Microsoft Teams QR Code Scam: How Attackers Exploit Enterprise Trust

Microsoft Teams has 320 million monthly active users, making it one of the most impersonated platforms in enterprise QR phishing campaigns. Here's how each attack variant works, how to spot a fake, and exactly what to do if you already scanned.

2026-06-14 · QRsafer Team

A notification arrives in your inbox. Microsoft Teams branding, your company logo, an urgent subject line: Action required — verify your account before your next Teams meeting.

At the bottom of the email is a QR code.

This is a Microsoft Teams QR code scam — and it is engineered to exploit the two things that make enterprise phishing so dangerous: the trust employees place in internal communication tools, and the security blind spot that QR codes create inside corporate email gateways.

Microsoft Teams has 320 million monthly active users across organizations of every size. That scale makes it one of the highest-value impersonation targets in the world. Here is how attackers use it.

Why attackers use QR codes in enterprise phishing

Standard corporate email security — URL filtering, link rewriting, sandboxing — is designed to intercept clickable hyperlinks. A QR code is an image, not a link. Unless the gateway also decodes QR codes found in inline images and attachments, a scanner that would flag a phishing URL in the email body passes the same URL encoded in a QR code without inspection.

This is not a theoretical gap. Microsoft itself documented QR-based phishing (sometimes called "quishing") in enterprise security advisories, specifically in the context of Microsoft 365 credential harvesting. Understanding what quishing is helps explain why this attack vector has grown so rapidly inside corporate environments.

Attack variant 1: Fake "Teams notification" email with a QR code

This is the most common enterprise variant.

You receive an email with Microsoft Teams branding — the correct logo, font, and color scheme — and a message that a colleague has shared a file with you, that your access to a shared channel has changed, or that your account requires verification. A QR code is included to "review the file" or "confirm your identity."

Scanning the code opens a page that mirrors the Microsoft 365 login screen with high fidelity: the same layout, the "Sign in to your account" prompt, even the pre-filled email address field. When you enter your password, it is captured by the attacker. If your organization uses Azure Active Directory or any SSO provider — Okta, Ping, Google Workspace — the phishing page often mirrors that provider's login screen instead, capturing OAuth tokens that may grant access to dozens of connected systems.

The rule: Microsoft Teams never requires you to scan a QR code to review a shared file, verify your account, or restore access to a channel. Shared files appear as clickable links inside the Teams app — not QR codes in emails.

Attack variant 2: QR code in a Teams direct message from a compromised account

This variant is more dangerous because it comes from inside the organization.

An attacker compromises one employee's Microsoft 365 account — often through a separate phishing attack or a credential leak — and uses that account to send internal Teams messages. Colleagues receive a DM from what looks like a trusted coworker or manager:

  • "Hey, can you scan this? It's the new MFA setup our IT team sent out."
  • "Secure file share for the project — they changed the access method."
  • "Join the new compliance channel through this code."

Because the message comes from a known account and arrives through Teams rather than email, recipients are significantly more likely to scan without scrutiny. The QR code leads to a credential-harvesting page. The attacker now has a second account, which they use to reach further into the organization.

If you receive an unexpected QR code in a Teams message — even from someone you know — verify it through a separate channel before scanning.

Attack variant 3: Fake IT department MFA enrollment QR codes

This variant is specifically tailored to organizational contexts where IT pushes MFA enrollment.

Attackers send emails or, in some cases, place printed notices in common office areas claiming to be from the company's IT or security team: "Your Microsoft authenticator app requires re-enrollment. Scan the QR code below to complete the process." The timing often coincides with real organizational events — a known security initiative, a merger, a policy change — to increase plausibility.

The QR code links to a page that either harvests Microsoft 365 credentials directly or intercepts the MFA enrollment flow to register the attacker's authenticator device instead of the employee's. The victim believes they completed a legitimate security task. In reality, the attacker now controls MFA for that account.

Real MFA enrollment through Microsoft is done inside the Microsoft Authenticator app, at aka.ms/mfasetup, or through a link provided directly inside the Microsoft 365 admin portal — not through a QR code in an unsolicited email or a printed flyer.

Attack variant 4: Fake "Teams update required" QR code

The fourth variant targets the device rather than the credentials.

An email or Teams notification announces a mandatory Teams desktop or mobile update. The update is not available through the normal app store — you need to scan a QR code to download it directly. The code links to a trojanized installer that installs malware alongside a convincing, functional Teams app.

This approach also appears on printed materials in shared spaces — office lobbies, conference rooms, cafeterias — where an "IT Update Required" notice with a QR code can be left without raising immediate suspicion.

Microsoft Teams updates are delivered automatically through the Teams desktop client or through your organization's device management system (Microsoft Intune, Jamf, or similar). If an update requires manual installation via QR code, it is not a real Microsoft Teams update.

What to do if you scanned a Teams QR code

If you entered your Microsoft password:

  1. Go to account.microsoft.com and change your password immediately.
  2. Go to mysignins.microsoft.com → Active Sessions and sign out of all sessions.
  3. Ask your IT administrator to invalidate all refresh tokens for your account in Azure Active Directory (the AzureAD PowerShell cmdlet is Revoke-AzureADUserAllRefreshToken; the Microsoft Graph PowerShell equivalent is Revoke-MgUserSignInSession; or use the Microsoft 365 admin center).
  4. Confirm your MFA methods at aka.ms/mfasetup — remove any devices you don't recognize.
  5. If you use the same password on other accounts, change those immediately.

If you installed software from the QR code:

  1. Disconnect the device from the corporate network immediately.
  2. Notify your IT or security team — this is an incident that requires endpoint investigation.
  3. Do not attempt to uninstall the software yourself before IT has imaged the device.

If you only opened the page without entering anything: Risk is low. Close the browser, clear cache and cookies, and report the URL to your IT security team and to Microsoft at reportmessage.microsoft.com.

For a broader action checklist, see what to do after scanning a suspicious QR code.

The rule that covers all four variants

Microsoft and Microsoft Teams never ask you to scan a QR code to sign in, enroll in MFA, review a shared file, or install an update. Every legitimate Teams notification links to a URL whose host is teams.microsoft.com or a microsoftonline.com subdomain such as login.microsoftonline.com (check the whole host rather than its first characters: a lookalike such as teams.microsoft.com.example.net also begins with those words) — and you should type those addresses manually rather than follow a QR code from an email or a printed notice.
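The following is an added example, not QRsafer's code, that applies this rule to the string decoded from a QR code (decoding the image itself is assumed to have happened already). It matches the whole host against the two legitimate domains, so prefix lookalikes, userinfo tricks and punycode hosts are rejected; requiring https is the example's own assumption, and the sample payloads are constructed, not real indicators.

```python
from urllib.parse import urlsplit

# Hosts the post names as legitimate Teams / Microsoft 365 destinations.
TRUSTED_SUFFIXES = ("teams.microsoft.com", "microsoftonline.com")

def classify_qr_url(payload: str) -> tuple[str, str]:
    """Return (verdict, reason) for a string decoded from a QR code.

    Whole-host match (exact or subdomain) so teams.microsoft.com.example.net
    is rejected; the https, userinfo and punycode checks are this example's own.
    """
    if not payload.lower().startswith(("http://", "https://")):
        return "not_a_url", "payload is not an http(s) URL"
    parts = urlsplit(payload)
    if "@" in parts.netloc:
        # https://login.microsoftonline.com@example.net really goes to example.net
        return "suspicious", "userinfo in authority hides the real host"
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return "suspicious", "not https"
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious", "punycode host (possible homoglyph domain)"
    for suffix in TRUSTED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "trusted", f"host {host} is under {suffix}"
    return "suspicious", f"host {host} is not a Teams / Microsoft 365 domain"

def triage(payloads: list[str]) -> dict[str, list[str]]:
    """Bucket decoded payloads by verdict so an analyst sees what needs follow-up."""
    buckets: dict[str, list[str]] = {"trusted": [], "suspicious": [], "not_a_url": []}
    for payload in payloads:
        buckets[classify_qr_url(payload)[0]].append(payload)
    return buckets

# Constructed sample payloads mirroring the post's variants (not real indicators).
SAMPLE_PAYLOADS = [
    "https://teams.microsoft.com/l/team/example",                     # genuine Teams link
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",  # genuine sign-in host
    "https://teams.microsoft.com.example.net/verify",                  # variant 1 lookalike
    "https://login.microsoftonline.com@example.net/mfa",               # variant 3 userinfo trick
    "http://teams.microsoft.com/update",                               # variant 4, plain http
    "https://xn--micrsoft-x5a.com/teams",                              # homoglyph domain
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        verdict, reason = classify_qr_url(payload)
        print(f"{verdict:<10} {payload}  ({reason})")
```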

If your organization uses Zoom alongside Teams, the same QR phishing tactics apply there too. See the Zoom QR code scam page for the parallel playbook.

See also

Download QRsafer for iOS or Android and preview the destination URL of any QR code — including one that arrived in a Teams message or a corporate email — before your browser opens it.

FAQ

Does Microsoft Teams ever ask you to scan a QR code to log in or enroll in MFA?

No. Microsoft and Microsoft Teams never require you to scan a QR code to sign in, re-enroll in multi-factor authentication, or restore account access. Legitimate MFA enrollment is done inside the Microsoft Authenticator app or at aka.ms/mfasetup — never by scanning an emailed or printed QR code. If a QR code claims to link to a Teams or Microsoft 365 login or MFA page, treat it as a phishing attempt and report it to your IT department.

What should I do if I scanned a Teams QR code and entered my Microsoft password?

Act immediately. Sign in to account.microsoft.com and change your password, then go to mysignins.microsoft.com and revoke all active sessions. In the Microsoft 365 admin center (or ask your IT admin to do this), invalidate all refresh tokens for your account. Enable or re-verify multi-factor authentication. If you use the same password on other accounts, change those too. Report the incident to your IT or security team — a compromised Microsoft 365 account can be used to launch further attacks inside your organization.

Can a QR code in a Microsoft Teams chat actually be dangerous?

Yes. A QR code sent in a Teams direct message or channel post is just a link in a different form — if you scan it with your phone's camera, it opens whatever URL is encoded in it, bypassing any URL scanning your desktop Teams client might apply. Attackers compromise one employee's account, then use it to send malicious QR codes to teammates who trust the internal source. Always verify unexpected QR codes through a second channel (a phone call, a separate Slack or email) before scanning.

Does QRsafer protect against Microsoft Teams QR code scams?

Yes. If you receive a QR code in a Teams message, an HR email, or a printed notice, you can take a screenshot and scan it with QRsafer before your browser opens the link. QRsafer checks the destination URL against real-time threat intelligence — including known phishing domains, credential-harvesting pages, and fake Microsoft 365 login portals — and flags anything suspicious before a single page loads. Scan first, tap second.