2. Go to mysignins.microsoft.com → Active Sessions and sign out of all sessions.
3. Ask your IT administrator to invalidate all refresh tokens for your account in Azure Active Directory (the command is `Revoke-AzureADUserAllRefreshToken` in PowerShell, or use the Microsoft 365 admin center).
4. Confirm your MFA methods at aka.ms/mfasetup — remove any devices you don't recognize.
5. If you use the same password on other accounts, change those immediately.

**If you installed software from the QR code:**
1. Disconnect the device from the corporate network immediately.
2. Notify your IT or security team — this is an incident that requires endpoint investigation.
3. Do not attempt to uninstall the software yourself before IT has imaged the device.

**If you only opened the page without entering anything:**
Risk is low. Close the browser, clear cache and cookies, and report the URL to your IT security team and to Microsoft at reportmessage.microsoft.com.

For a broader action checklist, see [what to do after scanning a suspicious QR code](/i-scanned-a-qr-code-and-it-asked-for-my-password).

## The rule that covers all four variants

Microsoft and Microsoft Teams never ask you to scan a QR code to sign in, enroll in MFA, review a shared file, or install an update. Every legitimate Teams notification links to a URL that begins with teams.microsoft.com or microsoftonline.com — and you should type those addresses manually rather than follow a QR code from an email or a printed notice.
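The host rule above can be turned into a triage check that a help desk or mail-security team runs over URLs decoded from reported QR codes, catching the lookalike tricks the variants rely on (brand name as a subdomain of an attacker host, a `user@host` prefix, non-HTTPS, punycode labels). This is an added example, not QRsafer's or Microsoft's code; it assumes that subdomains of microsoftonline.com (such as login.microsoftonline.com) count as legitimate, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Hosts the article names for legitimate Teams notifications. Assumption made
# here: subdomains of microsoftonline.com (e.g. login.microsoftonline.com) are
# trusted too; anything else is not.
TRUSTED_EXACT = {"teams.microsoft.com", "microsoftonline.com"}
TRUSTED_SUFFIXES = (".microsoftonline.com",)


def classify_qr_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason): trusted, lookalike, suspicious or untrusted."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return "suspicious", f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return "suspicious", f"scheme is {parts.scheme or 'missing'!r}, not https"
    # "teams.microsoft.com@attacker.example" puts the real host after the '@'.
    if "@" in parts.netloc:
        return "suspicious", "userinfo before '@' hides the real host"
    host = parts.hostname  # lower-cased, with port and userinfo stripped
    if not host:
        return "suspicious", "no host in URL"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode label; possible homoglyph domain"
    if host in TRUSTED_EXACT or host.endswith(TRUSTED_SUFFIXES):
        return "trusted", f"{host} is a Microsoft Teams/365 host"
    # Brand string present but not as the registrable domain, e.g.
    # teams.microsoft.com.verify-now.example, or only in the path.
    haystack = host + parts.path.lower()
    for brand in TRUSTED_EXACT:
        if brand in haystack:
            return "lookalike", f"'{brand}' appears in the URL but the host is {host}"
    return "untrusted", f"{host} is not a Microsoft host"


# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://teams.microsoft.com/l/team/19%3Aabc/conversations",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "https://teams.microsoft.com.account-verify.example/login",
    "https://teams.microsoft.com@account-verify.example/",
    "http://teams.microsoft.com/",
    "https://xn--micrsoft-9za.com/teams",
    "https://account-verify.example/teams.microsoft.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reason = classify_qr_url(sample)
        print(f"{verdict:10} {sample}  ({reason})")
```

Anything other than `trusted` should be treated as a phishing report, and even a `trusted` verdict only confirms the host, not that the message itself was legitimate.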

If your organization uses Zoom alongside Teams, the same QR phishing tactics apply there too. See the [Zoom QR code scam](/blog/zoom-qr-code-scam) page for the parallel playbook.

## See also
- [What Is Quishing?](/blog/what-is-quishing)
- [Microsoft QR Code Scam](/microsoft-qr-code-scam)
- [I Scanned a QR Code and It Asked for My Password](/i-scanned-a-qr-code-and-it-asked-for-my-password)
- [How to Protect Employees from QR Code Scams](/blog/how-to-protect-employees-from-qr-code-scams)
- [Zoom QR Code Scam](/blog/zoom-qr-code-scam)
- [QR Code Threat Map](/threat-map)

Download QRsafer for [iOS](https://apps.apple.com/app/qrsafer/id6743708403) or [Android](https://play.google.com/store/apps/details?id=com.bedrockdigitalsolutions20.qrsafer) and preview the destination URL of any QR code — including one that arrived in a Teams message or a corporate email — before your browser opens it.